[issue24069] Option to delete obsolete bytecode files
Steven D'Aprano added the comment: This would be risky, as byte-code only libraries do exist. I think that deleting orphaned .pyc files from inside the __pycache__ directory is safe, but deleting orphaned .pyc files outside of that risks deleting legitimate byte-code libraries which are in use. -- nosy: +steven.daprano ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24069 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24076] sum() several times slower on Python 3
Steven D'Aprano added the comment: Antoine asked: If someone has actual code that suffers from this, it would be good to know about it. You might have missed Ćukasz' earlier comment: In this particular case, there's internal usage at Twitter that unearthed it. The example is just a simplified repro. -- nosy: +steven.daprano ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24076 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24071] Python 2.7.8, 2.7.9 re.MULTILINE failure
R. David Murray added the comment: It is, however, frequently reported as a bug, if that makes you feel any better :) -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24071 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24109] Documentation for difflib uses optparse
R. David Murray added the comment: It wouldn't be a bad idea. Of course, you'd also need to update Tools/script/diff.py. Tests should be added as well, since we have started adding tests for things in Tools. The tests should be written first, to make sure that the behavior of 'diff' does not change, since I know there are people actively using it (on Windows). I think it would also be a good idea to change the docs so that the actual diff script is embedded in the docs (sphinx has a directive for doing that), rather that duplicating the code. -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24109 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24092] Use after free in Element.extend (2)
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +eli.bendersky, scoder, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24092 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24093] Use after free in Element.remove
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +eli.bendersky, scoder, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24093 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24066] send_message should take all the addresses in the To: header into account
R. David Murray added the comment: Can you write a test that shows the failure? There is an existing test that demonstrates sending to multiple addresses (testSendMessageWithAddresses), so you must have found an edge case that isn't tested. (Either that, or the existing test is broken.) -- stage: patch review - test needed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24066 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24101] Use after free in siftup
Changes by Raymond Hettinger raymond.hettin...@gmail.com: -- assignee: - rhettinger nosy: +rhettinger ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24101 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24068] statistics module - incorrect results with boolean input
R. David Murray added the comment: I wonder if it would be better to reject Bool data in this context? Bool is only a numeric type for historical reasons. -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24068 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24060] Clearify necessities for logging with timestamps
R. David Murray added the comment: Sounds good to me. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24060 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free in get_filter
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +ezio.melotti, pitrou, rhettinger, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24097] Use after free in PyObject_GetState
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +alexandre.vassalotti, pitrou, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24097 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24094] Use after free during json encoding (PyType_IsSubtype)
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +ezio.melotti, pitrou, rhettinger, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24094 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24095] Use after free during json encoding a dict (2)
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +ezio.melotti, pitrou, rhettinger, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24095 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24082] Obsolete note in argument parsing (c-api/arg.rst)
R. David Murray added the comment: The note is still valid concerning the length. (Perhaps Victor should have deprected u instead of fixing it.) -- nosy: +haypo, r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24082 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24052] sys.exit(code) returns success to the OS for some nonzero values of code
R. David Murray added the comment: I meant when it is otherwise out of range. That is, treat it like any other object that can't be returned as the return code: print it. But only if it can't otherwise be used as the exit code. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24052 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24088] yield expression confusion
