Store a reference from PDFInfo python object to its parent PDF python object

veprbl requested to merge veprbl/lhapdf:pr/add_pdf_ref into master

There is an issue with the following use case:

lhapdf.mkPDF(...).info().get_entry(...)

that would lead to crashes on macOS/clang7.

Compiling with -fsanitize=address reveals the following issue:

==52767==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000001be0 at pc 0x000105bbc799 bp 0x7ffeeeecdb50 sp 0x7ffeeeecdb48
READ of size 8 at 0x611000001be0 thread T0
    #0 0x105bbc798 in __pyx_pf_6lhapdf_4Info_4get_entry(__pyx_obj_6lhapdf_Info*, _object*, _object*) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0x2d798)
    #1 0x105bb81c3 in __pyx_pw_6lhapdf_4Info_5get_entry(_object*, _object*, _object*) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0x291c3)
    #2 0x101c9f57b in method_vectorcall_VARARGS_KEYWORDS (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x2f57b)
    #3 0x101d82261 in call_function (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x112261)
    #4 0x101d7ef55 in _PyEval_EvalFrameDefault (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x10ef55)
    #5 0x101d8345d in _PyEval_EvalCodeWithName (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x11345d)
    #6 0x101d77ddf in PyEval_EvalCode (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x107ddf)
    #7 0x101dcc872 in PyRun_StringFlags (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x15c872)
    #8 0x101dcc724 in PyRun_SimpleStringFlags (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x15c724)
    #9 0x101decb43 in Py_RunMain (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17cb43)
    #10 0x101ded912 in pymain_main (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17d912)
    #11 0x101ded998 in Py_BytesMain (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17d998)
    #12 0x100d30f23 in start (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/bin/python3:x86_64+0x100000f23)

0x611000001be0 is located 32 bytes inside of 200-byte region [0x611000001bc0,0x611000001c88)
freed by thread T0 here:
    #0 0x100d9ad72 in wrap__ZdlPv (/nix/store/4r79h6gv043bishn0zqy5prg4r425p43-compiler-rt-7.1.0/lib/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x66d72)
    #1 0x105b9b1cb in __pyx_tp_dealloc_6lhapdf_PDF(_object*) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0xc1cb)
    #2 0x101d82374 in call_function (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x112374)
    #3 0x101d7ef55 in _PyEval_EvalFrameDefault (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x10ef55)
    #4 0x101d8345d in _PyEval_EvalCodeWithName (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x11345d)
    #5 0x101d77ddf in PyEval_EvalCode (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x107ddf)
    #6 0x101dcc872 in PyRun_StringFlags (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x15c872)
    #7 0x101dcc724 in PyRun_SimpleStringFlags (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x15c724)
    #8 0x101decb43 in Py_RunMain (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17cb43)
    #9 0x101ded912 in pymain_main (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17d912)
    #10 0x101ded998 in Py_BytesMain (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17d998)
    #11 0x100d30f23 in start (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/bin/python3:x86_64+0x100000f23)

previously allocated by thread T0 here:
    #0 0x100d9a772 in wrap__Znwm (/nix/store/4r79h6gv043bishn0zqy5prg4r425p43-compiler-rt-7.1.0/lib/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x66772)
    #1 0x105d02e91 in LHAPDF::mkPDF(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, int) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/libLHAPDF.dylib:x86_64+0x47e91)
    #2 0x105d03af4 in LHAPDF::mkPDF(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/libLHAPDF.dylib:x86_64+0x48af4)
    #3 0x105bdc049 in __pyx_f_6lhapdf_mkPDF_setmemstr(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0x4d049)
    #4 0x105bdb884 in __pyx_pf_6lhapdf_8mkPDF(_object*, _object*) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0x4c884)
    #5 0x105bdad0e in __pyx_pw_6lhapdf_9mkPDF(_object*, _object*, _object*) (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0x4bd0e)
    #6 0x101c95a99 in cfunction_call_varargs (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x25a99)
    #7 0x101c95445 in _PyObject_MakeTpCall (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x25445)
    #8 0x101d8233e in call_function (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x11233e)
    #9 0x101d7ef72 in _PyEval_EvalFrameDefault (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x10ef72)
    #10 0x101d8345d in _PyEval_EvalCodeWithName (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x11345d)
    #11 0x101d77ddf in PyEval_EvalCode (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x107ddf)
    #12 0x101dcc872 in PyRun_StringFlags (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x15c872)
    #13 0x101dcc724 in PyRun_SimpleStringFlags (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x15c724)
    #14 0x101decb43 in Py_RunMain (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17cb43)
    #15 0x101ded912 in pymain_main (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17d912)
    #16 0x101ded998 in Py_BytesMain (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/lib/libpython3.8.dylib:x86_64+0x17d998)
    #17 0x100d30f23 in start (/nix/store/xf3244kbn36z04yw98mpgvvsgdcbz438-python3-3.8.8/bin/python3:x86_64+0x100000f23)

SUMMARY: AddressSanitizer: heap-use-after-free (/nix/store/gakc601phkhifz7cq225h14gyl7qaql6-lhapdf-6.3.0/lib/python3.8/site-packages/lhapdf.cpython-38-darwin.so:x86_64+0x2d798) in __pyx_pf_6lhapdf_4Info_4get_entry(__pyx_obj_6lhapdf_Info*, _object*, _object*)
==52767==ABORTING
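
The lifetime pattern behind this report, as an added pure-Python model (not lhapdf's code and not part of the merge request): the trace shows the read in `Info.get_entry` touching memory released by the `PDF` deallocator, and the fix in the title keeps the parent alive from the child. The names `NativeBlock`, `mk_pdf`, `chained_lookup` and the `keep_parent` switch are hypothetical, and the model assumes CPython's reference counting, which frees the temporary as soon as `info()` returns.

```python
# Added model of the lifetime bug; class and function names are hypothetical,
# not lhapdf's API. Assumes CPython, where temporaries are freed by refcount.

class NativeBlock:
    """Stands in for C++ heap memory owned by the PDF object."""
    def __init__(self, entries):
        self.entries = dict(entries)
        self.freed = False


class PDF:
    """Owner: releases the native block when the Python object is deallocated."""
    def __init__(self, entries):
        self._native = NativeBlock(entries)

    def __del__(self):
        self._native.freed = True          # models the delete done in tp_dealloc
        self._native.entries.clear()

    def info(self, keep_parent):
        return Info(self._native, self if keep_parent else None)


class Info:
    """View into memory owned by a PDF; optionally pins that PDF."""
    def __init__(self, native, parent=None):
        self._native = native              # borrowed pointer into the owner
        self._parent = parent              # strong reference to the owner (the fix)

    def get_entry(self, key):
        if self._native.freed:
            # Native code would read freed heap here; the model raises instead.
            raise RuntimeError("use after free: parent PDF already deallocated")
        return self._native.entries[key]


def mk_pdf():
    # Constructed sample metadata, not a real PDF set.
    return PDF({"SetDesc": "constructed sample entry"})


def chained_lookup(keep_parent):
    """Run the mkPDF(...).info().get_entry(...) pattern on a temporary PDF."""
    try:
        return mk_pdf().info(keep_parent).get_entry("SetDesc")
    except RuntimeError as exc:
        return "error: " + str(exc)
```

`chained_lookup(False)` reproduces the failure order seen in the trace (owner freed, then read), while `chained_lookup(True)` returns the entry because the `Info` object holds the owner until it is itself released.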