Segfault when dealing with references to objects with multiple base classes / virtual inheritance #4303

franzpoeschel · 2022-11-01T09:48:34Z

franzpoeschel
Nov 1, 2022

Hey together,

~~MY REPRODUCER HAS A BUG, I WILL TRY TO FIX IT~~ Update: See comment below, the bug pointed me to the issue behind my original problem

I'm currently experiencing trouble with segfaults in Pybind11 and I think that I have traced the issue back to a Python-binded function that returns a reference to an object in a container, where the object has virtual inheritance in its class hierarchy. Destroying such a handle in Python is only possible as long as the original object still exists.

The error is reproducible on recent dev versions of Pybind11 (I've used fcb5554), so I think this is unrelated to similar older issues with multiple inheritance that are already fixed.

This example reproduces the issue:

cmake_minimum_required(VERSION 3.12.0)

project(pybind11_test)
find_package(pybind11 2.9.1 REQUIRED)

pybind11_add_module(virtual_inheritance virtual_inheritance.cpp)

#include <pybind11/pybind11.h>

#include <iostream>

namespace py = pybind11;

struct A
{
    int a = 0;
};

struct B0 : public virtual A
{
    int b0 = 1;
};
struct B1 : public virtual A
{
    int b1 = 2;
};

struct C
    : public B0
    , public B1
{
    int c = 3;
    C()
    {}
};

/*
 * A single value of C does not trigger a segfault on my machine, 
 * so we fill a vector until it goes wrong.
 */
class C_Container
{
    // Bug in reproducer: Need to initialize the vector to the right amount
    // in order to avoid invalidating the returned references
    std::vector<C> vec; // = std::vector<C>(10000);

public:
    C &reference()
    {
        auto & ref = vec.emplace_back();
        return ref;
    }
};

PYBIND11_MODULE(virtual_inheritance, m)
{

    py::class_<A>(m, "A").def_readwrite("a", &A::a);
    py::class_<B0, A>(m, "B0", py::multiple_inheritance())
        .def_readwrite("b0", &B0::b0);
    py::class_<B1, A>(m, "B1", py::multiple_inheritance())
        .def_readwrite("b1", &B1::b1);
    py::class_<C, B0, B1>(m, "C").def_readwrite("c", &C::c);
    py::class_<C_Container>(m, "C_Container")
        .def(py::init<>())
        .def(
            "reference",
            [](C_Container &cont) -> C & { return cont.reference(); },
            py::return_value_policy::reference_internal);
}

#!/usr/bin/env python3

import build.virtual_inheritance as vi

def main():
    cont = vi.C_Container()
    for i in range(10000):
        print("Iteration", i)
        ref = cont.reference()
        print(ref.a)
        print(ref.b0)
        print(ref.b1)
        print(ref.c)

main()

On my machine, the segfault triggers at iteration 2048, so I suppose that the boundary of memory paging is necessary to trigger it. The backtrace of the segfault is:

(gdb) backtrace
#0  0x00007f025b8dff25 in pybind11::class_<B0, A>::add_base<A, 0>(pybind11::detail::type_record&)::{lambda(void*)#1}::operator()(void*) const (src=0x12a1f08, __closure=0x0)
    at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/pybind11.h:1548
#1  pybind11::class_<B0, A>::add_base<A, 0>(pybind11::detail::type_record&)::{lambda(void*)#1}::_FUN(void*) () at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/pybind11.h:1548
#2  0x00007f025b8f38d4 in pybind11::detail::traverse_offset_bases (f=0x7f025b8e8d10 <pybind11::detail::deregister_instance_impl(void*, pybind11::detail::instance*)>, self=0x7f025b4f0570, tinfo=0x1185960, valueptr=0x12a1f08)
    at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/detail/class.h:303
#3  pybind11::detail::traverse_offset_bases (f=0x7f025b8e8d10 <pybind11::detail::deregister_instance_impl(void*, pybind11::detail::instance*)>, self=0x7f025b4f0570, tinfo=0x121f500, valueptr=0x12a1f08)
    at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/detail/class.h:307
#4  pybind11::detail::deregister_instance (tinfo=0x121f500, valptr=0x12a1f08, self=0x7f025b4f0570) at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/detail/class.h:341
#5  pybind11::detail::clear_instance (self=0x7f025b4f0570) at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/detail/class.h:418
#6  0x00007f025b8f409f in pybind11::detail::pybind11_object_dealloc (self=0x7f025b4f0570) at /nix/store/27mjxdkm8v15pygz8ikvx05lbirxm05x-pybind11-fcb5554d9fdd4ad3150bf12cb8be04099cb4976e/include/pybind11/detail/class.h:448
#7  0x00007f025ba6e30f in _PyEval_EvalFrameDefault () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#8  0x00007f025bbea3bf in _PyEval_Vector () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#9  0x00007f025ba6d49c in _PyEval_EvalFrameDefault () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#10 0x00007f025bbea3bf in _PyEval_Vector () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#11 0x00007f025bbeaa28 in PyEval_EvalCode () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#12 0x00007f025bc6f28d in run_mod () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#13 0x00007f025bc7bc42 in _PyRun_SimpleFileObject () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#14 0x00007f025bc7c21b in _PyRun_AnyFileObject () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#15 0x00007f025bc803df in Py_RunMain () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#16 0x00007f025bc80db5 in Py_BytesMain () from /nix/store/sz0j8k8ljh7y8qgyfxgqb3ws11bcy4gs-python3-3.10.6/lib/libpython3.10.so.1.0
#17 0x00007f025b62924e in __libc_start_call_main () from /nix/store/bzd91shky9j9d43girrrj6vmqlw7x9m8-glibc-2.35-163/lib/libc.so.6
#18 0x00007f025b629309 in __libc_start_main_impl () from /nix/store/bzd91shky9j9d43girrrj6vmqlw7x9m8-glibc-2.35-163/lib/libc.so.6
#19 0x0000000000401075 in _start ()

And the troublesome line in the code is inside pybind11.h, the segfault seems to be triggered by the static_cast:

1546│     template <typename Base, detail::enable_if_t<is_base<Base>::value, int> = 0>
1547│     static void add_base(detail::type_record &rec) {
1548│         rec.add_base(typeid(Base), [](void *src) -> void * {
1549│             return static_cast<Base *>(reinterpret_cast<type *>(src));
1550│         });
1551│     }

Alternatively, the following Python script makes the error trigger after iteration 9999 (with the same backtrace):

#!/usr/bin/env python3

import build.virtual_inheritance as vi

def main():
    cont = vi.C_Container()
    reflist = []
    for i in range(10000):
        print("Iteration", i)
        reflist.append(cont.reference())
        print(reflist[-1].a)
        print(reflist[-1].b0)
        print(reflist[-1].b1)
        print(reflist[-1].c)

main()

For this one, I have an idea what might be the problem:

The deregister_instance call happens after the original data in C_Container::vec has been destroyed (does it though??)
The traverse_offset_bases logic is written for objects that still exist on the C++ side, since it uses the pointer to the original object
static_casting the pointer to the base class inside add_base causes undefined behavior since the original object ceased to exist

This does unfortunately not explain the segfault of the first Python script.
But it might point a problem that the traverse_offset_bases logic only works under the assumption that the object itself still exists, even though the handle is only a reference.

Using return_value_policy::copy makes things work without issue.

Answered by franzpoeschel

Nov 2, 2022

Actually, the bug in the reproducer pointed me to the issue in my original use case.
Having a Python reference / reference_internal to a C++ object that no longer exists is undefined behavior in Pybind11. For this, the reference needs not even be used, as the deregistering routines of Pybind11 for objects with multiple inheritance assume that the object still exists. So, the lifetime of such references must be strictly not large than that of the referenced C++ object.

The bug in the reproducer is that the vector gets reallocated, thus invalidating the old references. They are used no longer, but deregistering the references will still fail.

View full answer

franzpoeschel · 2022-11-01T09:56:52Z

franzpoeschel
Nov 1, 2022
Author

THE REPRODUCER HAS A BUG, I WILL NEED TO SEE IF I CAN FIX IT

0 replies

franzpoeschel · 2022-11-02T09:36:34Z

franzpoeschel
Nov 2, 2022
Author

Actually, the bug in the reproducer pointed me to the issue in my original use case.
Having a Python reference / reference_internal to a C++ object that no longer exists is undefined behavior in Pybind11. For this, the reference needs not even be used, as the deregistering routines of Pybind11 for objects with multiple inheritance assume that the object still exists. So, the lifetime of such references must be strictly not large than that of the referenced C++ object.

The bug in the reproducer is that the vector gets reallocated, thus invalidating the old references. They are used no longer, but deregistering the references will still fail.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault when dealing with references to objects with multiple base classes / virtual inheritance #4303

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Segfault when dealing with references to objects with multiple base classes / virtual inheritance #4303

franzpoeschel Nov 1, 2022

Replies: 2 comments

franzpoeschel Nov 1, 2022 Author

franzpoeschel Nov 2, 2022 Author

franzpoeschel
Nov 1, 2022

franzpoeschel
Nov 1, 2022
Author

franzpoeschel
Nov 2, 2022
Author