R. David Murray added the comment: Yes, and it is not using generator function in two different ways: it is literally the case that calling the generator function returns a generator object, which in turn controls the execution of the generator function. The text then goes on to explain how this works. I think it would make sense to change controls execution of a generator function to controls execution of the generator function, but I can't think of any other change that would make things clearer. -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24088 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24090] Add a copy vale to clipboard option to the debugger
Terry J. Reedy added the comment: As presented, this idea seems out of scope for Idle. First, Idle is concerned with editing code, submitting it for execution, and displaying stdout and seterr output from the execution. Idle normally knows nothing about name bindings created by user code in the user process. The code for menu commands is executed in the Idle process. The code you displayed would have to be executed in the user process as part of user code. Second, your request is for a very specific personal need. Running for i in range(1000): print('a'*100) in 3.4.3 does not make Shell sluggish for me. How much output, on what system, with what version, is a problem for you? However, selecting a 1000 line block -- which is at least as likely to be output (as above) as an output representation -- is not pleasant. A new Select Block option, active in Shell, would be generally useful. The selected block could then be copied. Deletion is not currently possible, but I might like to change that too. The debugger is an exception to Idle's normal ignorance of user code global and local namespaces. The debugger window (which needs upgrading) can display names and object representations of both namespaces. I do not know what it currently does with long representations (say 1000 chars or more), but they are clearly problematical and might best be truncated if not already. Once the debugger has already pulled a string representation into the Idle process. reusing the existing Copy (to clipboard) function should be fairly easy. -- nosy: +terry.reedy title: Add a copy variable to clipboard option to the edit menu - Add a copy vale to clipboard option to the debugger ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24090 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24090] Add a copy value to clipboard option to the debugger
Changes by Terry J. Reedy tjre...@udel.edu: -- title: Add a copy vale to clipboard option to the debugger - Add a copy value to clipboard option to the debugger ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24090 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24068] statistics module - incorrect results with boolean input
Steven D'Aprano added the comment: The patch seems simple and straightforward enough. It just needs some tests, and a Round Tuit. -- assignee: - steven.daprano ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24068 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24106] Messed up indentation makes undesired piece of code being run!
R. David Murray added the comment: Oops. Yes, that's what I meant :) Thanks for the correction and link, Eric. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24106 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24068] statistics module - incorrect results with boolean input
Changes by Steven D'Aprano steve+pyt...@pearwood.info: -- stage: - test needed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24068 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24110] zipfile.ZipFile.write() does not accept bytes arcname
R. David Murray added the comment: We should either make it work with byte filenames, or allow control of the filename encoding. See also issue 20329. Unfortunately that part is probably a new feature. In the meantime the docs should be fixed: I believe we automatically encode the filename using the default zip filename codec (but someone should check). -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24110 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24110] zipfile.ZipFile.write() does not accept bytes arcname
Serhiy Storchaka added the comment: Indeed, the note is outdated and incorrect. First, general unicode filename are allowed. They are encoded with UTF-8 internally. Second, currently there is no way to create an entry without encoding the filename to UTF-8 (if it is not ASCII-only). So you can't create ZIP file with arbitrary encoding (e.g. cp866) for old DOS/Windows unzippers. Adding support of bytes filenames is different issue (issue10757). -- nosy: +serhiy.storchaka stage: - needs patch versions: -Python 3.6 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24110 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24052] sys.exit(code) returns success to the OS for some nonzero values of code
