
Opened 5 years ago

Closed 5 years ago

#11001 closed (invalid)

Crash (double free) on OpenBSD on POST request

Reported by: TheStarch@…
Owned by: nobody
Component: Core (Other)
Version: 1.0
Severity:
Keywords: segfault openbsd
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

I currently experience crashes when issuing some POST requests on my application. Reproduced anytime with:

% ./manage.py shell
>>> from django.test.client import Client
>>> c = Client()
>>> c.post('/admin/')
python in free(): error: bogus pointer (double free?)

The code used to not crash, and one day, I found it not working anymore. I am definitively unable to find the cause of the behaviour change.

Box configuration

% uname -mprsv
OpenBSD 4.5 GENERIC.MP#0 i386 Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class)
% ./manage.py shell                                                                                             15:30
Python 2.5.4 (r254:67916, Mar  1 2009, 15:10:20) 
[GCC 3.3.5 (propolice)] on openbsd4
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> import django
>>> django.get_version()
'1.0.2 final'

I tried the very same code on another box (not the same hardware) with the same
OS, python and django versions, and it works (I so hope this is not a
hardware issue).

Some debugging

I narrowed down the source of the error to the following line from the
django/http/multipartparser.py file using pdb. Do not hesitate to ask for more information.

609             yield parse_boundary_stream(sub_stream, 1024)

Please find below the stack extracted from gdb. I tried using pystack but it does not seem to work.

#0  0x09fa6f81 in kill () from /usr/lib/libc.so.50.1
#1  0x09ff3907 in abort () at /usr/src/lib/libc/stdlib/abort.c:68
#2  0x09fcb8e1 in wrterror (p=0x29f766ee "bogus pointer (double free?)") at /usr/src/lib/libc/stdlib/malloc.c:375
#3  0x09fcd2cd in free (ptr=0x80fca5d4) at /usr/src/lib/libc/stdlib/malloc.c:1328
#4  0x09f9e2b1 in bm_free (pat=0x823d1000) at /usr/src/lib/libc/string/bm.c:142
#5  0x079dcd2b in mxBMS_Free () from /usr/local/lib/python2.5/site-packages/mx/TextTools/mxTextTools/mxTextTools.so
#6  0x00170b41 in meth_dealloc () from /usr/local/lib/libpython2.5.so.1.0
#7  0x0016e410 in dict_dealloc () from /usr/local/lib/libpython2.5.so.1.0
#8  0x001838bb in subtype_dealloc () from /usr/local/lib/libpython2.5.so.1.0
#9  0x0016e410 in dict_dealloc () from /usr/local/lib/libpython2.5.so.1.0
#10 0x001838bb in subtype_dealloc () from /usr/local/lib/libpython2.5.so.1.0
#11 0x001adc67 in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#12 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#13 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#14 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#15 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#16 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#17 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#18 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#19 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#20 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#21 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#22 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#23 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#24 0x00148ac4 in call_function_tail () from /usr/local/lib/libpython2.5.so.1.0
#25 0x00148b57 in PyObject_CallFunction () from /usr/local/lib/libpython2.5.so.1.0
#26 0x00154511 in property_descr_get () from /usr/local/lib/libpython2.5.so.1.0
#27 0x00173043 in PyObject_GenericGetAttr () from /usr/local/lib/libpython2.5.so.1.0
#28 0x00172ba5 in PyObject_GetAttr () from /usr/local/lib/libpython2.5.so.1.0
#29 0x001af527 in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#30 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#31 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#32 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#33 0x001b20a3 in ext_do_call () from /usr/local/lib/libpython2.5.so.1.0
#34 0x001afdbe in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#35 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#36 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#37 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#38 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#39 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#40 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#41 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#42 0x001b20a3 in ext_do_call () from /usr/local/lib/libpython2.5.so.1.0
#43 0x001afdbe in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#44 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#45 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#46 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#47 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#48 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#49 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#50 0x0014fb44 in instancemethod_call () from /usr/local/lib/libpython2.5.so.1.0
#51 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#52 0x0018bba2 in slot_tp_call () from /usr/local/lib/libpython2.5.so.1.0
#53 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#54 0x001b1ed9 in do_call () from /usr/local/lib/libpython2.5.so.1.0
#55 0x001b172e in call_function () from /usr/local/lib/libpython2.5.so.1.0
#56 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#57 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#58 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#59 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#60 0x001b20a3 in ext_do_call () from /usr/local/lib/libpython2.5.so.1.0
#61 0x001afdbe in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#62 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#63 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#64 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#65 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#66 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#67 0x001ad59b in PyEval_EvalCode () from /usr/local/lib/libpython2.5.so.1.0
#68 0x001b2db9 in exec_statement () from /usr/local/lib/libpython2.5.so.1.0
#69 0x001aef13 in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#70 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#71 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#72 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#73 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#74 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#75 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#76 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#77 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#78 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#79 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#80 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#81 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#82 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#83 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#84 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#85 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#86 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#87 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#88 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#89 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#90 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#91 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#92 0x001b20a3 in ext_do_call () from /usr/local/lib/libpython2.5.so.1.0
#93 0x001afdbe in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#94 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#95 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#96 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#97 0x001b20a3 in ext_do_call () from /usr/local/lib/libpython2.5.so.1.0
#98 0x001afdbe in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#99 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#100 0x0016188a in function_call () from /usr/local/lib/libpython2.5.so.1.0
#101 0x00148a28 in PyObject_Call () from /usr/local/lib/libpython2.5.so.1.0
#102 0x001b20a3 in ext_do_call () from /usr/local/lib/libpython2.5.so.1.0
#103 0x001afdbe in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#104 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#105 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#106 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#107 0x001b1be6 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#108 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#109 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#110 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#111 0x001b1b63 in fast_function () from /usr/local/lib/libpython2.5.so.1.0
#112 0x001b17a1 in call_function () from /usr/local/lib/libpython2.5.so.1.0
#113 0x001afa5f in PyEval_EvalFrameEx () from /usr/local/lib/libpython2.5.so.1.0
#114 0x001b03c8 in PyEval_EvalCodeEx () from /usr/local/lib/libpython2.5.so.1.0
#115 0x001ad59b in PyEval_EvalCode () from /usr/local/lib/libpython2.5.so.1.0
#116 0x001cbdd6 in run_mod () from /usr/local/lib/libpython2.5.so.1.0
#117 0x001cbd64 in PyRun_FileExFlags () from /usr/local/lib/libpython2.5.so.1.0
#118 0x001cae81 in PyRun_SimpleFileExFlags () from /usr/local/lib/libpython2.5.so.1.0
#119 0x001ca88d in PyRun_AnyFileExFlags () from /usr/local/lib/libpython2.5.so.1.0
#120 0x001d4fa9 in Py_Main () from /usr/local/lib/libpython2.5.so.1.0
#121 0x1c000e3c in main ()

Attachments (0)

Change History (2)

comment:1 Changed 5 years ago by ramiro

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

The stack dump shows mxTextTools is, for some reason, involved:

#5  0x079dcd2b in mxBMS_Free () from /usr/local/lib/python2.5/site-packages/mx/TextTools/mxTextTools/mxTextTools.so

Can you try testing without that module installed?

comment:2 Changed 5 years ago by TheStarch@…

  • Resolution set to invalid
  • Status changed from new to closed

You guessed perfectly right. This module was installed as a dependency of pylint, and after removing it, my application worked fine again.

Sorry for the noise, and thank you for the quick answer.
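
Added example (not part of the ticket or of Django): comment:1 located the culprit by spotting the one frame between libc's allocator abort and the interpreter that belongs to neither. The sketch below automates that reading of gdb `bt` output; the path-based classification in `origin` is a heuristic assumed here, and all function names are illustrative.

```python
import re

# One frame of gdb "bt" output, in the two shapes seen in the trace above:
#   #N  0xADDR in func (args) from /path/lib.so
#   #N  0xADDR in func (args) at /path/file.c:LINE
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+\s+in\s+)?(?P<func>[^\s(]+)\s*\((?P<args>.*?)\)"
    r"(?:\s+from\s+(?P<lib>\S+)|\s+at\s+(?P<src>\S+?):(?P<line>\d+))?\s*$")

# Excerpt: frames #0-#7 copied from the ticket's backtrace.
SAMPLE_BT = """\
#0  0x09fa6f81 in kill () from /usr/lib/libc.so.50.1
#1  0x09ff3907 in abort () at /usr/src/lib/libc/stdlib/abort.c:68
#2  0x09fcb8e1 in wrterror (p=0x29f766ee "bogus pointer (double free?)") at /usr/src/lib/libc/stdlib/malloc.c:375
#3  0x09fcd2cd in free (ptr=0x80fca5d4) at /usr/src/lib/libc/stdlib/malloc.c:1328
#4  0x09f9e2b1 in bm_free (pat=0x823d1000) at /usr/src/lib/libc/string/bm.c:142
#5  0x079dcd2b in mxBMS_Free () from /usr/local/lib/python2.5/site-packages/mx/TextTools/mxTextTools/mxTextTools.so
#6  0x00170b41 in meth_dealloc () from /usr/local/lib/libpython2.5.so.1.0
#7  0x0016e410 in dict_dealloc () from /usr/local/lib/libpython2.5.so.1.0
"""

def parse_backtrace(text):
    """Return one dict per recognised frame, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(dict(m.groupdict(), n=int(m.group("n"))))
    return frames

def origin(frame):
    """Classify a frame by the path gdb printed for it (heuristic)."""
    path = frame["lib"] or frame["src"] or ""
    if "/site-packages/" in path:
        return "extension"      # third-party C extension module
    if "/libpython" in path:
        return "interpreter"
    if "/libc.so" in path or "/lib/libc/" in path:
        return "libc"
    return "unknown"

def allocator_caller(text):
    """Return the innermost non-libc frame, i.e. the code that handed the
    pointer to libc before the allocator aborted; None if there is none."""
    for frame in parse_backtrace(text):
        if origin(frame) != "libc":
            return dict(frame, origin=origin(frame))
    return None

if __name__ == "__main__":
    print("#%(n)d %(func)s [%(origin)s] %(lib)s" % allocator_caller(SAMPLE_BT))
```

An `extension` result points at a third-party module to remove or rebuild first; an `interpreter` result means no extension sits directly above the allocator and the search has to go further up the stack.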
