Closed
Description
I'm playing around with adding a TSAN CI job and updating the ASAN CI job to use a Python compiled with ASAN.
The latter triggered up a new error I've never seen before:
numpy/_core/tests/test_umath.py::test_outer_bad_subclass PASSED
numpy/_core/tests/test_umath.py::test_outer_exceeds_maxdims PASSED
=================================================================
==22221==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080095c7060 at pc 0x00010ac4ce10 bp 0x00016f3a5c90 sp 0x00016f3a5c88
READ of size 4 at 0x6080095c7060 thread T0
#0 0x00010ac4ce0c in ufunc_at ufunc_object.c:5957
#1 0x000101cb92dc in method_vectorcall_VARARGS descrobject.c:324
#2 0x000101c9d2ac in PyObject_Vectorcall call.c:327
#3 0x000101f75fd0 in _PyEval_EvalFrameDefault generated_cases.c.h:813
#4 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#5 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#6 0x000101de21ec in slot_tp_call typeobject.c:9539
#7 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#8 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#9 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#10 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#11 0x000101de21ec in slot_tp_call typeobject.c:9539
#12 0x000101c9d584 in _PyObject_Call call.c:361
#13 0x000101f7a010 in _PyEval_EvalFrameDefault generated_cases.c.h:1355
#14 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#15 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#16 0x000101de21ec in slot_tp_call typeobject.c:9539
#17 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#18 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#19 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#20 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#21 0x000101de21ec in slot_tp_call typeobject.c:9539
#22 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#23 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#24 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#25 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#26 0x000101de21ec in slot_tp_call typeobject.c:9539
#27 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#28 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#29 0x000101f6911c in PyEval_EvalCode ceval.c:602
#30 0x000101f62590 in builtin_exec bltinmodule.c.h:556
#31 0x000101d646b8 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
#32 0x000101c9d2ac in PyObject_Vectorcall call.c:327
#33 0x000101f75fd0 in _PyEval_EvalFrameDefault generated_cases.c.h:813
#34 0x0001020c4e6c in pymain_run_module main.c:349
#35 0x0001020c3e60 in Py_RunMain main.c:776
#36 0x0001020c4958 in pymain_main main.c:806
#37 0x0001020c4c58 in Py_BytesMain main.c:830
#38 0x00018b4cb150 (<unknown module>)
#39 0xa64cfffffffffffc (<unknown module>)
0x6080095c7060 is located 64 bytes inside of 96-byte region [0x6080095c7020,0x6080095c7080)
freed by thread T0 here:
#0 0x00010296b35c in free+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x5335c)
#1 0x00010aacba34 in arraymapiter_dealloc mapping.c:3403
#2 0x00010ac4cc9c in ufunc_at ufunc_object.c:5944
#3 0x000101cb92dc in method_vectorcall_VARARGS descrobject.c:324
#4 0x000101c9d2ac in PyObject_Vectorcall call.c:327
#5 0x000101f75fd0 in _PyEval_EvalFrameDefault generated_cases.c.h:813
#6 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#7 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#8 0x000101de21ec in slot_tp_call typeobject.c:9539
#9 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#10 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#11 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#12 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#13 0x000101de21ec in slot_tp_call typeobject.c:9539
#14 0x000101c9d584 in _PyObject_Call call.c:361
#15 0x000101f7a010 in _PyEval_EvalFrameDefault generated_cases.c.h:1355
#16 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#17 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#18 0x000101de21ec in slot_tp_call typeobject.c:9539
#19 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#20 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#21 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#22 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#23 0x000101de21ec in slot_tp_call typeobject.c:9539
#24 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#25 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#26 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#27 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#28 0x000101de21ec in slot_tp_call typeobject.c:9539
#29 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
previously allocated by thread T0 here:
#0 0x00010296b270 in malloc+0x70 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x53270)
#1 0x000101dca970 in _PyType_AllocNoTrack typeobject.c:2043
#2 0x000101dca754 in PyType_GenericAlloc typeobject.c:2072
#3 0x00010aa34770 in PyArray_NewFromDescr_int ctors.c:723
#4 0x00010aa361ec in PyArray_NewLikeArrayWithShape ctors.c:1096
#5 0x00010aacb584 in PyArray_MapIterArrayCopyIfOverlap mapping.c:3326
#6 0x00010ac4c738 in ufunc_at ufunc_object.c:5839
#7 0x000101cb92dc in method_vectorcall_VARARGS descrobject.c:324
#8 0x000101c9d2ac in PyObject_Vectorcall call.c:327
#9 0x000101f75fd0 in _PyEval_EvalFrameDefault generated_cases.c.h:813
#10 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#11 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#12 0x000101de21ec in slot_tp_call typeobject.c:9539
#13 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#14 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#15 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#16 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#17 0x000101de21ec in slot_tp_call typeobject.c:9539
#18 0x000101c9d584 in _PyObject_Call call.c:361
#19 0x000101f7a010 in _PyEval_EvalFrameDefault generated_cases.c.h:1355
#20 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#21 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#22 0x000101de21ec in slot_tp_call typeobject.c:9539
#23 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#24 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
#25 0x000101c9bc84 in _PyObject_VectorcallDictTstate call.c:146
#26 0x000101c9e1a8 in _PyObject_Call_Prepend call.c:504
