miurahr / pyppmd

pyppmd provides classes and functions for compressing and decompressing text data, using the PPM (Prediction by Partial Matching) compression algorithm, variations H and I.2. It provides an API similar to Python's zlib/bz2/lzma modules.

Home Page: https://pyppmd.readthedocs.io/en/latest/


Fuzzer test report access violation for PPMd8 on Windows

miurahr opened this issue · comments

https://github.com/miurahr/pyppmd/pull/33/checks?check_run_id=3268207157

Windows
Python 3.9

  py39 run-test-pre: PYTHONHASHSEED='2'
  py39 run-test: commands[0] | python -m pytest -vv -s
  ============================= test session starts =============================
  platform win32 -- Python 3.9.6, pytest-6.2.4, py-1.10.0, pluggy-0.13.1 -- D:\a\pyppmd\pyppmd\.tox\py39\Scripts\python.EXE
  cachedir: .tox\py39\.pytest_cache
  hypothesis profile 'default' -> database=DirectoryBasedExampleDatabase('D:\\a\\pyppmd\\pyppmd\\.hypothesis\\examples')
  benchmark: 3.4.1 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000)
  rootdir: D:\a\pyppmd\pyppmd, configfile: tox.ini
  plugins: hypothesis-6.14.5, benchmark-3.4.1, cov-2.12.1
  collecting ... collected 22 items
  
  tests/test_benchmark.py::test_benchmark_text_compress[PPMd H-7-6-16777216] SKIPPED
  tests/test_benchmark.py::test_benchmark_text_compress[PPMd I-8-8-8388608] SKIPPED
  tests/test_benchmark.py::test_benchmark_text_decompress[PPMd H-7-6-16777216] SKIPPED
  tests/test_benchmark.py::test_benchmark_text_decompress[PPMd I-8-8-8388608] SKIPPED
  tests/test_fuzzer.py::test_ppmd7_fuzzer PASSED
  tests/test_fuzzer.py::test_ppmd8_fuzzer Windows fatal exception: access violation
  

This only happened on #33

This is reborn in the main branch now.

Here is the debugger output on Windows

Microsoft (R) Windows Debugger Version 10.0.22415.1002 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       symsrv*symsrv.dll*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: symsrv*symsrv.dll*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 00007ff6`eae90000 00007ff6`eaeac000   C:\Users\miura\AppData\Local\Programs\Python\Python39\python.exe
ModLoad: 00007ffc`52f70000 00007ffc`53165000   C:\WINDOWS\SYSTEM32\ntdll.dll
ModLoad: 00007ffc`52d40000 00007ffc`52dfd000   C:\WINDOWS\System32\KERNEL32.DLL
ModLoad: 00007ffc`506e0000 00007ffc`509a9000   C:\WINDOWS\System32\KERNELBASE.dll
ModLoad: 00007ffc`50cd0000 00007ffc`50dd0000   C:\WINDOWS\System32\ucrtbase.dll
ModLoad: 00007ffc`408b0000 00007ffc`408cb000   C:\Users\miura\AppData\Local\Programs\Python\Python39\VCRUNTIME140.dll
ModLoad: 00007ffc`14ce0000 00007ffc`15152000   C:\Users\miura\AppData\Local\Programs\Python\Python39\python39.dll
ModLoad: 00007ffc`51460000 00007ffc`514cb000   C:\WINDOWS\System32\WS2_32.dll
ModLoad: 00007ffc`51330000 00007ffc`5145a000   C:\WINDOWS\System32\RPCRT4.dll
ModLoad: 00007ffc`45790000 00007ffc`4579a000   C:\WINDOWS\SYSTEM32\VERSION.dll
ModLoad: 00007ffc`520c0000 00007ffc`5215e000   C:\WINDOWS\System32\msvcrt.dll
ModLoad: 00007ffc`524c0000 00007ffc`5256c000   C:\WINDOWS\System32\ADVAPI32.dll
ModLoad: 00007ffc`52a00000 00007ffc`52a9b000   C:\WINDOWS\System32\sechost.dll
ModLoad: 00007ffc`50060000 00007ffc`50078000   C:\WINDOWS\SYSTEM32\CRYPTSP.dll
ModLoad: 00007ffc`4f750000 00007ffc`4f784000   C:\WINDOWS\system32\rsaenh.dll
ModLoad: 00007ffc`506b0000 00007ffc`506d7000   C:\WINDOWS\System32\bcrypt.dll
ModLoad: 00007ffc`50080000 00007ffc`5008c000   C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
ModLoad: 00007ffc`50f50000 00007ffc`50fd3000   C:\WINDOWS\System32\bcryptPrimitives.dll
ModLoad: 00007ffc`41f90000 00007ffc`41f9f000   C:\Users\miura\AppData\Local\Programs\Python\Python39\python3.DLL
ModLoad: 00007ffc`3afe0000 00007ffc`3afe9000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_uuid.pyd
ModLoad: 00007ffc`3afc0000 00007ffc`3afd8000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_bz2.pyd
ModLoad: 00007ffc`3af90000 00007ffc`3afba000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_lzma.pyd
ModLoad: 00007ffc`2a940000 00007ffc`2aa54000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\unicodedata.pyd
ModLoad: 00007ffc`385f0000 00007ffc`38612000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_ctypes.pyd
ModLoad: 00007ffc`52720000 00007ffc`5284a000   C:\WINDOWS\System32\ole32.dll
ModLoad: 00007ffc`52160000 00007ffc`524b5000   C:\WINDOWS\System32\combase.dll
ModLoad: 00007ffc`3af80000 00007ffc`3af8b000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\libffi-7.dll
ModLoad: 00007ffc`51940000 00007ffc`5196a000   C:\WINDOWS\System32\GDI32.dll
ModLoad: 00007ffc`50dd0000 00007ffc`50df2000   C:\WINDOWS\System32\win32u.dll
ModLoad: 00007ffc`509b0000 00007ffc`50abb000   C:\WINDOWS\System32\gdi32full.dll
ModLoad: 00007ffc`50e50000 00007ffc`50eed000   C:\WINDOWS\System32\msvcp_win.dll
ModLoad: 00007ffc`51120000 00007ffc`512c0000   C:\WINDOWS\System32\USER32.dll
ModLoad: 00007ffc`52930000 00007ffc`529fd000   C:\WINDOWS\System32\OLEAUT32.dll
ModLoad: 00007ffc`52aa0000 00007ffc`52ad0000   C:\WINDOWS\System32\IMM32.DLL
ModLoad: 00007ffc`38340000 00007ffc`38383000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_decimal.pyd
ModLoad: 00007ffc`38310000 00007ffc`3833e000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_elementtree.pyd
ModLoad: 00007ffc`2fd70000 00007ffc`2fda1000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\pyexpat.pyd
ModLoad: 00007ffc`37fd0000 00007ffc`37fe3000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_hashlib.pyd
ModLoad: 00007ffc`12320000 00007ffc`12668000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\libcrypto-1_1.dll
ModLoad: 00007ffc`37fa0000 00007ffc`37fb6000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_socket.pyd
ModLoad: 00007ffc`4fb20000 00007ffc`4fb5b000   C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffc`385e0000 00007ffc`385ea000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\select.pyd
ModLoad: 00007ffc`37f90000 00007ffc`37f9e000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_zoneinfo.pyd
ModLoad: 00007ffc`37dd0000 00007ffc`37ddb000   C:\Users\miura\Documents\GitHub\pyppmd\build\x64-Debug\venv\lib\site-packages\coverage\tracer.cp39-win_amd64.pyd
ModLoad: 00007ffc`37ce0000 00007ffc`37cf8000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\_sqlite3.pyd
ModLoad: 00007ffc`1dbb0000 00007ffc`1dd2a000   C:\Users\miura\AppData\Local\Programs\Python\Python39\DLLs\sqlite3.dll
ModLoad: 00007ffc`35dd0000 00007ffc`35de2000   C:\Users\miura\Documents\GitHub\pyppmd\src\pyppmd\c\_ppmd.cp39-win_amd64.pyd
ModLoad: 00007ffc`35b80000 00007ffc`35b98000   C:\Users\miura\Documents\GitHub\pyppmd\build\x64-Debug\venv\lib\site-packages\psutil\_psutil_windows.cp39-win_amd64.pyd
ModLoad: 00007ffc`51320000 00007ffc`51328000   C:\WINDOWS\System32\PSAPI.DLL
ModLoad: 00007ffc`51980000 00007ffc`520bf000   C:\WINDOWS\System32\SHELL32.dll
ModLoad: 00007ffc`4fc90000 00007ffc`4fcdb000   C:\WINDOWS\SYSTEM32\POWRPROF.dll
ModLoad: 00007ffc`2acb0000 00007ffc`2ad04000   C:\WINDOWS\SYSTEM32\pdh.dll
ModLoad: 00007ffc`4fb00000 00007ffc`4fb12000   C:\WINDOWS\SYSTEM32\UMPDC.dll
ModLoad: 00007ffc`4bfc0000 00007ffc`4bfd4000   C:\WINDOWS\SYSTEM32\wtsapi32.dll
ModLoad: 00007ffc`4ef50000 00007ffc`4ef62000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
(1930.2f80): Unknown exception - code c0000374 (!!! second chance !!!)
ntdll!RtlIsZeroMemory+0x119:
00007ffc`5306f259 eb00            jmp     ntdll!RtlIsZeroMemory+0x11b (00007ffc`5306f25b)
[0x0]   ntdll!RtlIsZeroMemory + 0x119   
[0x1]   ntdll!RtlIsZeroMemory + 0xe3   
[0x2]   ntdll!RtlpNtSetValueKey + 0x4b2   
[0x3]   ntdll!RtlpNtSetValueKey + 0x79a   
[0x4]   ntdll!RtlpNtSetValueKey + 0x6421   
[0x5]   ntdll!RtlGetCurrentServiceSessionId + 0x1895   
[0x6]   ntdll!RtlGetCurrentServiceSessionId + 0x1324   
[0x7]   ntdll!RtlFreeHeap + 0x51   
[0x8]   ucrtbase!free_base + 0x1b   
[0x9]   python39!_PyEval_EvalFrameDefault + 0x7436   
[0xa]   python39!_PyEval_EvalFrame + 0x13   
[0xb]   python39!_PyEval_EvalCode + 0x2b3   
[0xc]   python39!_PyFunction_Vectorcall + 0x257   
[0xd]   python39!PyVectorcall_Call + 0xb8   
[0xe]   python39!_PyObject_Call + 0x29   
[0xf]   python39!PyObject_Call + 0x30   
[0x10]   python39!do_call_core + 0x82   
[0x0]   ntdll!ZwWaitForMultipleObjects + 0x14   
[0x1]   KERNELBASE!WaitForMultipleObjectsEx + 0xf0   
[0x2]   KERNELBASE!WaitForMultipleObjects + 0xe   
[0x3]   KERNEL32!WerpLaunchAeDebug + 0x2caa   
[0x4]   KERNEL32!WerpLaunchAeDebug + 0x26e6   
[0x5]   KERNELBASE!UnhandledExceptionFilter + 0x3d9   
[0x6]   ntdll!memset + 0x13b0   
[0x7]   ntdll!_C_specific_handler + 0x96   
[0x8]   ntdll!_chkstk + 0x11f   
[0x9]   ntdll!RtlRaiseException + 0x434   
[0xa]   ntdll!KiUserExceptionDispatcher + 0x2e   
[0xb]   0x287306267b0   
[0xc]   _ppmd_cp39_win_amd64 + 0x580e   
[0xd]   _ppmd_cp39_win_amd64 + 0x604c   
[0xe]   _ppmd_cp39_win_amd64 + 0x6140   
[0xf]   ucrtbase!configthreadlocale + 0x92   
[0x10]   KERNEL32!BaseThreadInitThunk + 0x14   
[0x11]   ntdll!RtlUserThreadStart + 0x21   
[0x0]   ntdll!ZwWaitForWorkViaWorkerFactory + 0x14   
[0x1]   ntdll!TpReleaseCleanupGroupMembers + 0x747   
[0x2]   KERNEL32!BaseThreadInitThunk + 0x14   
[0x3]   ntdll!RtlUserThreadStart + 0x21   

platform win32 -- Python 3.9.6, pytest-6.2.4, py-1.10.0, pluggy-0.13.1
benchmark: 3.4.1 (defaults: timer=time.perf_counter disable_gc=False min_rounds=5 min_time=0.000005 max_time=1.0 calibration_precision=10 warmup=False warmup_iterations=100000)
rootdir: C:\Users\miura\Documents\GitHub\pyppmd, configfile: pyproject.toml
plugins: hypothesis-6.14.6, benchmark-3.4.1, cov-2.12.1
collected 24 items

tests\test_benchmark.py ...F                                                                                     [ 16%]
tests\test_fuzzer.py ..                                                                                          [ 25%]
tests\test_highlevel_api.py ....                                                                                 [ 41%]
tests\test_ppmd7.py ......                                                                                       [ 66%]
tests\test_ppmd8.py ..FFWindows fatal exception: access violation

Thread 0x00002f80 (most recent call first):
  File "C:\Users\miura\Documents\GitHub\pyppmd\tests\test_ppmd8.py", line 84 in test_ppmd8_encode_decode
  File "C:\Users\miura\Documents\GitHub\pyppmd\build\x64-Debug\venv\lib\site-packages\_pytest\python.py", line 183 in pytest_pyfunc_call
  File "C:\Users\miura\Documents\GitHub\pyppmd\build\x64-DebuWindows fatal exception: code 0xg\c0000374

venv\lib\site-packages\pluggy\callers.py", line 187 in _multicall

[0xd] _ppmd_cp39_win_amd64 + 0x604c
00007ffc`35dd604c 8bd8 mov ebx, eax
of

00007ffc`35dd6004 c7411800000000 mov     dword ptr [rcx+18h], 0
00007ffc`35dd600b 488bf9         mov     rdi, rcx
00007ffc`35dd600e 4d8b6f78       mov     r13, qword ptr [r15+78h]
00007ffc`35dd6012 4585f6         test    r14d, r14d
00007ffc`35dd6015 0f8ece000000   jle     _ppmd_cp39_win_amd64+0x60e9 (00007ffc`35dd60e9)
00007ffc`35dd601b 48895c2440     mov     qword ptr [rsp+40h], rbx
00007ffc`35dd6020 498b4d08       mov     rcx, qword ptr [r13+8]
00007ffc`35dd6024 488b4110       mov     rax, qword ptr [rcx+10h]
00007ffc`35dd6028 48394108       cmp     qword ptr [rcx+8], rax
00007ffc`35dd602c 0f84b2000000   je      _ppmd_cp39_win_amd64+0x60e4 (00007ffc`35dd60e4)
00007ffc`35dd6032 488b4f08       mov     rcx, qword ptr [rdi+8]
00007ffc`35dd6036 488b4110       mov     rax, qword ptr [rcx+10h]
00007ffc`35dd603a 48394108       cmp     qword ptr [rcx+8], rax
00007ffc`35dd603e 0f84a0000000   je      _ppmd_cp39_win_amd64+0x60e4 (00007ffc`35dd60e4)
00007ffc`35dd6044 498bcf         mov     rcx, r15
00007ffc`35dd6047 e8c4f2ffff     call    _ppmd_cp39_win_amd64+0x5310 (00007ffc`35dd5310)
00007ffc`35dd604c 8bd8           mov     ebx, eax
00007ffc`35dd604e 83f8ff         cmp     eax, 0FFFFFFFFh
00007ffc`35dd6051 0f8488000000   je      _ppmd_cp39_win_amd64+0x60df (00007ffc`35dd60df)
00007ffc`35dd6057 83f8fe         cmp     eax, 0FFFFFFFEh
00007ffc`35dd605a 747c           je      _ppmd_cp39_win_amd64+0x60d8 (00007ffc`35dd60d8)
00007ffc`35dd605c 837f1400       cmp     dword ptr [rdi+14h], 0
00007ffc`35dd6060 7431           je      _ppmd_cp39_win_amd64+0x6093 (00007ffc`35dd6093)
00007ffc`35dd6062 85ed           test    ebp, ebp
00007ffc`35dd6064 7424           je      _ppmd_cp39_win_amd64+0x608a (00007ffc`35dd608a)
00007ffc`35dd6066 33ed           xor     ebp, ebp
00007ffc`35dd6068 83f801         cmp     eax, 1
00007ffc`35dd606b 7563           jne     _ppmd_cp39_win_amd64+0x60d0 (00007ffc`35dd60d0)

From the assembly mnemonics, the access violation happened inside the int c = Ppmd8_DecodeSymbol(cPpmd8); call.

Then [0xc] _ppmd_cp39_win_amd64 + 0x580e is 00007ffc`35dd580e 8b4b6c mov ecx, dword ptr [rbx+6Ch]

in

00007ffc`35dd56ca eb0c                   jmp     _ppmd_cp39_win_amd64+0x56d8 (00007ffc`35dd56d8)
00007ffc`35dd56cc 4c8db35c040000         lea     r14, [rbx+45Ch]
00007ffc`35dd56d3 be01000000             mov     esi, 1
00007ffc`35dd56d8 8b4368                 mov     eax, dword ptr [rbx+68h]
00007ffc`35dd56db 33d2                   xor     edx, edx
00007ffc`35dd56dd 448b5b6c               mov     r11d, dword ptr [rbx+6Ch]
00007ffc`35dd56e1 448bfe                 mov     r15d, esi
00007ffc`35dd56e4 4103f2                 add     esi, r10d
00007ffc`35dd56e7 f7f6                   div     eax, esi
00007ffc`35dd56e9 33d2                   xor     edx, edx
00007ffc`35dd56eb 448bc0                 mov     r8d, eax
00007ffc`35dd56ee 894368                 mov     dword ptr [rbx+68h], eax
00007ffc`35dd56f1 418bc3                 mov     eax, r11d
00007ffc`35dd56f4 41f7f0                 div     eax, r8d
00007ffc`35dd56f7 448bc8                 mov     r9d, eax
00007ffc`35dd56fa 413bc2                 cmp     eax, r10d
00007ffc`35dd56fd 0f829e000000           jb      _ppmd_cp39_win_amd64+0x57a1 (00007ffc`35dd57a1)
00007ffc`35dd5703 3bc6                   cmp     eax, esi
00007ffc`35dd5705 0f838c000000           jae     _ppmd_cp39_win_amd64+0x5797 (00007ffc`35dd5797)
00007ffc`35dd570b 418bc0                 mov     eax, r8d
00007ffc`35dd570e 410fafc2               imul    eax, r10d
00007ffc`35dd5712 014370                 add     dword ptr [rbx+70h], eax
00007ffc`35dd5715 442bd8                 sub     r11d, eax
00007ffc`35dd5718 450fafc7               imul    r8d, r15d
00007ffc`35dd571c 44895b6c               mov     dword ptr [rbx+6Ch], r11d
00007ffc`35dd5720 44894368               mov     dword ptr [rbx+68h], r8d
00007ffc`35dd5724 8b4b70                 mov     ecx, dword ptr [rbx+70h]
00007ffc`35dd5727 418d0408               lea     eax, [r8+rcx]
00007ffc`35dd572b 33c1                   xor     eax, ecx
00007ffc`35dd572d 3d00000001             cmp     eax, 1000000h
00007ffc`35dd5732 7214                   jb      _ppmd_cp39_win_amd64+0x5748 (00007ffc`35dd5748)
00007ffc`35dd5734 4181f800800000         cmp     r8d, 8000h
00007ffc`35dd573b 7330                   jae     _ppmd_cp39_win_amd64+0x576d (00007ffc`35dd576d)
00007ffc`35dd573d f7d9                   neg     ecx
00007ffc`35dd573f 81e1ff7f0000           and     ecx, 7FFFh
00007ffc`35dd5745 894b68                 mov     dword ptr [rbx+68h], ecx
00007ffc`35dd5748 488b4378               mov     rax, qword ptr [rbx+78h]
00007ffc`35dd574c 488bc8                 mov     rcx, rax
00007ffc`35dd574f ff10                   call    qword ptr [rax]
00007ffc`35dd5751 8b4b6c                 mov     ecx, dword ptr [rbx+6Ch]
00007ffc`35dd5754 c1636808               shl     dword ptr [rbx+68h], 8
00007ffc`35dd5758 448b4368               mov     r8d, dword ptr [rbx+68h]
00007ffc`35dd575c c1e108                 shl     ecx, 8
00007ffc`35dd575f 0fb6c0                 movzx   eax, al
00007ffc`35dd5762 0bc8                   or      ecx, eax
00007ffc`35dd5764 c1637008               shl     dword ptr [rbx+70h], 8
00007ffc`35dd5768 894b6c                 mov     dword ptr [rbx+6Ch], ecx
00007ffc`35dd576b ebb7                   jmp     _ppmd_cp39_win_amd64+0x5724 (00007ffc`35dd5724)
00007ffc`35dd576d 66410136               add     word ptr [r14], si
00007ffc`35dd5771 0f1f4000               nop     dword ptr [rax]
00007ffc`35dd5775 6666660f1f840000000000 nop     word ptr [rax+rax]
00007ffc`35dd5780 83c7ff                 add     edi, 0FFFFFFFFh
00007ffc`35dd5783 488b4cfd20             mov     rcx, qword ptr [rbp+rdi*8+20h]
00007ffc`35dd5788 0fb601                 movzx   eax, byte ptr [rcx]
00007ffc`35dd578b c644042000             mov     byte ptr [rsp+rax+20h], 0
00007ffc`35dd5790 75ee                   jne     _ppmd_cp39_win_amd64+0x5780 (00007ffc`35dd5780)
00007ffc`35dd5792 e949feffff             jmp     _ppmd_cp39_win_amd64+0x55e0 (00007ffc`35dd55e0)
00007ffc`35dd5797 b8feffffff             mov     eax, 0FFFFFFFEh
00007ffc`35dd579c e9f2000000             jmp     _ppmd_cp39_win_amd64+0x5893 (00007ffc`35dd5893)
00007ffc`35dd57a1 488b7d20               mov     rdi, qword ptr [rbp+20h]
00007ffc`35dd57a5 488d4d20               lea     rcx, [rbp+20h]
00007ffc`35dd57a9 0fb65701               movzx   edx, byte ptr [rdi+1]
00007ffc`35dd57ad 413bd1                 cmp     edx, r9d
00007ffc`35dd57b0 7713                   ja      _ppmd_cp39_win_amd64+0x57c5 (00007ffc`35dd57c5)
00007ffc`35dd57b2 488b7908               mov     rdi, qword ptr [rcx+8]
00007ffc`35dd57b6 488d4908               lea     rcx, [rcx+8]
00007ffc`35dd57ba 0fb64701               movzx   eax, byte ptr [rdi+1]
00007ffc`35dd57be 03d0                   add     edx, eax
00007ffc`35dd57c0 413bd1                 cmp     edx, r9d
00007ffc`35dd57c3 76ed                   jbe     _ppmd_cp39_win_amd64+0x57b2 (00007ffc`35dd57b2)
00007ffc`35dd57c5 0fb64701               movzx   eax, byte ptr [rdi+1]
00007ffc`35dd57c9 2bd0                   sub     edx, eax
00007ffc`35dd57cb 410fafd0               imul    edx, r8d
00007ffc`35dd57cf 015370                 add     dword ptr [rbx+70h], edx
00007ffc`35dd57d2 442bda                 sub     r11d, edx
00007ffc`35dd57d5 440fafc0               imul    r8d, eax
00007ffc`35dd57d9 44895b6c               mov     dword ptr [rbx+6Ch], r11d
00007ffc`35dd57dd 44894368               mov     dword ptr [rbx+68h], r8d
00007ffc`35dd57e1 8b4b70                 mov     ecx, dword ptr [rbx+70h]
00007ffc`35dd57e4 418d0408               lea     eax, [r8+rcx]
00007ffc`35dd57e8 33c1                   xor     eax, ecx
00007ffc`35dd57ea 3d00000001             cmp     eax, 1000000h
00007ffc`35dd57ef 7214                   jb      _ppmd_cp39_win_amd64+0x5805 (00007ffc`35dd5805)
00007ffc`35dd57f1 4181f800800000         cmp     r8d, 8000h
00007ffc`35dd57f8 7330                   jae     _ppmd_cp39_win_amd64+0x582a (00007ffc`35dd582a)
00007ffc`35dd57fa f7d9                   neg     ecx
00007ffc`35dd57fc 81e1ff7f0000           and     ecx, 7FFFh
00007ffc`35dd5802 894b68                 mov     dword ptr [rbx+68h], ecx
00007ffc`35dd5805 488b4378               mov     rax, qword ptr [rbx+78h]
00007ffc`35dd5809 488bc8                 mov     rcx, rax
00007ffc`35dd580c ff10                   call    qword ptr [rax]
00007ffc`35dd580e 8b4b6c                 mov     ecx, dword ptr [rbx+6Ch]
00007ffc`35dd5811 c1636808               shl     dword ptr [rbx+68h], 8
00007ffc`35dd5815 448b4368               mov     r8d, dword ptr [rbx+68h]
00007ffc`35dd5819 c1e108                 shl     ecx, 8
00007ffc`35dd581c 0fb6c0                 movzx   eax, al
00007ffc`35dd581f 0bc8                   or      ecx, eax
00007ffc`35dd5821 c1637008               shl     dword ptr [rbx+70h], 8
00007ffc`35dd5825 894b6c                 mov     dword ptr [rbx+6Ch], ecx
00007ffc`35dd5828 ebb7                   jmp     _ppmd_cp39_win_amd64+0x57e1 (00007ffc`35dd57e1)
00007ffc`35dd582a 410fb64e02             movzx   ecx, byte ptr [r14+2]
00007ffc`35dd582f 80f907                 cmp     cl, 7
00007ffc`35dd5832 731c                   jae     _ppmd_cp39_win_amd64+0x5850 (00007ffc`35dd5850)

This code from 00007ffc`35dd5805 can be interpreted as static void RangeDec_Decode

  call    qword ptr [rax]            // tmp3 = IByteIn_Read(p->Stream.In)
  mov     ecx, dword ptr [rbx+6Ch]   // (load from p->Code)
  shl     dword ptr [rbx+68h], 8     // p->Range <<= 8
  mov     r8d, dword ptr [rbx+68h]   // (store result)
  shl     ecx, 8                     // tmp1 = p->Code << 8
  movzx   eax, al                    // (load Byte into eax)
  or      ecx, eax                   // tmp2 = (p->Code << 8) | tmp3
  shl     dword ptr [rbx+70h], 8     // p->Low <<= 8
  mov     dword ptr [rbx+6Ch], ecx   // p->Code = (result)
    p->Code = (p->Code << 8) | IByteIn_Read(p->Stream.In);
    p->Range <<= 8;
    p->Low <<= 8;

As a result of the investigation, when thread-2 calls IByteIn_Read(), it is already gone.
It is set in static PyObject * Ppmd8Decoder_decode(Ppmd8Decoder *self, PyObject *args, PyObject *kwargs) in _ppmdmodule.c

L1397    reader.Read = (Byte (*)(void *)) TReader;

It is a critical section but it is not guarded.

Now this case is resolved, but there are still other cases.
I'd like to close here and open another issue.
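
The frame-to-instruction step used in this thread (module base from the ModLoad line plus the frame offset gives a return address, and the instruction ending at that address is the call) can be scripted for crash triage. This is an added example, not code from the issue or from pyppmd; the function names are hypothetical and SAMPLE is constructed from lines quoted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the debugger output quoted in this issue.
SAMPLE = r"""
ModLoad: 00007ffc`35dd0000 00007ffc`35de2000   C:\Users\miura\Documents\GitHub\pyppmd\src\pyppmd\c\_ppmd.cp39-win_amd64.pyd
(1930.2f80): Unknown exception - code c0000374 (!!! second chance !!!)
[0xb]   0x287306267b0
[0xc]   _ppmd_cp39_win_amd64 + 0x580e
[0xd]   _ppmd_cp39_win_amd64 + 0x604c
00007ffc`35dd6047 e8c4f2ffff     call    _ppmd_cp39_win_amd64+0x5310 (00007ffc`35dd5310)
00007ffc`35dd604c 8bd8           mov     ebx, eax
00007ffc`35dd580c ff10                   call    qword ptr [rax]
00007ffc`35dd580e 8b4b6c                 mov     ecx, dword ptr [rbx+6Ch]
"""

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000374: "STATUS_HEAP_CORRUPTION"}

def addr(text):
    """Convert WinDbg's 00007ffc`35dd0000 notation to an int."""
    return int(text.replace("`", ""), 16)

def exception_codes(log):
    """Exception codes reported by the debugger, with their NTSTATUS names."""
    codes = [int(c, 16) for c in re.findall(r"exception - code ([0-9a-f]{8})", log)]
    return [(c, NTSTATUS.get(c, "unknown")) for c in codes]

def modules(log):
    """Map module name -> (base, end) from ModLoad lines."""
    out = {}
    for base, end, path in re.findall(r"^ModLoad: (\S+) (\S+)\s+(.+)$", log, re.M):
        stem = PureWindowsPath(path.strip()).name.rsplit(".", 1)[0]
        # Assumption: non-word characters become "_", as in the names in this trace.
        out[re.sub(r"\W", "_", stem)] = (addr(base), addr(end))
    return out

def disassembly(log):
    """Map instruction address -> (length in bytes, normalised text)."""
    pat = r"^([0-9a-f]{8}`[0-9a-f]{8}) ([0-9a-f]+)\s+(.+)$"
    return {addr(a): (len(b) // 2, " ".join(t.split()))
            for a, b, t in re.findall(pat, log, re.M)}

def call_sites(log, module):
    """For each stack frame in `module`, find the call that pushed its return address."""
    base, end = modules(log)[module]
    code = disassembly(log)
    found = []
    frames = re.findall(rf"^\[0x([0-9a-f]+)\]\s+{re.escape(module)} \+ 0x([0-9a-f]+)", log, re.M)
    for idx, off in frames:
        ret = base + int(off, 16)
        if not base <= ret < end:
            raise ValueError(f"frame {idx}: offset outside module image")
        # A frame address is a return address: the caller is the call ending at it.
        call = next((t for a, (n, t) in code.items()
                     if a + n == ret and t.startswith("call")), None)
        found.append((int(idx, 16), hex(ret), call))
    return found

def unmapped_frames(log):
    """Frames shown as a bare address that lies in no listed module image."""
    spans = modules(log).values()
    bare = re.findall(r"^\[0x[0-9a-f]+\]\s+0x([0-9a-f]+)\s*$", log, re.M)
    return [hex(int(a, 16)) for a in bare if not any(lo <= int(a, 16) < hi for lo, hi in spans)]
```

On the sample, frame [0xc] resolves to the indirect call qword ptr [rax], and frame [0xb] directly above it is a bare address inside no listed module image.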