Segfault in _testinternalcapi.assemble_code_object with LOAD_CLOSURE #144163

@YuanchengJiang

Description

Bug report

Bug description:

import _testinternalcapi

# The crash is triggered by the 'LOAD_CLOSURE' pseudo-instruction
# when passed to the internal code object assembler.
instructions = [
    ('RESUME', 0),
    ('LOAD_CLOSURE', 0),  # The trigger: oparg 0 refers to index in cellvars
    ('RETURN_VALUE', None)
]

# Metadata setup to support the instructions
metadata = {
    'filename': 'crash.py',
    'name': 'crash_test',
    'consts': {None: 0},
    'cellvars': {'x': 0},  # 'x' is at index 0
    'varnames': {'x': 0},  # 'x' is also defined as a local var
    'argcount': 1,
    'posonlyargcount': 0,
    'kwonlyargcount': 0
}

print("Attempting to assemble code object...")
# This call segfaults
_testinternalcapi.assemble_code_object('crash.py', instructions, metadata)

Attempting to assemble code object...
AddressSanitizer:DEADLYSIGNAL
=================================================================
==775815==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7309e1b4b3f9 bp 0x7fffa1d84300 sp 0x7fffa1d84240 T0)
==775815==The signal is caused by a READ memory access.
==775815==Hint: address points to the zero page.
    #0 0x7309e1b4b3f9 in PyType_HasFeature /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Include/object.h:824:19
    #1 0x7309e1b4b3f9 in _testinternalcapi_assemble_code_object_impl /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/_testinternalcapi.c:840:5
    #2 0x7309e1b4b3f9 in _testinternalcapi_assemble_code_object /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/clinic/_testinternalcapi.c.h:293:20
    #3 0x56088dcc075b in cfunction_vectorcall_FASTCALL_KEYWORDS /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Objects/methodobject.c:465:24
    #4 0x56088dba135f in _PyObject_VectorcallTstate /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Include/internal/pycore_call.h:136:11
    #5 0x56088df3451c in _Py_VectorCallInstrumentation_StackRefSteal /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/ceval.c:762:11
    #6 0x56088df70350 in _PyEval_EvalFrameDefault /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/generated_cases.c.h:1788:35
    #7 0x56088df333b7 in _PyEval_EvalFrame /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Include/internal/pycore_ceval.h:118:16
    #8 0x56088df333b7 in _PyEval_Vector /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/ceval.c:2094:12
    #9 0x56088df32dd4 in PyEval_EvalCode /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/ceval.c:673:21
    #10 0x56088e57d46e in run_eval_code_obj /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/pythonrun.c:1366:12
    #11 0x56088e57c63b in run_mod /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/pythonrun.c:1469:19
    #12 0x56088e576c3c in pyrun_file /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/pythonrun.c:1294:15
    #13 0x56088e57479c in _PyRun_SimpleFileObject /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/pythonrun.c:518:13
    #14 0x56088e573b0d in _PyRun_AnyFileObject /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Python/pythonrun.c:81:15
    #15 0x56088e5f03ba in pymain_run_file_obj /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/main.c:410:15
    #16 0x56088e5f03ba in pymain_run_file /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/main.c:429:15
    #17 0x56088e5ee483 in pymain_run_python /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/main.c:691:21
    #18 0x56088e5ee483 in Py_RunMain /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/main.c:772:5
    #19 0x56088e5ef386 in pymain_main /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/main.c:802:12
    #20 0x56088e5ef4f7 in Py_BytesMain /home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/../Modules/main.c:826:12
    #21 0x7709e2b02d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x7709e2b02e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x56088d8f74c4 in _start (/home/fuzz/WorkSpace/FusionFuzzLoop/projects/cpython/cpython/build/python+0x2e44c4) (BuildId: d529462274be082e41d89921c4fd912eb8eb1797)

==775815==Register values:
rax = 0x0000000000000008  rbx = 0x00007fffa1d84240  rcx = 0x0000000000000001  rdx = 0x00000ac111dad84d  
rdi = 0x00000000000000a8  rsi = 0x0000000000000000  rbp = 0x00007fffa1d84300  rsp = 0x00007fffa1d84240  
 r8 = 0x00000ee13c55b005   r9 = 0xffffffffffffffe8  r10 = 0x00000ac111dad838  r11 = 0x0000000000000001  
r12 = 0x00007309e0904d20  r13 = 0x00007389e1c90740  r14 = 0x00000e613c1209a0  r15 = 0x00007309e0904c28  
AddressSanitizer can not provide additional info.

Could be a low-priority bug.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux
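The crash above comes from handing the internal assembler an instruction stream the compiler would never produce: LOAD_CLOSURE is a pseudo-instruction that only exists in the compiler's intermediate form and is lowered to real opcodes before assembly, and the assembler trusts its input. The following is an added example, not code from the issue or from CPython, of the kind of check a caller can run over an instruction list and metadata dictionary before passing them to an assembler. The pseudo-instruction names other than LOAD_CLOSURE, the mapping from opcode to the metadata table its oparg indexes, and the sample inputs (a copy of the report's data plus a lowered variant) are assumptions made for this example and deliberately simplified relative to CPython's real oparg semantics.

```python
import dis

# Pseudo-instructions exist only inside the compiler and are lowered to real
# opcodes before assembly. LOAD_CLOSURE is the case from the report above; the
# other names are an assumption based on CPython's opcode table.
PSEUDO_INSTRUCTIONS = frozenset({
    "LOAD_CLOSURE", "LOAD_METHOD", "JUMP", "JUMP_NO_INTERRUPT",
    "POP_BLOCK", "SETUP_FINALLY", "SETUP_CLEANUP", "SETUP_WITH",
})

# Which metadata table an oparg indexes. Simplified assumption for this
# example, not CPython's full oparg semantics.
OPARG_TABLE = {
    "LOAD_CLOSURE": "cellvars",
    "LOAD_FAST": "varnames",
    "STORE_FAST": "varnames",
    "LOAD_CONST": "consts",
}


def _table_size(metadata, table):
    """Return the entry count of a name->index table after checking that its
    indices form the contiguous range 0..n-1, which is what an assembler
    indexing by oparg relies on."""
    values = sorted(metadata.get(table, {}).values())
    if values != list(range(len(values))):
        raise ValueError(f"{table}: indices are not contiguous from 0: {values}")
    return len(values)


def validate_instructions(instructions, metadata):
    """Return a list of problems found in an instruction stream; an empty
    list means nothing was rejected."""
    errors = []
    for pos, (name, oparg) in enumerate(instructions):
        if name in PSEUDO_INSTRUCTIONS:
            errors.append(f"{pos}: {name} is a pseudo-instruction; lower it before assembly")
            continue
        if name not in dis.opmap:
            errors.append(f"{pos}: unknown instruction {name!r}")
            continue
        table = OPARG_TABLE.get(name)
        if table is None:
            continue  # oparg not checked against a table in this example
        if not isinstance(oparg, int) or oparg < 0:
            errors.append(f"{pos}: {name} needs a non-negative int oparg, got {oparg!r}")
            continue
        try:
            size = _table_size(metadata, table)
        except ValueError as exc:
            errors.append(f"{pos}: {exc}")
            continue
        if oparg >= size:
            errors.append(f"{pos}: {name} oparg {oparg} is out of range for {table} (size {size})")
    argcount = metadata.get("argcount", 0)
    nlocals = len(metadata.get("varnames", {}))
    if argcount > nlocals:
        errors.append(f"argcount {argcount} exceeds the {nlocals} names in varnames")
    return errors


# Constructed copies of the report's inputs.
REPORT_INSTRUCTIONS = [("RESUME", 0), ("LOAD_CLOSURE", 0), ("RETURN_VALUE", None)]
REPORT_METADATA = {
    "filename": "crash.py", "name": "crash_test",
    "consts": {None: 0}, "cellvars": {"x": 0}, "varnames": {"x": 0},
    "argcount": 1, "posonlyargcount": 0, "kwonlyargcount": 0,
}
# A variant with the pseudo-instruction replaced by a real local load.
LOWERED_INSTRUCTIONS = [("LOAD_FAST", 0), ("RETURN_VALUE", None)]

if __name__ == "__main__":
    for label, program in (("report", REPORT_INSTRUCTIONS), ("lowered", LOWERED_INSTRUCTIONS)):
        print(label, validate_instructions(program, REPORT_METADATA) or "ok")
```

The validator rejects the report's stream for the pseudo-instruction alone, before any table lookup; the bounds and contiguity checks cover the other way a name-to-index metadata dictionary can drive an assembler off the end of a table.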

Metadata

Assignees: No one assigned

Labels: tests (Tests in the Lib/test dir), type-bug (An unexpected behavior, bug, or error)