Skip to content

Segfault deallocating a ContextVar built with str subclass #132002

New issue
New issue
Closed
Closed
Segfault deallocating a ContextVar built with str subclass#132002
Assignees
sobolevn
Labels
3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesextension-modulesC modules in the Modules dirtype-crashA hard crash of the interpreter, possibly with a core dump
@devdanzin

Description

@devdanzin
devdanzin
opened on Apr 2, 2025

Crash report

What happened?

Creating a ContextVar with an instance of a subclass of str leads to a segfault during its deallocation:

from _contextvars import ContextVar

class weird_str(str):
    def __eq__(self, other):
        pass

ContextVar(weird_str())

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
contextvar_tp_clear (op=op@entry=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Python/context.c:935
935         Py_CLEAR(self->var_name);
(gdb) bt
#0  contextvar_tp_clear (op=op@entry=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Python/context.c:935
#1  0x000055555587e395 in contextvar_tp_dealloc (self=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Python/context.c:958
#2  0x00005555556ffa08 in _Py_Dealloc (op=op@entry=<_contextvars.ContextVar at remote 0x7ffff7ac7150>) at Objects/object.c:3021
#3  0x000055555587e672 in Py_DECREF (op=<_contextvars.ContextVar at remote 0x7ffff7ac7150>, lineno=883,
    filename=0x555555a49efe "Python/context.c") at ./Include/refcount.h:416
#4  contextvar_new (name=<weird_str() at remote 0x7ffff7bc7260>, def=0x0) at Python/context.c:883
#5  0x000055555587e6fe in contextvar_tp_new (type=<optimized out>, args=<optimized out>, kwds=<optimized out>)
    at Python/context.c:928
#6  0x000055555574692f in type_call (self=<type at remote 0x555555bff380>, args=(<weird_str() at remote 0x7ffff7bc7260>,), kwds=0x0)
    at Objects/typeobject.c:2244
#7  0x000055555567b9a7 in _PyObject_MakeTpCall (tstate=tstate@entry=0x555555c69558 <_PyRuntime+330424>,
    callable=callable@entry=<type at remote 0x555555bff380>, args=args@entry=0x7fffffffd7c8, nargs=<optimized out>,
    keywords=keywords@entry=0x0) at Objects/call.c:242
#8  0x000055555567bdc8 in _PyObject_VectorcallTstate (tstate=0x555555c69558 <_PyRuntime+330424>,
    callable=<type at remote 0x555555bff380>, args=0x7fffffffd7c8, nargsf=<optimized out>, kwnames=0x0)
    at ./Include/internal/pycore_call.h:167
#9  0x000055555567bdf4 in PyObject_Vectorcall (callable=callable@entry=<type at remote 0x555555bff380>,
    args=args@entry=0x7fffffffd7c8, nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#10 0x000055555582f4c0 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555c69558 <_PyRuntime+330424>,
    frame=frame@entry=0x7ffff7fb0020, throwflag=throwflag@entry=0) at Python/generated_cases.c.h:1366
#11 0x000055555585cd69 in _PyEval_EvalFrame (throwflag=0, frame=0x7ffff7fb0020, tstate=0x555555c69558 <_PyRuntime+330424>)
    at ./Include/internal/pycore_ceval.h:119

Found using fusil by @vstinner.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux, Windows

Output from running 'python -VV' on the command line:

Python 3.14.0a6+ (heads/main:be2d2181e62, Mar 31 2025, 07:30:17) [GCC 11.4.0]

Linked PRs

Metadata

Metadata

Assignees

Labels

3.12only security fixes3.13bugs and security fixes3.14bugs and security fixesextension-modulesC modules in the Modules dirtype-crashA hard crash of the interpreter, possibly with a core dump

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions