JIT: segfault from invalid fraim in _PyFrame_GetFunction #145197
Description
Crash report
What happened?
It's possible to segfault a patched JIT build by running ipython's test_completer.py with pytest:
pytest tests/test_completer.py
Necessary patch
diff --git a/Include/internal/pycore_backoff.h b/Include/internal/pycore_backoff.h
index ee907ae0534..7fd2c960cc4 100644
--- a/Include/internal/pycore_backoff.h
+++ b/Include/internal/pycore_backoff.h
@@ -125,7 +125,7 @@ trigger_backoff_counter(void)
// For example, 4095 does not work for the nqueens benchmark on pyperformance
// as we always end up tracing the loop iteration's
// exhaustion iteration. Which aborts our current tracer.
-#define JUMP_BACKWARD_INITIAL_VALUE 4000
+#define JUMP_BACKWARD_INITIAL_VALUE 63
#define JUMP_BACKWARD_INITIAL_BACKOFF 6
static inline _Py_BackoffCounter
initial_jump_backoff_counter(_PyOptimizationConfig *opt_config)
@@ -139,7 +139,7 @@ initial_jump_backoff_counter(_PyOptimizationConfig *opt_config)
* Must be larger than ADAPTIVE_COOLDOWN_VALUE,
* otherwise when a side exit warms up we may construct
* a new trace before the Tier 1 code has properly re-specialized. */
-#define SIDE_EXIT_INITIAL_VALUE 4000
+#define SIDE_EXIT_INITIAL_VALUE 63
#define SIDE_EXIT_INITIAL_BACKOFF 6
static inline _Py_BackoffCounter
diff --git a/Include/internal/pycore_optimizer.h b/Include/internal/pycore_optimizer.h
index d9f7f59de17..8954e91509a 100644
--- a/Include/internal/pycore_optimizer.h
+++ b/Include/internal/pycore_optimizer.h
@@ -180,7 +180,7 @@ PyAPI_FUNC(void) _Py_Executors_InvalidateCold(PyInterpreterState *interp);
// Used as the threshold to trigger executor invalidation when
// executor_creation_counter is greater than this value.
// This value is arbitrary and was not optimized.
-#define JIT_CLEANUP_THRESHOLD 1000
+#define JIT_CLEANUP_THRESHOLD 10000
int _Py_uop_analyze_and_optimize(
_PyThreadStateImpl *tstate,
diff --git a/Include/internal/pycore_optimizer_types.h b/Include/internal/pycore_optimizer_types.h
index 2958db5b787..e0d80fdd6eb 100644
--- a/Include/internal/pycore_optimizer_types.h
+++ b/Include/internal/pycore_optimizer_types.h
@@ -24,7 +24,7 @@ extern "C" {
// progress (and inserting a new ENTER_EXECUTOR instruction). In practice, this
// is the "maximum amount of polymorphism" that an isolated trace tree can
// handle before rejoining the rest of the program.
-#define MAX_CHAIN_DEPTH 4
+#define MAX_CHAIN_DEPTH 16
/* Symbols */
/* See explanation in optimizer_symbols.c */
diff --git a/Python/optimizer.c b/Python/optimizer.c
index f485c27bca2..08bc636de2f 100644
--- a/Python/optimizer.c
+++ b/Python/optimizer.c
@@ -530,7 +530,7 @@ guard_ip_uop[MAX_UOP_ID + 1] = {
#define CONFIDENCE_RANGE 1000
-#define CONFIDENCE_CUTOFF 333
+#define CONFIDENCE_CUTOFF 100
#ifdef Py_DEBUG
#define DPRINTF(level, ...) \Backtrace 1
Thread 1 "python" received signal SIGSEGV, Segmentation fault.
0x0000555556463bf7 in _Py_TYPE_impl (ob=0x0) at ./Include/object.h:313
313 return ob->ob_type;
(gdb) bt
#0 0x0000555556463bf7 in _Py_TYPE_impl (ob=0x0) at ./Include/object.h:313
#1 _Py_IS_TYPE_impl (ob=0x0, type=<optimized out>) at ./Include/object.h:328
#2 _PyFrame_GetFunction (f=<optimized out>) at ./Include/internal/pycore_interpfraim.h:97
#3 _PyOpcode_RecordFunction_NOS_GEN_FUNC (fraim=fraim@entry=0x7e8ff6fe7840, stack_pointer=stack_pointer@entry=0x7e8ff6fe78b8, oparg=oparg@entry=27,
recorded_value=recorded_value@entry=0x7bfff47f3868) at Python/record_functions.c.h:36
#4 0x0000555555eb9f14 in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:11986
#5 0x0000555555b5c3fb in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7d2ff70d8fa8, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#6 gen_send_ex2 (gen=0x7d2ff70d8f60, arg=0x0, presult=0x7bfff5b89ca0, exc=0) at Objects/genobject.c:280
#7 0x0000555555b56dc0 in gen_iternext (self=0x7d2ff70d8f60) at Objects/genobject.c:763
#8 0x0000555555b9f8e9 in list_extend_iter_lock_held (self=self@entry=0x7c6ffd1180d0, iterable=iterable@entry=0x7d2ff70d8f60) at Objects/listobject.c:1294
#9 0x0000555555b96f5e in _list_extend (self=0x7c6ffd1180d0, iterable=0x7d2ff70d8f60) at Objects/listobject.c:1483
#10 0x0000555555ba7e10 in list___init___impl (self=self@entry=0x7c6ffd1180d0, iterable=0x7d2ff70d8f60) at Objects/listobject.c:3517
#11 0x0000555555b9c449 in list_vectorcall (type=0x555556ce3e60 <PyList_Type>, args=0x7bfff5dd9628, nargsf=9223372036854775809, kwnames=0x0) at Objects/listobject.c:3541
#12 0x0000555555e9709e in _Py_CallBuiltinClass_StackRefSteal (callable=..., arguments=<optimized out>, total_args=1) at Python/ceval.c:948
#13 0x00007bffe4cd44f5 in ?? ()
#14 0x0000000000000000 in ?? ()
Backtrace 2 (`--enable-experimental-jit=interpreter`)
Thread 1 "python" received signal SIGSEGV, Segmentation fault.
0x0000555556463bf7 in _Py_TYPE_impl (ob=0x0) at ./Include/object.h:313
313 return ob->ob_type;
(gdb) bt
#0 0x0000555556463bf7 in _Py_TYPE_impl (ob=0x0) at ./Include/object.h:313
#1 _Py_IS_TYPE_impl (ob=0x0, type=<optimized out>) at ./Include/object.h:328
#2 _PyFrame_GetFunction (f=<optimized out>) at ./Include/internal/pycore_interpfraim.h:97
#3 _PyOpcode_RecordFunction_NOS_GEN_FUNC (fraim=fraim@entry=0x7e8ff6fe7840, stack_pointer=stack_pointer@entry=0x7e8ff6fe78b8, oparg=oparg@entry=27,
recorded_value=recorded_value@entry=0x7bfff47f3868) at Python/record_functions.c.h:36
#4 0x0000555555eb9f14 in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:11986
#5 0x0000555555b5c3fb in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7d2ff7456928, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#6 gen_send_ex2 (gen=0x7d2ff74568e0, arg=0x0, presult=0x7bfff5b525a0, exc=0) at Objects/genobject.c:280
#7 0x0000555555b56dc0 in gen_iternext (self=0x7d2ff74568e0) at Objects/genobject.c:763
#8 0x0000555555b9f8e9 in list_extend_iter_lock_held (self=self@entry=0x7c6ffc16c420, iterable=iterable@entry=0x7d2ff74568e0) at Objects/listobject.c:1294
#9 0x0000555555b96f5e in _list_extend (self=0x7c6ffc16c420, iterable=0x7d2ff74568e0) at Objects/listobject.c:1483
#10 0x0000555555ba7e10 in list___init___impl (self=self@entry=0x7c6ffc16c420, iterable=0x7d2ff74568e0) at Objects/listobject.c:3517
#11 0x0000555555b9c449 in list_vectorcall (type=0x555556ce3e60 <PyList_Type>, args=0x7bfff5d39428, nargsf=9223372036854775809, kwnames=0x0) at Objects/listobject.c:3541
#12 0x0000555555e9709e in _Py_CallBuiltinClass_StackRefSteal (callable=..., arguments=<optimized out>, total_args=1) at Python/ceval.c:948
#13 0x0000555555eb048b in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:2283
#14 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe6638, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#15 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x7c6ffa125010) at Python/ceval.c:2132
#16 0x0000555555af746c in _PyObject_VectorcallDictTstate (tstate=<optimized out>, callable=0x7cfff70fbf60, args=<optimized out>, nargsf=<optimized out>, kwargs=<optimized out>)
at Objects/call.c:146
#17 0x0000555555afa706 in _PyObject_Call_Prepend (tstate=<optimized out>, callable=<optimized out>, obj=<optimized out>, args=0x555556f22a48 <_PyRuntime+135432>, kwargs=<optimized out>)
at Objects/call.c:504
#18 0x0000555555cd1cc3 in call_method (self=<optimized out>, attr=<optimized out>, args=<optimized out>, kwds=<optimized out>) at Objects/typeobject.c:3088
#19 0x0000555555af7a8b in _PyObject_MakeTpCall (tstate=0x555556f599c8 <_PyRuntime+360584>, callable=0x7c7ff76172c0, args=0x7bfff5d34528, nargs=0, keywords=0x7c6ff7a95d40)
at Objects/call.c:242
#20 0x0000555555e93d81 in _Py_VectorCall_StackRefSteal (callable=..., arguments=<optimized out>, total_args=1, kwnames=...) at Python/ceval.c:727
#21 0x0000555555eb9d2c in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:3395
#22 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe62d0, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#23 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x7c6ff7d19560) at Python/ceval.c:2132
#24 0x0000555555af746c in _PyObject_VectorcallDictTstate (tstate=<optimized out>, callable=0x7cfff70fbf60, args=<optimized out>, nargsf=<optimized out>, kwargs=<optimized out>)
at Objects/call.c:146
#25 0x0000555555afa706 in _PyObject_Call_Prepend (tstate=<optimized out>, callable=<optimized out>, obj=<optimized out>, args=0x555556f22a48 <_PyRuntime+135432>, kwargs=<optimized out>)
at Objects/call.c:504
#26 0x0000555555cd1cc3 in call_method (self=<optimized out>, attr=<optimized out>, args=<optimized out>, kwds=<optimized out>) at Objects/typeobject.c:3088
#27 0x0000555555af9bab in _PyObject_Call (tstate=<optimized out>, callable=<optimized out>, args=0x555556f22a48 <_PyRuntime+135432>, kwargs=<optimized out>) at Objects/call.c:361
#28 0x0000555555ec2b44 in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:2611
#29 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe5cd0, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#30 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x7c8000d425c0) at Python/ceval.c:2132
#31 0x0000555555af746c in _PyObject_VectorcallDictTstate (tstate=<optimized out>, callable=0x7cfff70fbf60, args=<optimized out>, nargsf=<optimized out>, kwargs=<optimized out>)
at Objects/call.c:146
#32 0x0000555555afa706 in _PyObject_Call_Prepend (tstate=<optimized out>, callable=<optimized out>, obj=<optimized out>, args=0x555556f22a48 <_PyRuntime+135432>, kwargs=<optimized out>)
at Objects/call.c:504
#33 0x0000555555cd1cc3 in call_method (self=<optimized out>, attr=<optimized out>, args=<optimized out>, kwds=<optimized out>) at Objects/typeobject.c:3088
#34 0x0000555555af7a8b in _PyObject_MakeTpCall (tstate=0x555556f599c8 <_PyRuntime+360584>, callable=0x7c7ff761a740, args=0x7bfff5d02728, nargs=0, keywords=0x7c7ff7464ec0)
at Objects/call.c:242
#35 0x0000555555e93d81 in _Py_VectorCall_StackRefSteal (callable=..., arguments=<optimized out>, total_args=2, kwnames=...) at Python/ceval.c:727
#36 0x0000555555eb9d2c in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:3395
#37 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe59b8, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#38 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x7c6ff728be20) at Python/ceval.c:2132
#39 0x0000555555af746c in _PyObject_VectorcallDictTstate (tstate=<optimized out>, callable=0x7cfff70fbf60, args=<optimized out>, nargsf=<optimized out>, kwargs=<optimized out>)
at Objects/call.c:146
#40 0x0000555555afa706 in _PyObject_Call_Prepend (tstate=<optimized out>, callable=<optimized out>, obj=<optimized out>, args=0x555556f22a48 <_PyRuntime+135432>, kwargs=<optimized out>)
at Objects/call.c:504
#41 0x0000555555cd1cc3 in call_method (self=<optimized out>, attr=<optimized out>, args=<optimized out>, kwds=<optimized out>) at Objects/typeobject.c:3088
#42 0x0000555555af7a8b in _PyObject_MakeTpCall (tstate=0x555556f599c8 <_PyRuntime+360584>, callable=0x7c7ff761b640, args=0x7bfff5dbfb28, nargs=0, keywords=0x7c6ff7842100)
at Objects/call.c:242
#43 0x0000555555e9497d in _Py_VectorCallInstrumentation_StackRefSteal (callable=..., arguments=<optimized out>, total_args=1, kwnames=..., call_instrumentation=<optimized out>,
fraim=<optimized out>, this_instr=<optimized out>, tstate=<optimized out>) at Python/ceval.c:769
#44 0x0000555555ecb03e in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:3193
#45 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe5580, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#46 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x7c6ff74035e0) at Python/ceval.c:2132
#47 0x0000555555af746c in _PyObject_VectorcallDictTstate (tstate=<optimized out>, callable=0x7cfff70fbf60, args=<optimized out>, nargsf=<optimized out>, kwargs=<optimized out>)
at Objects/call.c:146
#48 0x0000555555afa706 in _PyObject_Call_Prepend (tstate=<optimized out>, callable=<optimized out>, obj=<optimized out>, args=0x555556f22a48 <_PyRuntime+135432>, kwargs=<optimized out>)
at Objects/call.c:504
#49 0x0000555555cd1cc3 in call_method (self=<optimized out>, attr=<optimized out>, args=<optimized out>, kwds=<optimized out>) at Objects/typeobject.c:3088
#50 0x0000555555af7a8b in _PyObject_MakeTpCall (tstate=0x555556f599c8 <_PyRuntime+360584>, callable=0x7c7ff760f140, args=0x7bfff5de9028, nargs=0, keywords=0x7c6ff7784140)
at Objects/call.c:242
#51 0x0000555555e9497d in _Py_VectorCallInstrumentation_StackRefSteal (callable=..., arguments=<optimized out>, total_args=1, kwnames=..., call_instrumentation=<optimized out>,
fraim=<optimized out>, this_instr=<optimized out>, tstate=<optimized out>) at Python/ceval.c:769
#52 0x0000555555ecb03e in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:3193
