
[Bug-readline] SIGSEGV in _rl_dispatch_callback()


From: Anatol Pomozov
Subject: [Bug-readline] SIGSEGV in _rl_dispatch_callback()
Date: Wed, 5 Mar 2014 20:18:28 -0800

Hi,

This is a follow-up to an Arch Linux bug: https://bugs.archlinux.org/task/39144

After upgrading the system to readline 6.3 we started seeing a crash that
can be reproduced using the 'ipython' command-line tool. Here are the
steps:

- run 'ipython'
- type 'import'
- press up, down, up
- SIGSEGV!!!

Downgrading readline back to 6.2 fixes the issue.


Here is some information from the debug session:

$ systemd-coredumpctl gdb

(gdb) bt
#0 0x00007fb714b0e849 in _rl_dispatch_callback () from /usr/lib/libreadline.so.6
#1 0x00007fb714b24ca0 in rl_callback_read_char () from /usr/lib/libreadline.so.6
#2 0x00007fb714d43acb in ?? () from
/usr/lib/python3.3/lib-dynload/readline.cpython-33m.so
#3 0x00007fb71b0bae4f in PyOS_Readline (sys_stdin=0x7fb71ae404e0
<_IO_2_1_stdin_>, sys_stdout=0x7fb71ae402a0 <_IO_2_1_stdout_>,
prompt=0x7fb7169f0960 "\n\001\033[0;32m\002In
[\001\033[1;32m\002\061\001\033[0;32m\002]: \001\033[0m\002") at
Parser/myreadline.c:214
#4 0x00007fb71b1646f6 in builtin_input (self=<optimized out>,
args=<optimized out>) at Python/bltinmodule.c:1734
#5 0x00007fb71b16f94c in call_function (oparg=<optimized out>,
pp_stack=0x7fff753b13a0) at Python/ceval.c:4069
#6 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2679
#7 0x00007fb71b1703b1 in PyEval_EvalCodeEx
(address@hidden, globals=<optimized out>,
address@hidden, args=<optimized out>,
address@hidden, kws=0x293a630, kwcount=0,
defs=0x7fb716881f68, defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3439
#8 0x00007fb71b16f3b9 in fast_function (nk=<optimized out>, na=2,
n=<optimized out>, pp_stack=0x7fff753b15c0, func=<optimized out>) at
Python/ceval.c:4167
#9 call_function (oparg=<optimized out>, pp_stack=0x7fff753b15c0) at
Python/ceval.c:4090
#10 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2679
#11 0x00007fb71b1703b1 in PyEval_EvalCodeEx
(address@hidden, globals=<optimized out>,
address@hidden, args=<optimized out>,
address@hidden, kws=0x28c84d8, kwcount=1,
defs=0x7fb716881f28, defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3439
#12 0x00007fb71b16f3b9 in fast_function (nk=<optimized out>, na=1,
n=<optimized out>, pp_stack=0x7fff753b17e0, func=<optimized out>) at
Python/ceval.c:4167
#13 call_function (oparg=<optimized out>, pp_stack=0x7fff753b17e0) at
Python/ceval.c:4090
#14 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2679
#15 0x00007fb71b1703b1 in PyEval_EvalCodeEx
(address@hidden, globals=<optimized out>,
address@hidden, args=<optimized out>,
address@hidden, kws=0x28bc9e8, kwcount=0,
defs=0x7fb716881ee8, defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3439
#16 0x00007fb71b16f3b9 in fast_function (nk=<optimized out>, na=1,
n=<optimized out>, pp_stack=0x7fff753b1a00, func=<optimized out>) at
Python/ceval.c:4167
#17 call_function (oparg=<optimized out>, pp_stack=0x7fff753b1a00) at
Python/ceval.c:4090
#18 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2679
#19 0x00007fb71b16f6af in fast_function (nk=<optimized out>, na=1,
n=1, pp_stack=0x7fff753b1b60, func=<optimized out>) at
Python/ceval.c:4157
#20 call_function (oparg=<optimized out>, pp_stack=0x7fff753b1b60) at
Python/ceval.c:4090
#21 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2679
#22 0x00007fb71b1703b1 in PyEval_EvalCodeEx (_co=0x7fb71856e5d0,
globals=<optimized out>, address@hidden,
address@hidden, argcount=1,
address@hidden,
address@hidden, address@hidden,
address@hidden, kwdefs=0x0, closure=0x0) at
Python/ceval.c:3439
#23 0x00007fb71b0e7353 in function_call (func=0x7fb717b818c0,
arg=0x7fb71a01ba50, kw=0x7fb71854ec68) at Objects/funcobject.c:633
#24 0x00007fb71b0c129c in PyObject_Call
(address@hidden, address@hidden,
address@hidden) at Objects/abstract.c:2035
#25 0x00007fb71b16b1bc in ext_do_call (nk=<optimized out>,
na=<optimized out>, flags=<optimized out>, pp_stack=0x7fff753b1e78,
func=0x7fb717b818c0) at Python/ceval.c:4384
#26 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2720
#27 0x00007fb71b1703b1 in PyEval_EvalCodeEx
(address@hidden, globals=<optimized out>,
address@hidden, args=<optimized out>,
address@hidden, kws=0x24e15a8, kwcount=0,
defs=0x7fb71855d4a8, defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3439
#28 0x00007fb71b16f3b9 in fast_function (nk=<optimized out>, na=0,
n=<optimized out>, pp_stack=0x7fff753b2090, func=<optimized out>) at
Python/ceval.c:4167
#29 call_function (oparg=<optimized out>, pp_stack=0x7fff753b2090) at
Python/ceval.c:4090
#30 PyEval_EvalFrameEx (address@hidden,
address@hidden) at Python/ceval.c:2679
#31 0x00007fb71b1703b1 in PyEval_EvalCodeEx
(address@hidden, address@hidden,
address@hidden, address@hidden,
address@hidden,
address@hidden, address@hidden, address@hidden,
address@hidden, address@hidden,
address@hidden) at Python/ceval.c:3439
#32 0x00007fb71b17047b in PyEval_EvalCode (address@hidden,
address@hidden,
address@hidden) at Python/ceval.c:771
#33 0x00007fb71b189bd4 in run_mod (mod=<optimized out>,
address@hidden "/usr/bin/ipython",
address@hidden,
address@hidden,
address@hidden, address@hidden) at
Python/pythonrun.c:1996
#34 0x00007fb71b18b9a8 in PyRun_FileExFlags (address@hidden,
address@hidden "/usr/bin/ipython",
address@hidden, address@hidden,
address@hidden, address@hidden,
address@hidden) at Python/pythonrun.c:1952
#35 0x00007fb71b18c6d1 in PyRun_SimpleFileExFlags
(address@hidden, filename=<optimized out>,
address@hidden, address@hidden) at
Python/pythonrun.c:1452
#36 0x00007fb71b18d4e3 in PyRun_AnyFileExFlags (address@hidden,
filename=<optimized out>, address@hidden,
address@hidden) at Python/pythonrun.c:1174
#37 0x00007fb71b1a1138 in run_file (p_cf=0x7fff753b2350,
filename=0x246eff0 L"/usr/bin/ipython", fp=0x24e0ca0) at
Modules/main.c:307
#38 Py_Main (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:744
#39 0x0000000000400b29 in main ()