Steven D'Aprano added the comment: Maybe I've misunderstood RDM's comment, but if sys.exit(code) starts automatically printing the return code, that's going to break a lot of scripts. -- nosy: +steven.daprano ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24052 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24081] Obsolete caveat in reload() docs
R. David Murray added the comment: This generally comes up in the context of a module importing another module, and *that* module fails to import. The first module is left in sys.modules as a stub. Try that experiment, I'm pretty sure that is still true. -- nosy: +r.david.murray ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24081 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24052] sys.exit(code) returns success to the OS for some nonzero values of code
Serhiy Storchaka added the comment: Python 2 prints large return code only by accident, because it have unsupported type (sys.exit supports only int, not long). This is considered as a bug (issue14376) because small return codes of type long (0L or 1L) are printed too. I don't think this issue need other fix besides a note that the program can return success for some non-zero values. -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24052 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Changes by Antoine Pitrou pit...@free.fr: -- nosy: +benjamin.peterson, brett.cannon, georg.brandl, ncoghlan ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24056] Expose closure generator status in function repr()
Terry J. Reedy added the comment: Describing generator functions as such is a great idea. But how about generator function f at 0x7f7dad9f7bf8 Marking closure functions as such is a bit more subtle. However, there ia a real point that closure functions have a hidden input. If it is mutated or rebound, the function will not be deterministic with respect to its overt input arguments. Closure functions are similar to methods in this respect. Await functions (Guido's name choice as of today), if the PEP is approved, will also need to be identified as such. I propose a uniform format of no prefix, a single prefic or a (tuple) of prefixes. -- nosy: +terry.reedy ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24056 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Serhiy Storchaka added the comment: The use of PYTHONDONTWRITEBYTECODE is not a workaround because it makes your to have memory overhead unconditionally. The compiler needs more momory than require compiled data itself. If this is an issue, I suggest to use different representation for the data: JSON, pickle, or just marshal. Also it may be faster. Try also CSV or custom simple format if it is appropriate. -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24102] Multiple type confusions in unicode error handlers
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +Interpreter Core, Unicode nosy: +doerwalter, ezio.melotti, haypo, lemburg, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24102 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24100] Use after free in siftdown (2)
Changes by Serhiy Storchaka storch...@gmail.com: -- stage: - patch review ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24100 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24099] Use after free in siftdown (1)
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24099 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24100] Use after free in siftdown (2)
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24100 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24098] Multiple use after frees in obj2ast_* methods
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24098 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24105] Use after free during json encoding a dict (3)
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +Extension Modules nosy: +ezio.melotti, pitrou, rhettinger, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24105 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24105] Use after free during json encoding a dict (3)
Raymond Hettinger added the comment: Please don't file a multiple tracker items for the same module. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24105 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24103] Use after free in xmlparser_setevents (1)
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +XML nosy: +christian.heimes, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24103 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24104] Use after free in xmlparser_setevents (2)
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +XML nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24104 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24101] Use after free in siftup
Changes by Serhiy Storchaka storch...@gmail.com: -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24101 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24082] Obsolete note in argument parsing (c-api/arg.rst)
Serhiy Storchaka added the comment: About wording see also issue23088. About possible deprecating see issue24009. -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24082 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24091] Use after free in Element.extend (1)
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +Extension Modules, XML nosy: +eli.bendersky, scoder, serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24091 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24076] sum() several times slower on Python 3