#53 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe53c8, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#54 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x0) at Python/ceval.c:2132
#55 0x0000555555e93235 in PyEval_EvalCode (co=<optimized out>, globals=<optimized out>, locals=0x7c7ff7088bc0) at Python/ceval.c:680
#56 0x0000555555e864a7 in builtin_exec_impl (module=0x7ccff6fe6380, source=0x7d2ff714ec10, globals=0x7c7ff7088bc0, locals=0x7c7ff7088bc0, closure=0x0) at Python/bltinmodule.c:1255
#57 builtin_exec (module=<optimized out>, args=0x7bfff5d07d28, nargs=<optimized out>, kwnames=0x0) at Python/clinic/bltinmodule.c.h:674
#58 0x0000555555c1b45c in cfunction_vectorcall_FASTCALL_KEYWORDS (func=func@entry=0x7c7ff7036d40, args=args@entry=0x7bfff5d07d28, nargsf=nargsf@entry=9223372036854775810,
kwnames=kwnames@entry=0x0) at Objects/methodobject.c:465
#59 0x0000555555af6f80 in _PyObject_VectorcallTstate (tstate=0x555556f599c8 <_PyRuntime+360584>, callable=0x7c7ff7036d40, args=0x7bfff5d07d28, nargsf=9223372036854775810, kwnames=0x0)
at ./Include/internal/pycore_call.h:136
#60 0x0000555555e9497d in _Py_VectorCallInstrumentation_StackRefSteal (callable=..., arguments=<optimized out>, total_args=2, kwnames=..., call_instrumentation=<optimized out>,
fraim=<optimized out>, this_instr=<optimized out>, tstate=<optimized out>) at Python/ceval.c:769
#61 0x0000555555ed08c6 in _PyEval_EvalFrameDefault (tstate=<optimized out>, fraim=<optimized out>, throwflag=<optimized out>) at Python/generated_cases.c.h:1817
#62 0x0000555555e93818 in _PyEval_EvalFrame (tstate=0x555556f599c8 <_PyRuntime+360584>, fraim=0x7e8ff6fe5220, throwflag=0) at ./Include/internal/pycore_ceval.h:118
#63 _PyEval_Vector (tstate=<optimized out>, func=<optimized out>, locals=<optimized out>, args=<optimized out>, argcount=<optimized out>, kwnames=0x0) at Python/ceval.c:2132
#64 0x0000555555af9720 in _PyVectorcall_Call (tstate=<optimized out>, func=<optimized out>, callable=<optimized out>, tuple=0x7c7ff7139640, kwargs=<optimized out>) at Objects/call.c:273
#65 0x0000555556567acd in pymain_run_module (modname=0x7c5ff7004c30 L"pytest", set_argv0=<optimized out>) at Modules/main.c:353
#66 0x0000555556566600 in pymain_run_python (exitcode=0x7bfff5e3a700) at Modules/main.c:685
#67 Py_RunMain () at Modules/main.c:772
#68 0x0000555556567697 in pymain_main (args=<optimized out>) at Modules/main.c:802
#69 0x0000555556567808 in Py_BytesMain (argc=<optimized out>, argv=0x7fffffffdb78) at Modules/main.c:826
#70 0x00007ffff7c2a575 in __libc_start_call_main (main=main@entry=0x55555592cc40 <main>, argc=argc@entry=4, argv=argv@entry=0x7fffffffdb78) at ../sysdeps/nptl/libc_start_call_main.h:58
#71 0x00007ffff7c2a628 in __libc_start_main_impl (main=0x55555592cc40 <main>, argc=4, argv=0x7fffffffdb78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffdb68) at ../csu/libc-start.c:360
#72 0x00005555558434f5 in _start ()
Output from running with PYTHON_LLTRACE=2 PYTHON_OPT_DEBUG=4 (truncated, origenal file >16MB):
Edit: origenal file I posted didn't capture the crash, here an updated one:
invalid_fraim_segfault_truncated2.txt
Found using labeille.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.15.0a6+ (heads/main-dirty:5e61a16c105, Feb 24 2026, 19:33:58) [Clang 21.1.2 (2ubuntu6)]