JIT: failed assertion in _POP_TOP_NOP calling str() on variable due to wrong reference information #138431
Description
Crash report
What happened?
It's possible to abort the interpreter by running the following MRE in a patched JIT build. Please let me know whether you can reproduce this issue.
To get this abort, it's necessary to apply this diff before compiling with flags ./configure --with-pydebug --enable-experimental-jit:
diff --git a/Include/internal/pycore_backoff.h b/Include/internal/pycore_backoff.h
index 454c8dde031..9e21c41421a 100644
--- a/Include/internal/pycore_backoff.h
+++ b/Include/internal/pycore_backoff.h
@@ -99,8 +99,8 @@ backoff_counter_triggers(_Py_BackoffCounter counter)
// Must be larger than ADAPTIVE_COOLDOWN_VALUE, otherwise when JIT code is
// invalidated we may construct a new trace before the bytecode has properly
// re-specialized:
-#define JUMP_BACKWARD_INITIAL_VALUE 4095
-#define JUMP_BACKWARD_INITIAL_BACKOFF 12
+#define JUMP_BACKWARD_INITIAL_VALUE 63
+#define JUMP_BACKWARD_INITIAL_BACKOFF 6
static inline _Py_BackoffCounter
initial_jump_backoff_counter(void)
{
@@ -112,8 +112,8 @@ initial_jump_backoff_counter(void)
* Must be larger than ADAPTIVE_COOLDOWN_VALUE,
* otherwise when a side exit warms up we may construct
* a new trace before the Tier 1 code has properly re-specialized. */
-#define SIDE_EXIT_INITIAL_VALUE 4095
-#define SIDE_EXIT_INITIAL_BACKOFF 12
+#define SIDE_EXIT_INITIAL_VALUE 63
+#define SIDE_EXIT_INITIAL_BACKOFF 6
static inline _Py_BackoffCounter
initial_temperature_backoff_counter(void)MRE
def f1():
for x in range(200):
if x == 148:
x = "abcdef"
str(x)
for _ in range(300):
f1()Backtrace:
python: _POP_TOP_NOP.c:121: _Py_CODEUNIT *_JIT_ENTRY(_PyInterpreterFrame *, _PyStackRef *, PyThreadState *): Assertion `PyStackRef_IsNull(value) || (!PyStackRef_RefcountOnObject(value)) || _Py_IsImmortal((PyStackRef_AsPyObjectBorrow(value)))' failed.
Program received signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7c4527e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7c288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7c2881b in __assert_fail_base (fmt=0x7ffff7dd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x7ffff7e15957 "PyStackRef_IsNull(value) || (!PyStackRef_RefcountOnObject(value)) || _Py_IsImmortal((PyStackRef_AsPyObjectBorrow(value)))", file=file@entry=0x7ffff7e159d1 "_POP_TOP_NOP.c", line=line@entry=121,
function=function@entry=0x7ffff7e159e0 "_Py_CODEUNIT *_JIT_ENTRY(_PyInterpreterFrame *, _PyStackRef *, PyThreadState *)")
at ./assert/assert.c:96
#6 0x00007ffff7c3b517 in __assert_fail (
assertion=0x7ffff7e15957 "PyStackRef_IsNull(value) || (!PyStackRef_RefcountOnObject(value)) || _Py_IsImmortal((PyStackRef_AsPyObjectBorrow(value)))", file=0x7ffff7e159d1 "_POP_TOP_NOP.c", line=121,
function=0x7ffff7e159e0 "_Py_CODEUNIT *_JIT_ENTRY(_PyInterpreterFrame *, _PyStackRef *, PyThreadState *)") at ./assert/assert.c:105
#7 0x00007ffff7e14047 in ?? ()
#8 0x0000555555e4f8f2 in ?? ()
#9 0x00007ffff79c7017 in ?? ()
#10 0x0000555555e5f9f0 in ?? ()
#11 0x00007ffff79c7000 in ?? ()
#12 0x00007ffff7e290f8 in ?? ()
#13 0x00007ffff7e29090 in ?? ()
#14 0x0000555555cc3238 in _PyRuntime ()
#15 0x00005555557c7a67 in _PyEval_EvalFrameDefault (tstate=<optimized out>, frame=0x555555cc3238 <_PyRuntime+331128>, throwflag=0)
at Python/generated_cases.c.h:5600
#16 0x00005555557db29b in _PyEval_EvalFrame (tstate=tstate@entry=0x555555cc3238 <_PyRuntime+331128>, frame=frame@entry=0x7ffff7e29020,
throwflag=throwflag@entry=0) at ./Include/internal/pycore_ceval.h:119
#17 0x00005555557db46c in _PyEval_Vector (tstate=tstate@entry=0x555555cc3238 <_PyRuntime+331128>, func=func@entry=0x7ffff7a4a8d0,
--Type <RET> for more, q to quit, c to continue without paging--
locals=locals@entry=0x7ffff7a58470, args=args@entry=0x0, argcount=argcount@entry=0, kwnames=kwnames@entry=0x0)
at Python/ceval.c:1981
#18 0x00005555557db568 in PyEval_EvalCode (co=co@entry=0x7ffff7a40a60, globals=globals@entry=0x7ffff7a58470,
locals=locals@entry=0x7ffff7a58470) at Python/ceval.c:872
Output with PYTHON_LLTRACE=4: lltrace_1771.txt
Output with PYTHON_OPT_DEBUG=4: opt_debug_1771.txt
Found using lafleur.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Linux
Output from running 'python -VV' on the command line:
Python 3.15.0a0 (heads/main-dirty:57eab1b8f78, Sep 3 2025, 06:03:53) [GCC 13.3.0]