Stefan Behnel added the comment: I tried implementing a freelist. Patch attached, mostly adapted from the one in dictobject.c, but certainly needs a bit of cleanup. The results are not bad, about 10-20% faster: Original: $ ./python -m timeit 'sum(range(1, 10))' 1000 loops, best of 3: 1.86 msec per loop $ ./python -m timeit -s 'l = list(range(1000, 1))' '[(i*2+5) // 7 for i in l]' 1000 loops, best of 3: 1.05 msec per loop With freelist: $ ./python -m timeit 'sum(range(1, 10))' 1000 loops, best of 3: 1.52 msec per loop $ ./python -m timeit -s 'l = list(range(1000, 1))' '[(i*2+5) // 7 for i in l]' 1000 loops, best of 3: 931 usec per loop -- keywords: +patch Added file: http://bugs.python.org/file39245/pylong_freelist.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24076 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24095] Use after free during json encoding a dict (2)
New submission from paul: # Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfaf96ec, dct=D at remote 0x405c8af4, indent_level=0) # at /home/p/Python-3.4.1/Modules/_json.c:1540 # 1540items = PyMapping_Keys(dct); # (gdb) print *items # $1 = {_ob_next = 0x4059029c, _ob_prev = 0x405c8ab4, ob_refcnt = 1, ob_type = 0x830f1a0 PyLong_Type} # (gdb) n # 1541if (items == NULL) # (gdb) n # 1543if (!PyList_Check(items)) { # (gdb) n # 1547if (PyList_Sort(items) 0) # (gdb) n # 1549nitems = PyList_GET_SIZE(items); # (gdb) n # 1550for (i = 0; i nitems; i++) { # (gdb) n # 1552key = PyList_GET_ITEM(items, i); # (gdb) n # 1553value = PyDict_GetItem(dct, key); # (gdb) n # 1554item = PyTuple_Pack(2, key, value); # (gdb) print *key # $2 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb} # (gdb) n # # Program received signal SIGSEGV, Segmentation fault. # 0x08104047 in PyTuple_Pack (n=2) at Objects/tupleobject.c:216 # 216 Py_INCREF(o); # # We circumvent use after free bug in PyType_IsSubtype (poc_enc_dict1.py) by # returning -1 from the __hash__() method. This way PyDict_GetItem bails # quickly, without triggering the problematic code. # PyTuple_Pack handles a stale key pointer and crashes. Use after free. -- files: poc_enc_dict2.py messages: 242309 nosy: pkt priority: normal severity: normal status: open title: Use after free during json encoding a dict (2) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39244/poc_enc_dict2.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24095 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24098] Multiple use after frees in obj2ast_* methods
New submission from paul: # 3617for (i = 0; i len; i++) { # (gdb) print *(PyListObject*)tmp # $1 = {ob_base = {ob_base = {_ob_next = 0x4056f8f4, _ob_prev = 0x4057329c, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 1337}, ob_item = 0x8491ae0, allocated = 1432} # (gdb) n # 3619res = obj2ast_stmt(PyList_GET_ITEM(tmp, i), value, arena); # (gdb) n # 3620if (res != 0) goto failed; # (gdb) print *(PyListObject*)tmp # $2 = {ob_base = {ob_base = {_ob_next = 0x4056f8f4, _ob_prev = 0x4057329c, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 1}, ob_item = 0x8491ae0, allocated = 4} # (gdb) c # Continuing. # # Program received signal SIGSEGV, Segmentation fault. # 0x080f2c17 in PyObject_GetAttr (v=unknown at remote 0x405733b4, name='lineno') at Objects/object.c:872 # 872 if (tp-tp_getattro != NULL) # # Objects freed in __getattr__ are used later in the loop above. There are two # bugs actually. One is the use-after-free and the second is using a stale size # variable len to control the for(...) loop. body can be mutated inside # obj2ast_stmt. This construct: for (i = 0; i len; i++) { stmt_ty value; res = obj2ast_stmt(PyList_GET_ITEM(tmp, i), value, arena); if (res != 0) goto failed; asdl_seq_SET(body, i, value); } is repeated multiple times in multiple obj2ast_ methods. It contains two bugs: 1. tmp[i] isn't protected from deletion inside python code (refcnt is not increased by GET_ITEM), 2. tmp's length can drop below len resulting in an OOB read, because the loop counter is static. -- files: poc_obj2mod.py messages: 242315 nosy: pkt priority: normal severity: normal status: open title: Multiple use after frees in obj2ast_* methods type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39249/poc_obj2mod.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24098 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free in get_filter
Christian Heimes added the comment: In 3.5 the segfault occurs at #0 0x7073e55e in encoder_listencode_dict (s=s@entry=0x709aa988, acc=acc@entry=0x7fffcf20, dct=dct@entry=D at remote 0x7094b958, indent_level=indent_level@entry=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1686 #1 0x7073ee85 in encoder_listencode_obj (s=s@entry=0x709aa988, acc=acc@entry=0x7fffcf20, obj=D at remote 0x7094b958, indent_level=0) at /home/heimes/dev/python/cpython/Modules/_json.c:1561 #2 0x7073f392 in encoder_call (self=_json.Encoder at remote 0x709aa988, args=(D at remote 0x7094b958, 0), kwds=0x0) at /home/heimes/dev/python/cpython/Modules/_json.c:1386 #3 0x0044edf8 in PyObject_Call (func=func@entry=_json.Encoder at remote 0x709aa988, arg=arg@entry=(D at remote 0x7094b958, 0), kw=kw@entry=0x0) at Objects/abstract.c:2147 #4 0x0052be56 in do_call (func=func@entry=_json.Encoder at remote 0x709aa988, pp_stack=pp_stack@entry=0x7fffd098, na=na@entry=2, nk=nk@entry=0) at Python/ceval.c:4515 #5 0x0053663c in call_function (pp_stack=pp_stack@entry=0x7fffd098, oparg=oparg@entry=2) at Python/ceval.c:4311 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24099] Use after free in siftdown (1)