#27 0x000101de21ec in slot_tp_call typeobject.c:9539
#28 0x000101c9c0e0 in _PyObject_MakeTpCall call.c:242
#29 0x000101f7adfc in _PyEval_EvalFrameDefault generated_cases.c.h:1502
SUMMARY: AddressSanitizer: heap-use-after-free ufunc_object.c:5957 in ufunc_at
Shadow bytes around the buggy address:
0x6080095c6d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c6e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c6e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c6f00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x6080095c6f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x6080095c7000: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
0x6080095c7080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c7100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c7180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c7200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6080095c7280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22221==ABORTING
Fatal Python error: Aborted
Current thread 0x00000001f36acf80 (most recent call first):
File "/Users/runner/work/numpy/numpy/build-install/usr/lib/python3.13/site-packages/numpy/_core/tests/test_umath.py", line 4851 in test_bad_legacy_ufunc_silent_errors
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/python.py", line 194 in pytest_pyfunc_call
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_callers.py", line 103 in _multicall
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_manager.py", line 120 in _hookexec
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_hooks.py", line 513 in __call__
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/python.py", line 1788 in runtest
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 169 in pytest_runtest_call
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_callers.py", line 103 in _multicall
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_manager.py", line 120 in _hookexec
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_hooks.py", line 513 in __call__
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 262 in <lambda>
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 341 in from_call
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 261 in call_runtest_hook
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 222 in call_and_report
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 133 in runtestprotocol
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/runner.py", line 114 in pytest_runtest_protocol
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_callers.py", line 103 in _multicall
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_manager.py", line 120 in _hookexec
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_hooks.py", line 513 in __call__
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/main.py", line 349 in pytest_runtestloop
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_callers.py", line 103 in _multicall
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_manager.py", line 120 in _hookexec
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_hooks.py", line 513 in __call__
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/main.py", line 324 in _main
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/main.py", line 270 in wrap_session
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/main.py", line 317 in pytest_cmdline_main
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_callers.py", line 103 in _multicall
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_manager.py", line 120 in _hookexec
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pluggy/_hooks.py", line 513 in __call__
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/config/__init__.py", line 166 in main
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/_pytest/config/__init__.py", line 189 in console_main
File "/Users/runner/.pyenv/versions/3.13-dev/lib/python3.13/site-packages/pytest/__main__.py", line 5 in <module>
File "<frozen runpy>", line 88 in _run_code
File "<frozen runpy>", line 198 in _run_module_as_main
Extension modules: numpy._core._multiarray_umath, numpy.linalg._umath_linalg, numpy._core._multiarray_tests, numpy._core._rational_tests, numpy._core._umath_tests, cython.cimports.libc.math, numpy.random._common, numpy.random.bit_generator, numpy.random._bounded_integers, numpy.random._mt19937, numpy.random.mtrand, numpy.random._philox, numpy.random._pcg64, numpy.random._sfc64, numpy.random._generator, numpy._core._struct_ufunc_tests, numpy._core._simd, numpy._core._operand_flag_tests, charset_normalizer.md, numpy.linalg.lapack_lite, mypy, mypy.defaults, mypy.errorcodes, mypy.util, mypy.options, mypy.visitor, mypy.strconv, mypy.nodes, mypy.state, mypy.type_visitor, mypy.typetraverser, mypy.typevartuples, mypy.expandtype, mypy.types, mypy.lookup, mypy.message_registry, mypy.copytype, mypy.maptype, mypy.erasetype, mypy.typevars, mypy.typeops, mypy.error_formatter, mypy.scope, mypy.errors, mypy.operators, mypy.applytype, mypy.argmap, mypy.types_utils, mypy.server, mypy.server.trigger, mypy.typestate, mypy.constraints, mypy.subtypes, mypy.messages, mypy.tvar_scope, mypy.plugin, mypy.join, mypy.meet, mypy.checkmember, mypy.parse, mypy.checkstrformat, mypy.graph_utils, mypy.solve, mypy.infer, mypy.literals, mypy.semanal_shared, mypy.semanal_enum, mypy.patterns, mypy.traverser, mypy.typeanal, mypy.checkexpr, mypy.binder, mypy.checkpattern, mypy.mro, mypy.plugins, mypy.fixup, mypy.plugins.common, mypy.plugins.dataclasses, mypy.constant_fold, mypy.reachability, mypy.sharedparse, mypy.fastparse, mypy.exprtotype, mypy.semanal_namedtuple, mypy.semanal_newtype, mypy.semanal_typeddict, mypy.semanal, mypy.treetransform, mypy.checker, mypy.semanal_classprop, mypy.semanal_infer, mypy.mixedtraverser, mypy.semanal_typeargs, mypy.server.aststrip, mypy.semanal_main, mypy.indirection, mypy.partially_defined, mypy.semanal_pass1, mypy.config_parser, mypy.freetree, mypy.fscache, mypy.metastore, mypy.stubinfo, mypy.modulefinder, mypy.plugins.default, mypy.renaming, mypy.stats, mypy.build, mypy.api, checks, limited_api2, mem_policy, _testbuffer (total: 113)
numpy/_core/tests/test_umath.py::test_bad_legacy_ufunc_silent_errors
Metadata
Metadata
Assignees
Labels
No labels