Crash report
What happened?
Description
A race condition exists in the perf trampoline implementation (Python/perf_trampoline.c). When toggling sys.activate_stack_trampoline("perf") and sys.deactivate_stack_trampoline() while multiple threads are executing bytecode, a Use-After-Free (UAF) or invalid memory access occurs.
The root cause is that free_code_arenas (via munmap) releases executable memory while worker threads are still executing within a trampoline frame or attempting to unwind through it.
Impact
- Python 3.12.x: Results in an immediate Segmentation Fault (SIGSEGV). The unwinder (libgcc_s) attempts to access unmapped memory during a stack walk.
- Python 3.13 / 3.14: Results in a SystemError: error return without exception set. This indicates internal state corruption or a C-API violation where the runtime detects an invalid state but fails to handle it gracefully.
Technical Details
GDB analysis confirms that while one thread is executing free_code_arenas -> munmap to remove the executable memory page, another thread is simultaneously attempting _Unwind_ForcedUnwind through a frame located within that exact memory region.
Root Cause Analysis (GDB)
- Thread A: Executing sys.deactivate_stack_trampoline() -> _PyPerfTrampoline_Fini -> free_code_arenas.
- Thread B: Simultaneous execution or unwinding. The instruction pointer (IP) references a frame that is unmapped mid-process.
- Error: Cannot access memory at address <hex_address>, confirming the memory was freed while still in use by the unwinder.
Reproduction
The issue is most consistent when pinned to a single core to force specific thread interleaving.
Steps:
- Save the attached file.
- Run via: taskset -c 0 python3 poc.py
(I have also included a gdb backtrace output from the crash to confirm it)
Environment
- OS: Linux (Perf trampoline is Linux-specific)
- Versions: Python 3.12.12 (SIGSEGV), Python 3.13.x/3.14.dev (SystemError)
- Component: Python/perf_trampoline.c
Traceback
#0 x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63
pc = 0x725ab661e00a <error: Cannot access memory at address 0x725ab661e00a>
sc = <optimized out>
new_cfa = <optimized out>
pc = <optimized out>
sc = <optimized out>
new_cfa = <optimized out>
uc_ = <optimized out>
#1 uw_frame_state_for (context=context@entry=0x725ace5fc750, fs=fs@entry=0x725ace5fc510) at ../../../src/libgcc/unwind-dw2.c:1013
fde = 0x0
cie = <optimized out>
aug = <optimized out>
insn = <optimized out>
end = <optimized out>
#2 0x0000725ab6c86c8a in _Unwind_ForcedUnwind_Phase2 (exc=exc@entry=0x725ace5fdd30, context=context@entry=0x725ace5fc750, frames_p=frames_p@entry=0x725ace5fc658) at ../../../src/libgcc/unwind.inc:162
action = <optimized out>
stop = 0x725ad00a55c0 <unwind_stop>
stop_argument = 0x725ace5fcee0
code = <optimized out>
stop_code = <optimized out>
frames = 7
#3 0x0000725ab6c873c0 in _Unwind_ForcedUnwind (exc=0x725ace5fdd30, stop=stop@entry=0x725ad00a55c0 <unwind_stop>, stop_argument=<optimized out>) at ../../../src/libgcc/unwind.inc:218
this_context = {reg = {0x725ace5fc848, 0x725ace5fc850, 0x0, 0x725ace5fc858, 0x0, 0x0, 0x725ace5fc880, 0x0, 0x0, 0x0, 0x0, 0x0, 0x725ace5fc860, 0x725ace5fc868, 0x725ace5fc870, 0x725ace5fc878, 0x725ace5fc888, 0x0}, cfa = 0x725ace5fc890, ra = 0x725ad00a57a4 <__GI___pthread_unwind+68>, lsda = 0x0, bases = {tbase = 0x0, dbase = 0x0, func = 0x725ab6c87290 <_Unwind_ForcedUnwind>}, flags = 4611686018427387904, version = 0, args_size = 0, by_value = '\000' <repeats 17 times>}
cur_context = {reg = {0x725ace5fc848, 0x725ace5fc850, 0x0, 0x725ace5fcb08, 0x0, 0x0, 0x725ace5fcb10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x725ace5fcb18, 0x725ace5fcb20, 0x725ace5fcb28, 0x725ace5fcb30, 0x725ace5fcb38, 0x0}, cfa = 0x725ace5fcb40, ra = 0x725ab661e00a, lsda = 0x0, bases = {tbase = 0x0, dbase = 0x0, func = 0x725ad0512bd0 <_PyEval_EvalFrameDefault>}, flags = 4611686018427387904, version = 0, args_size = 0, by_value = '\000' <repeats 17 times>}
code = <optimized out>
frames = 125734373979420
#4 0x0000725ad00a57a4 in __GI___pthread_unwind (buf=<optimized out>) at ./nptl/unwind.c:130
ibuf = <optimized out>
self = <optimized out>
#5 0x0000725ad009dd22 in __do_cancel () at ../sysdeps/nptl/pthreadP.h:271
self = <optimized out>
#6 __GI___pthread_exit (value=value@entry=0x0) at ./nptl/pthread_exit.c:36
No locals.
#7 0x0000725ad0707be9 in PyThread_exit_thread () at Python/thread_pthread.h:370
No locals.
#8 0x0000725ad06c417b in take_gil (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:434
err = <optimized out>
interp = <optimized out>
ceval = <optimized out>
gil = <optimized out>
__func__ = "take_gil"
drop_requested = <optimized out>
#9 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:1058
runtime = <optimized out>
ceval = <optimized out>
interp_ceval_state = <optimized out>
__func__ = "_Py_HandlePending"
#10 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
__func__ = "_PyEval_EvalFrameDefault"
opcode = <optimized out>
oparg = <optimized out>
cframe = {current_frame = 0x725ad03021d8, previous = 0x725ace5fccf0}
entry_frame = {f_code = 0x725ad022a590, previous = 0x725ad0b07188, f_funcobj = 0x1c20ce5fcad0, f_globals = 0x725ab8000030, f_builtins = 0x725ace5fcb30, f_locals = 0x725ace5fccf0, frame_obj = 0x725ad025ce40, prev_instr = 0x725ad022a650, stacktop = 0, return_offset = 0, owner = 3 '\003', localsplus = {0x725acff04f30}}
kwnames = 0x0
prev_cframe = <optimized out>
next_instr = 0x725ad025cf1a
stack_pointer = 0x725ad0302240
exception_unwind = <optimized out>
dying = <optimized out>
#11 0x0000725ab661e00a in ?? ()
No symbol table info available.
#12 0x0000000000000000 in ?? ()
No symbol table info available.
Id Target Id Frame
* 1 Thread 0x725ace5fd6c0 (LWP 12846) (Exiting) x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63
2 Thread 0x725ab77fe6c0 (LWP 12851) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725ab77fd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
3 Thread 0x725ab7fff6c0 (LWP 12850) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725ab7ffe950, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
4 Thread 0x725acd5fb6c0 (LWP 12848) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acd5fa8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
5 Thread 0x725accdfa6c0 (LWP 12849) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725accdf98f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
6 Thread 0x725acedfe6c0 (LWP 12845) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acedfd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
7 Thread 0x725acddfc6c0 (LWP 12847) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725acddfb8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
8 Thread 0x725acf5ff6c0 (LWP 12844) 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acf5fe8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
9 Thread 0x725ad0b00b80 (LWP 12791) 0x0000725ad0125d7b in __GI_munmap () at ../sysdeps/unix/syscall-template.S:117
Thread 9 (Thread 0x725ad0b00b80 (LWP 12791)):
#0 0x0000725ad0125d7b in __GI_munmap () at ../sysdeps/unix/syscall-template.S:117
#1 0x0000725ad071b9f4 in free_code_arenas () at Python/perf_trampoline.c:315
#2 _PyPerfTrampoline_FreeArenas () at Python/perf_trampoline.c:421
#3 0x0000725ad06e7eb6 in finalize_interp_clear (tstate=tstate@entry=0x725ad0ad6db0 <_PyRuntime+458992>) at Python/pylifecycle.c:1788
#4 0x0000725ad06ebd14 in Py_FinalizeEx () at Python/pylifecycle.c:2001
#5 Py_FinalizeEx () at Python/pylifecycle.c:1812
#6 0x0000725ad071d32f in Py_RunMain () at Modules/main.c:716
#7 0x0000725ad071d4ee in pymain_main (args=0x7fffaf958bb0) at Modules/main.c:744
#8 Py_BytesMain (argc=<optimized out>, argv=<optimized out>) at Modules/main.c:768
#9 0x0000725ad002a1ca in __libc_start_call_main (main=main@entry=0x575c15e31060 <main>, argc=argc@entry=2, argv=argv@entry=0x7fffaf958d48) at ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x0000725ad002a28b in __libc_start_main_impl (main=0x575c15e31060 <main>, argc=2, argv=0x7fffaf958d48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffaf958d38) at ../csu/libc-start.c:360
#11 0x0000575c15e31095 in _start ()
Thread 8 (Thread 0x725acf5ff6c0 (LWP 12844)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acf5fe8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725acf5fe8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acf5fe8f0, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acf5fe8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acf5fe8f0) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c88d420) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c88d420) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ab6f0e00a in ?? ()
#10 0x0000000000000000 in ?? ()
Thread 7 (Thread 0x725acddfc6c0 (LWP 12847)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725acddfb8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=0, abstime=0x725acddfb8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acddfb8f0, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acddfb8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acddfb8f0) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c870600) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c870600) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ab6f0e00a in ?? ()
#10 0x0000000000000000 in ?? ()
Thread 6 (Thread 0x725acedfe6c0 (LWP 12845)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acedfd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725acedfd8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acedfd8f0, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acedfd8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acedfd8f0) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c893cc0) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c893cc0) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ab6f0e00a in ?? ()
#10 0x0000000000000000 in ?? ()
Thread 5 (Thread 0x725accdfa6c0 (LWP 12849)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725accdf98f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725accdf98f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725accdf98f0, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725accdf98f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725accdf98f0) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c86d660) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c86d660) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ab6f0e00a in ?? ()
#10 0x0000000000000000 in ?? ()
Thread 4 (Thread 0x725acd5fb6c0 (LWP 12848)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725acd5fa8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725acd5fa8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725acd5fa8f0, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725acd5fa8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725acd5fa8f0) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c8768a0) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c8768a0) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ab661e00a in ?? ()
#10 0x0000000000000000 in ?? ()
Thread 3 (Thread 0x725ab7fff6c0 (LWP 12850)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x725ab7ffe950, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=0, abstime=0x725ab7ffe950, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725ab7ffe950, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725ab7ffe950, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725ab7ffe950) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c84ef40) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c84ef40) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ad05975bd in _PyEval_EvalFrame (throwflag=0, frame=0x725acff2d338, tstate=<optimized out>) at ./Include/internal/pycore_ceval.h:89
#10 gen_send_ex2 (closing=0, exc=0, presult=<synthetic pointer>, arg=0x0, gen=0x725acff2d2f0) at Objects/genobject.c:230
#11 gen_iternext (gen=0x725acff2d2f0) at Objects/genobject.c:603
#12 0x0000725ad0560504 in PyIter_Next (iter=iter@entry=0x725acff2d2f0) at Objects/abstract.c:2847
#13 0x0000725ad068f1ab in builtin_sum_impl (module=<optimized out>, start=<optimized out>, iterable=<optimized out>) at Python/bltinmodule.c:2565
#14 builtin_sum (module=<optimized out>, args=<optimized out>, nargs=<optimized out>, kwnames=<optimized out>) at Python/clinic/bltinmodule.c.h:1143
#15 0x0000725ad05196e0 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at ./Include/cpython/methodobject.h:50
#16 0x0000725ad057d733 in _PyObject_VectorcallTstate (kwnames=0x0, nargsf=1, args=0x725ab7ffee18, callable=0x725acff59620, tstate=0x575c3c84ef40) at ./Include/internal/pycore_call.h:92
#17 method_vectorcall (method=<optimized out>, args=0x725ad0a79428 <_PyRuntime+75624>, nargsf=<optimized out>, kwnames=0x0) at Objects/classobject.c:69
#18 0x0000725ad0785eba in thread_run (boot_raw=0x575c3c834740) at ./Modules/_threadmodule.c:1116
#19 0x0000725ad07078fb in pythread_wrapper (arg=<optimized out>) at Python/thread_pthread.h:237
#20 0x0000725ad009caa4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:447
#21 0x0000725ad0129c6c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
Thread 2 (Thread 0x725ab77fe6c0 (LWP 12851)):
#0 0x0000725ad0098d71 in __futex_abstimed_wait_common64 (private=29274, cancel=true, abstime=0x725ab77fd8f0, op=137, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=29274, abstime=0x725ab77fd8f0, clockid=0, expected=0, futex_word=0x725ad0a798ec <_PyRuntime+76844>) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x725ad0a798ec <_PyRuntime+76844>, expected=expected@entry=0, clockid=clockid@entry=1, abstime=abstime@entry=0x725ab77fd8f0, private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x0000725ad009bc8e in __pthread_cond_wait_common (abstime=0x725ab77fd8f0, clockid=1, mutex=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_timedwait64 (cond=cond@entry=0x725ad0a798c0 <_PyRuntime+76800>, mutex=mutex@entry=0x725ad0a798f0 <_PyRuntime+76848>, abstime=abstime@entry=0x725ab77fd8f0) at ./nptl/pthread_cond_wait.c:652
#5 0x0000725ad06c4085 in PyCOND_TIMEDWAIT (us=<optimized out>, mut=0x725ad0a798f0 <_PyRuntime+76848>, cond=0x725ad0a798c0 <_PyRuntime+76800>) at Python/condvar.h:73
#6 take_gil (tstate=tstate@entry=0x575c3c8a51f0) at Python/ceval_gil.c:376
#7 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c8a51f0) at Python/ceval_gil.c:1058
#8 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#9 0x0000725ab6f0e00a in ?? ()
#10 0x0000000000000000 in ?? ()
Thread 1 (Thread 0x725ace5fd6c0 (LWP 12846) (Exiting)):
#0 x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63
#1 uw_frame_state_for (context=context@entry=0x725ace5fc750, fs=fs@entry=0x725ace5fc510) at ../../../src/libgcc/unwind-dw2.c:1013
#2 0x0000725ab6c86c8a in _Unwind_ForcedUnwind_Phase2 (exc=exc@entry=0x725ace5fdd30, context=context@entry=0x725ace5fc750, frames_p=frames_p@entry=0x725ace5fc658) at ../../../src/libgcc/unwind.inc:162
#3 0x0000725ab6c873c0 in _Unwind_ForcedUnwind (exc=0x725ace5fdd30, stop=stop@entry=0x725ad00a55c0 <unwind_stop>, stop_argument=<optimized out>) at ../../../src/libgcc/unwind.inc:218
#4 0x0000725ad00a57a4 in __GI___pthread_unwind (buf=<optimized out>) at ./nptl/unwind.c:130
#5 0x0000725ad009dd22 in __do_cancel () at ../sysdeps/nptl/pthreadP.h:271
#6 __GI___pthread_exit (value=value@entry=0x0) at ./nptl/pthread_exit.c:36
#7 0x0000725ad0707be9 in PyThread_exit_thread () at Python/thread_pthread.h:370
#8 0x0000725ad06c417b in take_gil (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:434
#9 0x0000725ad06c4d33 in _Py_HandlePending (tstate=tstate@entry=0x575c3c885740) at Python/ceval_gil.c:1058
#10 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:836
#11 0x0000725ab661e00a in ?? ()
#12 0x0000000000000000 in ?? ()
PoC

```python
import sys
import threading
import time
import os

# consistent seg fault crash PoC for perf trampoline
def heavy_workload():
    """
    Runs continuous Python bytecode loops.
    This keeps the thread inside the 'py_trampoline_evaluator' function
    in the C runtime, making it vulnerable when the state is freed.
    """
    while True:
        # Simple arithmetic to keep the interpreter busy
        _ = sum(i * i for i in range(500))

def trigger_race():
    print(f"[+] PID: {os.getpid()}")
    print("[+] Spawning worker threads to occupy the evaluator...")
    # Spawn multiple threads to increase the probability that one is
    # inside the critical section when we deactivate.
    for _ in range(8):
        t = threading.Thread(target=heavy_workload, daemon=True)
        t.start()
    print("[+] Starting toggle loop (Activate <-> Deactivate)...")
    print("[!] This may take a few seconds to crash the interpreter.")
    iteration = 0
    while True:
        sys.activate_stack_trampoline("perf")
        # No sleep, no prints, just pure race
        sys.deactivate_stack_trampoline()

if __name__ == "__main__":
    trigger_race()
```

CPython versions tested on:
3.12, 3.14, 3.13
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.12.12 (main, Dec 22 2025, 15:14:56) [GCC 13.3.0]
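A triage helper for `thread apply all bt` output like the trace above, added here as an example and not part of the original report: it flags threads whose `_PyEval_EvalFrameDefault` frame returns into an unsymbolized (`??`) address, and records whether that thread is currently inside the `_Unwind_*` machinery. The sample input is constructed and abbreviated from the report's frames; `parse_threads`, `triage` and the "`??` caller means trampoline arena" heuristic are assumptions of this example.

```python
import re

# Constructed sample: frames abbreviated from the backtrace in this report;
# the "Thread 3" header values are made up for illustration.
SAMPLE_BT = """\
Thread 3 (Thread 0x700000000001 (LWP 11111)):
#0 take_gil (tstate=0x1) at Python/ceval_gil.c:376
#1 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>) at Python/ceval.c:836
#2 0x0000725ad05975bd in _PyEval_EvalFrame (throwflag=0) at ./Include/internal/pycore_ceval.h:89
Thread 2 (Thread 0x725ab77fe6c0 (LWP 12851)):
#0 take_gil (tstate=0x575c3c8a51f0) at Python/ceval_gil.c:376
#1 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>) at Python/ceval.c:836
#2 0x0000725ab6f0e00a in ?? ()
#3 0x0000000000000000 in ?? ()
Thread 1 (Thread 0x725ace5fd6c0 (LWP 12846) (Exiting)):
#0 x86_64_fallback_frame_state (context=0x725ace5fc750, fs=0x725ace5fc510) at ./md-unwind-support.h:63
#1 0x0000725ab6c873c0 in _Unwind_ForcedUnwind (exc=0x725ace5fdd30) at ../../../src/libgcc/unwind.inc:218
#2 0x0000725ad0707be9 in PyThread_exit_thread () at Python/thread_pthread.h:370
#3 0x0000725ad0517202 in _PyEval_EvalFrameDefault (tstate=<optimized out>) at Python/ceval.c:836
#4 0x0000725ab661e00a in ?? ()
#5 0x0000000000000000 in ?? ()
"""

THREAD_RE = re.compile(r"^Thread (\d+) \(Thread 0x[0-9a-f]+ \(LWP \d+\)")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:(0x[0-9a-f]+) in )?(\S+) \(")

def parse_threads(text):
    """Return {gdb thread number: [(frame_no, return_addr_or_None, function), ...]}."""
    threads, cur = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            cur = threads.setdefault(int(m.group(1)), [])
            continue
        m = FRAME_RE.match(line)
        if m and cur is not None:
            addr = int(m.group(2), 16) if m.group(2) else None
            cur.append((int(m.group(1)), addr, m.group(3)))
    return threads

def triage(text):
    report = {}
    for tid, frames in parse_threads(text).items():
        # Assumed heuristic: an unsymbolized, non-null caller of the evaluator
        # is a return address into a trampoline code arena.
        hits = [up[1] for fr, up in zip(frames, frames[1:])
                if fr[2] == "_PyEval_EvalFrameDefault" and up[2] == "??" and up[1]]
        if hits:
            report[tid] = {"arena_return_addrs": hits,
                           "unwinding": any(f[2].startswith("_Unwind_") for f in frames)}
    return report
```

A thread reported with `unwinding: True` is one whose stack walk has to pass through the flagged address, so that address can be compared against the process mappings in the core to see whether the page is still mapped.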