JIT: Segfault at binary_op1 #142961

@devdanzin

Description

Crash report

What happened?

It's possible to segfault a JIT build by running the code below:

def f1():
    t = (1,)
    for x in range(50):
        p = x % len(t)

for i in range(5000):
    print(i)
    f1()

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
binary_op1 (v=0x7ffff6c1bf40, w=0x6, op_slot=op_slot@entry=24) at Objects/abstract.c:947
947         if (!Py_IS_TYPE(w, Py_TYPE(v)) && Py_TYPE(w)->tp_as_number != NULL) {

#0  binary_op1 (v=0x7ffff6c1bf40, w=0x6, op_slot=op_slot@entry=24) at Objects/abstract.c:947
#1  0x000055555562e6d4 in binary_op (v=0x7ffff6c1bf40, w=0x555555aec228 <PyList_Type>, op_slot=24, op_name=<optimized out>) at Objects/abstract.c:1005
#2  PyNumber_Remainder (v=0x7ffff6c1bf40, w=0x555555aec228 <PyList_Type>) at Objects/abstract.c:1189
#3  0x00007ffff7e4aeee in ?? ()
#4  0x00007fffffffd560 in ?? ()
#5  0x00007ffff7fa301f in ?? ()
#6  0x0000555555a62210 in _PyEval_EvalFrameDefault.opcode_targets_table ()
#7  0x0000555555b6e0f0 in _PyRuntime ()
#8  0x00007ffff6d0f19c in ?? ()
#9  0x0000555555a61a10 in _Py_SpecialMethods ()
#10 0x0000555555a61a10 in _Py_SpecialMethods ()
#11 0x000055555577cbbb in _PyEval_EvalFrameDefault (tstate=<error reading variable: Cannot access memory at address 0xffffffffffffffc0>, frame=<optimized out>, throwflag=<optimized out>)
    at Python/generated_cases.c.h:5348
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Output from running with PYTHON_LLTRACE=4 PYTHON_OPT_DEBUG=4:
166_segfault_lltrace_opt_debug.txt

Found using lafleur.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

Python 3.15.0a3+ (heads/main:1391ee664c8, Dec 18 2025, 21:09:23) [Clang 21.1.2 (2ubuntu6)]
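A triage check a reviewer of a report like this one would normally run before bisecting, added here as an example (it is not part of the issue and not CPython's own tooling): it executes the reproducer from the report in a child interpreter twice, once with the JIT enabled and once with it disabled through the PYTHON_JIT environment variable (honoured by JIT-enabled CPython builds; assumed to be a no-op on builds without the JIT), and classifies the result from the child's exit status rather than from the 5000 printed lines. The names run_reproducer and classify are this example's own.

```python
"""Triage harness (added example): run the reproducer from the report in a child
interpreter with the JIT on and off, then classify the outcome from the exit status."""
import os
import signal
import subprocess
import sys

# Reproducer copied verbatim from the issue text.
REPRODUCER = """\
def f1():
    t = (1,)
    for x in range(50):
        p = x % len(t)

for i in range(5000):
    print(i)
    f1()
"""


def run_reproducer(jit_enabled, python=sys.executable, timeout=120.0):
    """Run REPRODUCER in a fresh interpreter and describe how it terminated.

    PYTHON_JIT=1/0 toggles the JIT on JIT-enabled CPython builds; on a build
    without the JIT the variable is assumed to have no effect, so both runs
    then behave identically (which is itself a useful signal during triage).
    """
    env = dict(os.environ, PYTHON_JIT="1" if jit_enabled else "0")
    proc = subprocess.run(
        [python, "-c", REPRODUCER],
        env=env,
        stdout=subprocess.DEVNULL,   # the printed loop counter is irrelevant here
        stderr=subprocess.PIPE,
        timeout=timeout,
    )
    rc = proc.returncode
    result = {"jit": jit_enabled, "returncode": rc, "signal": None, "crashed": False}
    # On POSIX, subprocess reports death-by-signal as a negative return code
    # (a SIGSEGV with or without a core dump shows up as -11 on Linux).
    if rc < 0:
        try:
            result["signal"] = signal.Signals(-rc).name
        except ValueError:
            result["signal"] = "signal %d" % -rc
        result["crashed"] = True
    elif rc != 0:
        # Non-zero exit without a signal is a Python-level error, not a crash;
        # keep stderr so the triager can see the traceback.
        result["stderr"] = proc.stderr.decode(errors="replace")
    return result


def classify(jit_result, nojit_result):
    """Summarise the two runs the way a reviewer would state it on the issue."""
    jit_crashed = jit_result["crashed"]
    nojit_crashed = nojit_result["crashed"]
    if jit_crashed and not nojit_crashed:
        return "crash reproduces only with the JIT enabled (%s)" % jit_result["signal"]
    if jit_crashed and nojit_crashed:
        return "crash reproduces with and without the JIT"
    if nojit_crashed:
        return "crash reproduces only with the JIT disabled"
    return "no crash reproduced on this build"


if __name__ == "__main__":
    with_jit = run_reproducer(True)
    without_jit = run_reproducer(False)
    print("JIT on :", with_jit)
    print("JIT off:", without_jit)
    print(classify(with_jit, without_jit))
```

On an interpreter built without the JIT both runs exit 0 and the harness reports no crash; on the JIT build described in the report the expected outcome is a crash only in the PYTHON_JIT=1 run, which is the confirmation worth pasting into the issue alongside the backtrace.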

Linked PRs

Metadata

Assignees: No one assigned

Labels:
    interpreter-core (Objects, Python, Grammar, and Parser dirs)
    topic-JIT
    type-crash (A hard crash of the interpreter, possibly with a core dump)

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests