Re: use after free in python notmuch2 bindings

Subject: Re: use after free in python notmuch2 bindings

Date: Fri, 07 Jan 2022 09:06:42 -0400
From: David Bremner

David Bremner <> writes:

> I've been attempting to port nmweb to the new bindings, but I got stuck
> on a bug that segfaults python. I attached a reduced version that
> reproduces the problem for me. It uses recent messages from the notmuch
> list; if others can't reproduce let me know and I will try to make
> something more self-contained including a message set.

Attached is a slightly simpler (and more informative) reproducer.

It produces the following output for me:

7f23164b6cd0 <notmuch2.Thread object at 0x7f23164b6cd0> <cdata 'struct _notmuch_message *' 0x137a000>
     7f23164b6a90 <NotmuchIter> <cdata 'struct _notmuch_message *' 0x13636f0>
         7f23164b6910 <NotmuchIter>
  <cdata 'struct _notmuch_message *' 0x139a6b0>
             7f23164c3070 <NotmuchIter>
  <cdata 'struct _notmuch_message *' 0x139b8e0>
             7f23164c30d0 <NotmuchIter> <cdata 'struct _notmuch_message *' 0x13636f0>
     7f23164b68e0 <NotmuchIter> <cdata 'struct _notmuch_message *' 0x139a6b0>
         7f23164b6a00 <NotmuchIter> <cdata 'struct _notmuch_message *' 0x139b8e0>
zsh: IOT instruction  python3

The IOT instruction is actually talloc aborting. If I leave in the call
to msg.header, it segfaults as before.

I noticed that the message struct 0x139b8e0 is visited twice, once as
part of the thread and once as part of reply-to-reply-to-reply.

I think the issue here is that bindings destroy the iterator for
replies, but the library docs say

 * The returned list will be destroyed when the thread is
 * destroyed.

Perhaps that needs to be worded more strongly, to forbid the user from
calling notmuch_messages_destroy. I still need to untangle the intended
ownership semantics to be sure.
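As an added illustration of the ownership question raised above, here is a self-contained Python model; it is not code from this thread, from the notmuch2 bindings or from libnotmuch. It stands in a talloc-like hierarchical allocator (`OwnerModel`), a library whose thread owns its reply lists in the sense of the quoted doc comment (`ModelLibrary`, with constructed `thread_new`, `message_get_replies`, `messages_destroy` and `thread_destroy` stand-ins), and two wrapper strategies: one that calls the list destructor itself and one that leaves the list to its parent. Walking the thread twice, as a renderer that visits a message via two paths would, shows the first strategy touching a dead handle while the second frees everything exactly once when the thread goes away.

```python
"""Constructed model of parent-owned lists; not notmuch2 or libnotmuch code."""
import itertools


class UseAfterFree(RuntimeError):
    """Raised when the model touches a handle that has already been freed."""


class OwnerModel:
    """Stand-in for a hierarchical allocator: freeing a parent frees its children."""

    def __init__(self):
        self._ids = itertools.count(0x1000)
        self.live = {}      # handle -> parent handle (None for a root)
        self.children = {}  # handle -> set of child handles

    def alloc(self, parent=None):
        h = next(self._ids)
        self.live[h] = parent
        self.children[h] = set()
        if parent is not None:
            self.children[parent].add(h)
        return h

    def free(self, h):
        if h not in self.live:
            raise UseAfterFree(f"free of dead handle {h:#x}")
        for child in list(self.children[h]):
            self.free(child)
        parent = self.live.pop(h)
        del self.children[h]
        if parent is not None:
            self.children[parent].discard(h)

    def check(self, h):
        if h not in self.live:
            raise UseAfterFree(f"access to dead handle {h:#x}")


class ModelLibrary:
    """Constructed library: one thread, one top-level message, one reply.

    The replies list is allocated as a child of the thread, so the thread,
    not the caller, is responsible for destroying it.
    """

    def __init__(self):
        self.mem = OwnerModel()
        self.toplevel = {}  # thread handle -> [message handles]
        self.replies = {}   # message handle -> replies list handle
        self.lists = {}     # list handle -> [message handles]

    def thread_new(self):
        t = self.mem.alloc()
        top = self.mem.alloc(t)
        reply = self.mem.alloc(t)
        lst = self.mem.alloc(t)  # owned by the thread
        self.toplevel[t] = [top]
        self.replies[top] = lst
        self.lists[lst] = [reply]
        return t

    def thread_get_toplevel(self, t):
        self.mem.check(t)
        return list(self.toplevel[t])

    def message_get_replies(self, msg):
        self.mem.check(msg)
        return self.replies.get(msg)

    def messages_iter(self, lst):
        self.mem.check(lst)  # iterating a freed list is the use-after-free
        return list(self.lists[lst])

    def messages_destroy(self, lst):
        self.mem.free(lst)

    def thread_destroy(self, t):
        self.mem.free(t)


def walk(lib, msg, on_done):
    """Visit msg and its replies recursively; on_done plays the wrapper's destructor."""
    seen = [msg]
    lst = lib.message_get_replies(msg)
    if lst is not None:
        for reply in lib.messages_iter(lst):
            seen += walk(lib, reply, on_done)
        on_done(lib, lst)
    return seen


def destroy_on_done(lib, lst):
    """Strategy 1: the wrapper destroys the list itself (conflicts with thread ownership)."""
    lib.messages_destroy(lst)


def leave_to_parent(lib, lst):
    """Strategy 2: the list belongs to the thread; the wrapper does nothing."""


def run(on_done):
    """Walk the thread twice, then destroy it; returns (visited handles, allocator)."""
    lib = ModelLibrary()
    t = lib.thread_new()
    seen = []
    for _ in range(2):
        for top in lib.thread_get_toplevel(t):
            seen += walk(lib, top, on_done)
    lib.thread_destroy(t)
    return seen, lib.mem


def fails_with_use_after_free(on_done):
    """True if the given wrapper strategy trips the dead-handle check."""
    try:
        run(on_done)
    except UseAfterFree:
        return True
    return False


if __name__ == "__main__":
    print("wrapper destroys list ->", fails_with_use_after_free(destroy_on_done))
    seen, mem = run(leave_to_parent)
    print("parent-owned -> visited", len(seen), "messages, live handles:", mem.live)
```

The model's only rule is the one in the quoted doc comment: a list allocated under a thread is freed with the thread. Any wrapper finalizer that also frees it either leaves a dangling handle for the next traversal or frees it twice when the thread is destroyed, which is the shape of the talloc abort and the segfault reported above.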
