
fix(profiling): fix invalid access in GenInfo::create_impl#17038

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
dd/kowalski/invalid-access-geninfo-create
Mar 20, 2026

Conversation


@KowalskiThomas KowalskiThomas commented Mar 20, 2026

Contributor

Description

https://datadoghq.atlassian.net/browse/PROF-13112

This fixes a segmentation fault / invalid memory read I discovered through Crash Logs.

Error UnixSignal: Process terminated with SEGV_MAPERR (SIGSEGV)
#0   0x00007f67211ab61c GenInfo::create_impl
#1   0x00007f67211ab6ea GenInfo::create_impl
#2   0x00007f67211ab6ea GenInfo::create_impl
#3   0x00007f67211ab6ea GenInfo::create_impl
#4   0x00007f67211ab6ea GenInfo::create_impl
#5   0x00007f67211ab7f0 GenInfo::create
#6   0x00007f67211ab865 TaskInfo::create_impl
#7   0x00007f67211aba52 TaskInfo::create
#8   0x00007f67211abbde ThreadInfo::get_all_tasks
#9   0x00007f67211ac2a9 ThreadInfo::unwind_tasks
#10  0x00007f67211b000f ThreadInfo::sample
#11  0x00007f67211b013e std::_Function_handler<void (_ts*, ThreadInfo&), Datadog::Sampler::sampling_thread(unsigned long)::{lambda(InterpreterInfo&)#1}::operator()(InterpreterInfo&) const::{lambda(_ts*, ThreadInfo&)#1}>::_M_invoke
#12  0x00007f67211acef0 for_each_thread
#13  0x00007f67211acf88 std::_Function_handler<void (InterpreterInfo&), Datadog::Sampler::sampling_thread(unsigned long)::{lambda(InterpreterInfo&)#1}>::_M_invoke
#14  0x00007f67211aa590 for_each_interp
#15  0x00007f67211ad2f9 Datadog::Sampler::sampling_thread
#16  0x00007f67211ad4a1 call_sampling_thread
#17  0x00007f6723eaaea7 start_thread
#18  0x00007f6723fc0adf clone

The problem is similar to others we've already seen in the past; f->f_lasti was used to index into a bytecode buffer, but f was a "real" pointer and not a copy_memory'd one.
Since the GIL is not held during sampling, this is possibly an invalid read, which seems to happen rarely (I had never seen this before) but can happen.

This should only have happened on Python < 3.11 given what code it is, but it's still worth fixing.

Additionally, neither the Python < 3.10 nor the Python 3.10 code paths performed bounds checking on the computed bytecode index before accessing the c[] buffer. With stale frame data, frame.f_lasti can be an arbitrary value, leading to an out-of-bounds read on the locally-allocated bytecode buffer.

Risks

This should remove risks more than it adds. As far as I can tell, it is safe as the only changes are for reading local memory as opposed to unsafe memory.
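The two defects the description names, a raw frame pointer dereferenced without the GIL and its f_lasti used as a bytecode index with no bounds check, shown next to the hardened pattern. This is an added illustration, not echion's or this PR's code; frame_t, copy_memory, the sample buffer and the 3.10 index convention (f_lasti in 2-byte code units, bytes before 3.10) are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, minimal stand-in for a CPython frame; only the field the
 * description names is modelled. */
typedef struct {
    int f_lasti;   /* last instruction: bytes on < 3.10, 2-byte code units on 3.10 */
} frame_t;

/* Stand-in for echion's copy_memory (assumed name): copy the foreign object
 * into local storage and fail instead of dereferencing the raw pointer.
 * A real sampler reads fault-tolerantly; here memcpy stands in. */
static int copy_memory(const void *src, void *dst, size_t n) {
    if (src == NULL || dst == NULL) return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable pattern from the description: a raw frame pointer read without
 * the GIL, and its f_lasti used to index c[] with no bounds check. */
int opcode_at_unchecked(const frame_t *f, const uint8_t *c) {
    return c[f->f_lasti];
}

/* Hardened pattern: copy the frame first, compute the byte index for the
 * interpreter version, then check it against the local buffer's length.
 * Returns the opcode byte, or -1 when the frame is unreadable or stale. */
int opcode_at_checked(const frame_t *f, const uint8_t *c, size_t c_len, int py310) {
    frame_t local;
    if (copy_memory(f, &local, sizeof local) != 0) return -1;
    if (local.f_lasti < 0) return -1;              /* stale data can be negative */
    size_t idx = (size_t)local.f_lasti;
    if (py310) idx *= 2;                           /* code units to byte offset */
    if (idx >= c_len) return -1;                   /* would read past c[] */
    return c[idx];
}

/* Constructed 6-byte bytecode buffer (three 2-byte instructions) and a helper
 * that runs the checked lookup on it for a given f_lasti. */
static const uint8_t sample_code[6] = {0x64, 0x00, 0x53, 0x00, 0x01, 0x02};

int sample_opcode(int f_lasti, int py310) {
    frame_t f = { f_lasti };
    return opcode_at_checked(&f, sample_code, sizeof sample_code, py310);
}
```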

@KowalskiThomas KowalskiThomas added the Profiling Continous Profling label Mar 20, 2026
@cit-pr-commenter-54b7da


Codeowners resolved as

ddtrace/internal/datadog/profiling/stack/echion/echion/cpython/tasks.h  @DataDog/profiling-python
releasenotes/notes/fix-profiler-segv-pygenobject-raw-dereference-6ac21aa1da2048c6.yaml  @DataDog/apm-python

Co-authored-by: KowalskiThomas <14239160+KowalskiThomas@users.noreply.github.com>
@KowalskiThomas KowalskiThomas force-pushed the dd/kowalski/invalid-access-geninfo-create branch from 236bdfa to 998abc6 Compare March 20, 2026 11:36
@KowalskiThomas KowalskiThomas added the identified-by:crashtracking Identified by Crash Tracking label Mar 20, 2026
@KowalskiThomas KowalskiThomas marked this pull request as ready for review March 20, 2026 11:37
@KowalskiThomas KowalskiThomas requested review from a team as code owners March 20, 2026 11:37
@KowalskiThomas KowalskiThomas changed the title fix(profiling): fix invalid access in GenInfo::create fix(profiling): fix invalid access in GenInfo::create_impl Mar 20, 2026
@KowalskiThomas

Contributor Author

/merge


gh-worker-devflow-routing-ef8351 Bot commented Mar 20, 2026


2026-03-20 15:49:40 UTC ℹ️ Start processing command /merge


2026-03-20 15:49:44 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 3h (p90).


2026-03-20 16:43:23 UTC ℹ️ MergeQueue: This merge request was merged

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit c129b08 into main Mar 20, 2026
431 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the dd/kowalski/invalid-access-geninfo-create branch March 20, 2026 16:43