Calling cProfile.runctx in threads on a free-threading build segfaults

[devdanzin]

Crash report

What happened?

On a no-gil build running with PYTHON_GIL=0, repeatedly calling cProfile.runctx in threads leads to a segfault:

from threading import Thread
import cProfile

for x in range(100):
    Thread(target=cProfile.runctx, args=("", {}, {}, "",)).start()

Backtrace:

#0  RotatingTree_Get (root=0xddddddddddddde25, key=key@entry=0x20002080780) at ./Modules/rotatingtree.c:56
#1  0x00007ffff7c3c940 in getSubEntry (pObj=pObj@entry=0x200041901e0, caller=<optimized out>,
    entry=entry@entry=0x20002080780) at ./Modules/_lsprof.c:245
#2  0x00007ffff7c3cf25 in Stop (pObj=pObj@entry=0x200041901e0, self=self@entry=0x200020e0310,
    entry=0x20002080780) at ./Modules/_lsprof.c:338
#3  0x00007ffff7c3cfdb in flush_unmatched (pObj=pObj@entry=0x200041901e0) at ./Modules/_lsprof.c:833
#4  0x00007ffff7c3e991 in _lsprof_Profiler_disable_impl (self=0x200041901e0) at ./Modules/_lsprof.c:893
#5  0x00007ffff7c3e9ca in _lsprof_Profiler_disable (self=<optimized out>, _unused_ignored=<optimized out>)
    at ./Modules/clinic/_lsprof.c.h:288
#6  0x0000555555694b24 in method_vectorcall_NOARGS (func=<method_descriptor at remote 0x20000aa01d0>,
    args=0x7ffff7433b48, nargsf=<optimized out>, kwnames=<optimized out>) at Objects/descrobject.c:447
#7  0x000055555567cc55 in _PyObject_VectorcallTstate (tstate=0x555555dcc3f0,
    callable=<method_descriptor at remote 0x20000aa01d0>, args=0x7ffff7433b48, nargsf=9223372036854775809,
    kwnames=0x0) at ./Include/internal/pycore_call.h:167
#8  0x000055555567cd74 in PyObject_Vectorcall (
    callable=callable@entry=<method_descriptor at remote 0x20000aa01d0>, args=args@entry=0x7ffff7433b48,
    nargsf=<optimized out>, kwnames=kwnames@entry=0x0) at Objects/call.c:327
#9  0x00005555558592c0 in _PyEval_EvalFrameDefault (tstate=tstate@entry=0x555555dcc3f0,
    frame=0x7ffff6c30340, throwflag=throwflag@entry=0) at Python/generated_cases.c.h:4469
#10 0x00005555558726ea in _PyEval_EvalFrame (throwflag=0, frame=<optimized out>, tstate=0x555555dcc3f0)
    at ./Include/internal/pycore_ceval.h:116
#11 _PyEval_Vector (tstate=<optimized out>, func=0x20000a8b450, locals=locals@entry=0x0,
    args=0x7ffff7433cd8, argcount=1, kwnames=<optimized out>) at Python/ceval.c:1901

Found using fusil by @vstinner.

CPython versions tested on:

3.13, CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.14.0a1+ experimental free-threading build (heads/main-dirty:54c63a32d0, Nov 8 2024, 20:16:36) [GCC 11.4.0]

[devdanzin]

While reducing the code for this crash, I got the following debug message:

Debug memory block at address p=0x200080e0150: API '�'
    7440851960500309042 bytes originally requested
    The 7 pad bytes at p-7 are not all FORBIDDENBYTE (0xfd):
        at p-7: 0xdd *** OUCH
        at p-6: 0xdd *** OUCH
        at p-5: 0xdd *** OUCH
        at p-4: 0xdd *** OUCH
        at p-3: 0xdd *** OUCH
        at p-2: 0xdd *** OUCH
        at p-1: 0xdd *** OUCH
    Because memory is corrupted at the start, the count of bytes requested
       may be bogus, and checking the trailing pad bytes may segfault.
    The 8 pad bytes at tail=0x6743396f53f1cd82 are Segmentation fault

However, it seems in reducing I removed whatever caused this message to appear. Is it another problem or just a detail of the main issue? Should I try to reduce the code in a way that preserves it?

[gaogaotiantian]

I don't think cProfile is nogil-safe at this point.

[devdanzin]

I don't think cProfile is nogil-safe at this point.

Agreed, cProfile and _lsprof aren't expected to work correctly in this scenario. Should I close the issue, mark it as pending or leave it open?