Open nyibbang opened 4 years ago
Hello, this issue sounds similar to what I guess I have found in Debian Bug#1009739.

I think the issue here is that the member `PyLongObject` of the struct `enum_object` is intended to be a variable-length object, and on i386 the function `PyLong_FromLong` assumes it can store more than one element in the `ob_digit` member of the `PyLongObject`. It does so by attempting to store a pointer value of `0x9e56f410` == `-1638468592` (or unsigned `2656498704`) in three elements of `ob_digit`.

Storing two elements would be no issue due to the padding added in my case, but the third element of `ob_digit` occupies the same memory as the `enum_object.name` member. In my case it also wrote the value 1 there, which is therefore later attempted to be freed in `enum_dealloc`.

Adding a few bytes between the `PyLongObject base_object` and `PyObject *name` did work around the crash in my tests.
```
(rr) ptype /o self
type = struct boost::python::objects::enum_object {
/*    0      |   16 */    PyLongObject base_object;
/*   16      |    4 */    PyObject *name;
                          /* total size (bytes):   20 */
} *
(rr) ptype /o PyLongObject
type = struct _longobject {
/*    0      |   12 */    PyVarObject ob_base;
/*   12      |    2 */    digit ob_digit[1];
/* XXX  2-byte padding  */
                          /* total size (bytes):   16 */
}
```
Hello,

I'm having an issue on our libqi-python project using boost-python 1.64, with Python 3.8 on a 32-bit (x86) system. I could not find an existing issue related to this problem, so I'm creating a new one.

In one of our files, we export an enum to python:

with the enum being declared in our main project (libqi) at this line:

The crash occurs when we export the `Infinite` value of the enum, which is set to `INT_MAX`. Weirdly enough, it works fine on my host (Ubuntu 16.04 x86_64) but segfaults on one of our other 32-bit x86 systems when cross-compiled. Here is the backtrace when the crash occurs:

It seems the crash occurs in the `enum_base::add_value` function, at the `Py_XDECREF(p->name)` call. The object pointed to by `enum_object* p` seems incorrect, with the `name` member having an invalid pointer value of `0x1`.

From my investigations the size of `int` is 4 bytes on each system (therefore the `INT_MAX` value is `2147483647` on both systems). I'm also pretty sure that it worked fine when we had Python 3.5 on the 32-bit system.

Another thing is I tried changing the value from `INT_MAX` to `INT_MAX / 2` and it seemed to fix the issue, but with `INT_MAX / 2 + 1` and above, it started segfaulting again.

Thank you for your help.
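As an added illustration (not code from this issue, Boost.Python or CPython), here is a small C model of the layout in the gdb dump from the comment above. It assumes the i386 CPython 3.8 parameters (15-bit `digit`, 4-byte pointers, modelled as `uint32_t` so the offsets are the same on any host) and computes how many digits `PyLong_FromLong` needs for a value and whether the last one lands on `enum_object.name`; this reproduces the `INT_MAX / 2` versus `INT_MAX / 2 + 1` boundary reported in the original post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the i386 CPython 3.8 layout shown in the gdb dump (assumption:
 * 4-byte pointers, 15-bit digits). Pointers are modelled as uint32_t so the
 * offsets come out identical on any host compiler. */
#define PYLONG_SHIFT 15
typedef uint16_t digit;

typedef struct { int32_t ob_refcnt; uint32_t ob_type; int32_t ob_size; } PyVarObjectModel; /* 12 bytes */
typedef struct { PyVarObjectModel ob_base; digit ob_digit[1]; } PyLongObjectModel;      /* 14, padded to 16 */
typedef struct { PyLongObjectModel base_object; uint32_t name; } enum_objectModel;       /* name at 16, size 20 */

/* Digits PyLong_FromLong needs for |v|: one per 15 bits, at least one. */
int digits_needed(unsigned long v) {
    int n = 0;
    do { n++; v >>= PYLONG_SHIFT; } while (v != 0);
    return n;
}

/* Byte offset of ob_digit[i] inside the embedded enum_object. */
size_t digit_offset(int i) {
    return offsetof(enum_objectModel, base_object) + offsetof(PyLongObjectModel, ob_digit)
         + (size_t)i * sizeof(digit);
}

/* 1 if writing the digits for v runs past the padding into enum_object.name. */
int value_overruns_name(unsigned long v) {
    size_t end = digit_offset(digits_needed(v)); /* one past the last digit written */
    return end > offsetof(enum_objectModel, name);
}

int main(void) {
    /* Constructed sample values: the boundary from the original post plus the pointer value from the comment. */
    unsigned long samples[] = { 1073741823UL /* INT_MAX/2 */, 1073741824UL /* INT_MAX/2+1 */,
                                2147483647UL /* INT_MAX */,   0x9e56f410UL /* value quoted in the comment */ };
    printf("sizeof(enum_object)=%zu, name at offset %zu\n",
           sizeof(enum_objectModel), offsetof(enum_objectModel, name));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = digits_needed(samples[i]);
        printf("%10lu needs %d digit(s), last digit ends at byte %zu -> %s\n", samples[i], n,
               digit_offset(n), value_overruns_name(samples[i]) ? "overwrites name" : "fits in padding");
    }
    return 0;
}
```

Two digits end exactly at byte 16, the start of `name`, which is why values up to `INT_MAX / 2` only touch the padding; a 31-bit value needs a third digit at bytes 16..17, which is exactly the low half of the `name` pointer that later shows up as `0x1`.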