Dump of assembler code for function _rl_dispatch_callback:
# gdb disassembly (AT&T syntax, x86-64) of the start of _rl_dispatch_callback.
# The listing stops at <+64>; the rest of the function is not shown.
# Assumes the SysV AMD64 calling convention, so %rdi carries the first
# (pointer) argument on entry -- TODO confirm against the readline source.
#
# Prologue: save callee-saved registers and keep a copy of the argument
# pointer in %rbp for use after %edi is overwritten below.
0x00007fb714b0e840 <+0>: push %rbp
0x00007fb714b0e841 <+1>: mov %rdi,%rbp
0x00007fb714b0e844 <+4>: push %rbx
0x00007fb714b0e845 <+5>: sub $0x8,%rsp
# Faulting instruction ("=>" is gdb's current-instruction marker; it matches
# rip in the register dump). It reads one byte through %rdi to test bit 0.
# No NULL check on %rdi is visible before this first dereference; the register
# dump shows rdi = 0, so the read targets address 0 and raises SIGSEGV.
=> 0x00007fb714b0e849 <+9>: testb $0x1,(%rdi)
# Bit 0 clear -> branch to <+128> (outside the shown listing).
0x00007fb714b0e84c <+12>: je 0x7fb714b0e8c0 <_rl_dispatch_callback+128>
# Load the 32-bit field at offset 0x30 of the argument structure.
0x00007fb714b0e84e <+14>: mov 0x30(%rdi),%ebx
# 0xfffffffd is -3 as a signed 32-bit value; when the field equals it,
# the call to _rl_subseq_result is skipped.
0x00007fb714b0e851 <+17>: cmp $0xfffffffd,%ebx
0x00007fb714b0e854 <+20>: je 0x7fb714b0e86c <_rl_dispatch_callback+44>
# Build the call arguments from the structure (via the %rbp copy):
#   %edi = value loaded from offset 0x30
#   %rsi = 64-bit field at offset 0x18
#   %edx = 32-bit field at offset 0x20
#   %ecx = (32-bit field at offset 0x0) & 0x2
0x00007fb714b0e856 <+22>: mov 0x0(%rbp),%ecx
0x00007fb714b0e859 <+25>: mov 0x20(%rbp),%edx
0x00007fb714b0e85c <+28>: mov %ebx,%edi
0x00007fb714b0e85e <+30>: mov 0x18(%rbp),%rsi
0x00007fb714b0e862 <+34>: and $0x2,%ecx
0x00007fb714b0e865 <+37>: callq 0x7fb714b0e6b0 <_rl_subseq_result>
# Keep the call's 32-bit return value in %ebx.
0x00007fb714b0e86a <+42>: mov %eax,%ebx
# RIP-relative load of a pointer (gdb resolves the slot to 0x7fb714d38b58),
# then a 32-bit read through it; a non-zero value branches to <+168>.
0x00007fb714b0e86c <+44>: mov 0x22a2e5(%rip),%rax # 0x7fb714d38b58
0x00007fb714b0e873 <+51>: mov (%rax),%edx
0x00007fb714b0e875 <+53>: test %edx,%edx
0x00007fb714b0e877 <+55>: jne 0x7fb714b0e8e8 <_rl_dispatch_callback+168>
# Dispatch on the value in %ebx: zero -> <+179>, -3 -> <+208>.
0x00007fb714b0e879 <+57>: test %ebx,%ebx
0x00007fb714b0e87b <+59>: je 0x7fb714b0e8f3 <_rl_dispatch_callback+179>
0x00007fb714b0e87d <+61>: cmp $0xfffffffd,%ebx
0x00007fb714b0e880 <+64>: je 0x7fb714b0e910 <_rl_dispatch_callback+208>



(gdb) info register
rax 0x2c0006 2883590
rbx 0x7fb714d3f630 140424305178160
rcx 0x0 0
rdx 0x0 0
rsi 0x7fff753b0e78 140735160192632
rdi 0x0 0
rbp 0x0 0x0
rsp 0x7fff753b10b0 0x7fff753b10b0
r8 0x7fff753b0de0 140735160192480
r9 0x28c27b0 42739632
r10 0x8 8
r11 0x202 514
r12 0x7fb714d3f028 140424305176616
r13 0x0 0
r14 0x1 1
r15 0x7fb71b6d2690 140424415880848
rip 0x7fb714b0e849 0x7fb714b0e849 <_rl_dispatch_callback+9>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0


So rl_callback_read_char() passes a NULL pointer (the _rl_kscxt
parameter) to _rl_dispatch_callback(), which the callback does not
expect: the instruction at <+9> dereferences %rdi, and the register
dump shows rdi = 0.



Does this information ring a bell? What additional information do you need?


