3.14.x crashes with tail call interpreter and CFLAGS="-O2 -march=znver2"

[thesamesam]

Crash report

What happened?

Building CPython 3.14.x (3.14.4, say) fails with a crash in _bootstrap_python on x86_64:

$ gdb --args ./_bootstrap_python ./Programs/_freeze_module.py stat ./Lib/stat.py Python/frozen_modules/stat.Dh
Reading symbols from ./_bootstrap_python...
(gdb) r
Starting program: /home/sam/bugs/cpython/Python-3.14.4/_bootstrap_python ./Programs/_freeze_module.py stat ./Lib/stat.py Python/frozen_modules/stat.Dh
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555630552 in PyType_HasFeature (type=type@entry=0xd85d8b4800000115, feature=feature@entry=2048) at ./Include/object.h:795
795         return ((flags & feature) != 0);
(gdb) bt
#0  0x0000555555630552 in PyType_HasFeature (type=type@entry=0xd85d8b4800000115, feature=feature@entry=2048) at ./Include/object.h:795
#1  0x000055555563057a in _PyVectorcall_FunctionInline (callable=callable@entry=0x5555557b3774 <_PyEval_EvalFrameDefault+436>) at ./Include/internal/pycore_call.h:129
#2  0x0000555555630ccf in _PyObject_VectorcallTstate (tstate=0x555555bcb170 <_PyRuntime+346736>, callable=callable@entry=0x5555557b3774 <_PyEval_EvalFrameDefault+436>, args=args@entry=0x7fffffffcb28,
    nargsf=9223372036854775812, kwnames=kwnames@entry=0x0) at ./Include/internal/pycore_call.h:172
#3  0x0000555555631269 in PyObject_Vectorcall (callable=callable@entry=0x5555557b3774 <_PyEval_EvalFrameDefault+436>, args=args@entry=0x7fffffffcb28, nargsf=<optimized out>, kwnames=kwnames@entry=0x0)
    at Objects/call.c:328
#4  0x00005555557b7e77 in _TAIL_CALL_CALL (frame=0x7ffff7faf020, stack_pointer=<optimized out>, tstate=<optimized out>, next_instr=0x22208441324, oparg=3) at Python/generated_cases.c.h:1621
Backtrace stopped: Cannot access memory at address 0xfffffffffffffffb

(I've added noipa in a few places to avoid inlining.)

I can reproduce it with:

$ ./configure --with-tail-call-interp --disable-gil CFLAGS="-O2 -ggdb3"
$ make -j$(nproc) -l$(nproc)

The important thing is that type is a garbage pointer from PyObject_Vectorcall onwards (callable->ob_type is 0xd85d8b4800000115 throughout).

I filed this as a GCC bug before (https://gcc.gnu.org/PR120870) but it's not clear GCC is wrong here, and I've reached the limit of my CPython internals digging abilities. This happens with GCC 16 and GCC trunk.

main works since df35534.

CPython versions tested on:

3.14

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

No response

[Fidget-Spinner]

Just checking, does tail calling/preserve_none on GCC 16 corrupt rbp? The interpreter loop requires it for stack checks (it uses _Py_get_machine_stack_pointer or __builtin_frame_address(0)).

I didn't backport the fix to 3.14, but you can see the fix I applied for 3.15 here https://github.com/python/cpython/pull/146524/changes

Without that fix, rbp is required on 3.14 tail calling.

[thesamesam]

It doesn't seem to clobber it and the patch hackily backported doesn't help, sadly.