Message 103486 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	abacabadabacaba
Recipients	abacabadabacaba, rhettinger
Date	2010-04-18.12:42:58
SpamBayes Score	8.846092e-09
Marked as misclassified	No
Message-id	<1271594580.99.0.484248787628.issue8420@psf.upfronthosting.co.za>
In-reply-to

Content
This patch still assumes that if so->table didn't change then the table wasn't reallocated (see http://en.wikipedia.org/wiki/ABA_problem). One solution is to check that so->mask didn't change as well. Also, checking that refcnt > 1 is redundant because if entry->key == startkey then there are at least two references: one from entry->key and another from startkey. These functions have a bug that may cause them to refer to deallocated memory when both arguments are sets: set_intersection, set_isdisjoint, set_difference_update_internal, set_difference, set_symmetric_difference_update, set_issubset. These functions may also do the same if the first argument is a set and the second argument is a dict: set_difference, set_symmetric_difference_update. Bugs in set_repr: > keys = PySequence_List((PyObject )so); > if (keys == NULL) > goto done; > > listrepr = PyObject_Repr(keys); > Py_DECREF(keys); List pointed to by keys is already deallocated at this point. > if (listrepr == NULL) { > Py_DECREF(keys); But this code tries to DECREF it. > goto done; > } > newsize = PyUnicode_GET_SIZE(listrepr); > result = PyUnicode_FromUnicode(NULL, newsize); > if (result) { > u = PyUnicode_AS_UNICODE(result); > u++ = '{'; > /* Omit the brackets from the listrepr / > Py_UNICODE_COPY(u, PyUnicode_AS_UNICODE(listrepr)+1, > PyUnicode_GET_SIZE(listrepr)-2); > u += newsize-2; > u++ = '}'; > } > Py_DECREF(listrepr); > if (Py_TYPE(so) != &PySet_Type) { result may be NULL here. > PyObject *tmp = PyUnicode_FromFormat("%s(%U)", > Py_TYPE(so)->tp_name, > result); I think PyUnicode_FromFormat won't like it. > Py_DECREF(result); > result = tmp; > }

This patch still assumes that if so->table didn't change then the table wasn't reallocated (see http://en.wikipedia.org/wiki/ABA_problem). One solution is to check that so->mask didn't change as well. Also, checking that refcnt > 1 is redundant because if entry->key == startkey then there are at least two references: one from entry->key and another from startkey.

These functions have a bug that may cause them to refer to deallocated memory when both arguments are sets: set_intersection, set_isdisjoint, set_difference_update_internal, set_difference, set_symmetric_difference_update, set_issubset.
These functions may also do the same if the first argument is a set and the second argument is a dict: set_difference, set_symmetric_difference_update.

Bugs in set_repr:
> keys = PySequence_List((PyObject *)so);
> if (keys == NULL)
> 	goto done;
> 
> listrepr = PyObject_Repr(keys);
> Py_DECREF(keys);
List pointed to by keys is already deallocated at this point.
> if (listrepr == NULL) {
> 	Py_DECREF(keys);
But this code tries to DECREF it.
> 	goto done;
> }
> newsize = PyUnicode_GET_SIZE(listrepr);
> result = PyUnicode_FromUnicode(NULL, newsize);
> if (result) {
> 	u = PyUnicode_AS_UNICODE(result);
> 	*u++ = '{';
> 	/* Omit the brackets from the listrepr */
> 	Py_UNICODE_COPY(u, PyUnicode_AS_UNICODE(listrepr)+1,
> 			   PyUnicode_GET_SIZE(listrepr)-2);
> 	u += newsize-2;
> 	*u++ = '}';
> }
> Py_DECREF(listrepr);
> if (Py_TYPE(so) != &PySet_Type) {
result may be NULL here.
> 	PyObject *tmp = PyUnicode_FromFormat("%s(%U)",
> 					     Py_TYPE(so)->tp_name,
> 					     result);
I think PyUnicode_FromFormat won't like it.
> 	Py_DECREF(result);
> 	result = tmp;
> }

History
Date	User	Action	Args
2010-04-18 12:43:01	abacabadabacaba	set	recipients: + abacabadabacaba, rhettinger
2010-04-18 12:43:00	abacabadabacaba	set	messageid: <1271594580.99.0.484248787628.issue8420@psf.upfronthosting.co.za>
2010-04-18 12:42:59	abacabadabacaba	link	issue8420 messages
2010-04-18 12:42:58	abacabadabacaba	create