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24099 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24098] Multiple use after frees in obj2ast_* methods
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24098 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24092] Use after free in Element.extend (2)
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24092 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24101] Use after free in siftup
New submission from paul: # Breakpoint 1, _siftup (heap=0x4056b344, pos=65534) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:121 # warning: Source file is more recent than executable. # 121 Py_DECREF(PyList_GET_ITEM(heap, pos)); # (gdb) print *heap-ob_item[pos] # $1 = {_ob_next = 0x41812058, _ob_prev = 0x831159c refchain, ob_refcnt = 1, ob_type = 0x4058fd1c} # (gdb) n # 122 PyList_SET_ITEM(heap, pos, newitem); # (gdb) print *heap-ob_item[pos] # Cannot access memory at address 0x3fff8 # (gdb) print *heap # $2 = {ob_base = {ob_base = {_ob_next = 0x4059c0b4, _ob_prev = 0x405903b4, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 0}, ob_item = 0x0, allocated = 0} # (gdb) n # # Program received signal SIGSEGV, Segmentation fault. # 0x4002f150 in _siftup (heap=0x4056b344, pos=65534) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:122 # 122 PyList_SET_ITEM(heap, pos, newitem); -- files: poc_siftup.py messages: 242318 nosy: pkt priority: normal severity: normal status: open title: Use after free in siftup type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39252/poc_siftup.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24101 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24098] Multiple use after frees in obj2ast_* methods
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24098 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24097] Use after free in PyObject_GetState
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24097 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24099] Use after free in siftdown (1)
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24099 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free in get_filter
Changes by paul paw...@gmail.com: Removed file: http://bugs.python.org/file39246/poc_enc_dict3.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Anthony Sottile added the comment: I'm still seeing a very large difference: asottile@work:/tmp$ python repro.py ready module 'city_hoods' from '/tmp/city_hoods.pyc' 72604 VmHWM: 72604 kB VmRSS: 60900 kB asottile@work:/tmp$ rm *.pyc; python repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 1077232 VmHWM: 1077232 kB VmRSS:218040 kB This file is significantly larger than the one attached, not sure if it makes much of a difference. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24092] Use after free in Element.extend (2)
New submission from paul: # Program received signal SIGSEGV, Segmentation fault. # 0x4063cf19 in element_extend (self=0x405ddf74, args=([],)) at /home/p/Python-3.4.1/Modules/_elementtree.c:1056 # 1056PyObject* element = PySequence_Fast_GET_ITEM(seq, i); # (gdb) print i # $3 = 1337 # (gdb) print *(PyListObject*)seq # $4 = {ob_base = {ob_base = {_ob_next = 0x406373ec, _ob_prev = 0x405ddf74, ob_refcnt = 3, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 0}, ob_item = 0x0, allocated = 0} # # Controlled read (resulting from a use after free). seq is cleared in a custom # destructor (Y.__del__()). # -- files: poc_elt_extend2.py messages: 242306 nosy: pkt priority: normal severity: normal status: open title: Use after free in Element.extend (2) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39241/poc_elt_extend2.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24092 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24104] Use after free in xmlparser_setevents (2)
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24104 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24099] Use after free in siftdown (1)
New submission from paul: # _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos) # ... # newitem = PyList_GET_ITEM(heap, pos); # Py_INCREF(newitem); # /* Follow the path to the root, moving parents down until finding #a place newitem fits. */ # while (pos startpos){ # parentpos = (pos - 1) 1; # 1 parent = PyList_GET_ITEM(heap, parentpos); # 2 cmp = PyObject_RichCompareBool(newitem, parent, Py_LT); # if (cmp == -1) { # Py_DECREF(newitem); # return -1; # } # 3 if (size != PyList_GET_SIZE(heap)) { # Py_DECREF(newitem); # PyErr_SetString(PyExc_RuntimeError, # list changed size during iteration); # return -1; # } # if (cmp == 0) # break; # 4 Py_INCREF(parent); # ... # # 1. parent isn't protected (refcnt==1) # 2. custom compare function deletes all objects in heap and repopulates it with #fresh instances. parent is freed # 3. check is ineffective. Heap was mutated while preserving its size # 4. use after free. Crash will manifest itself later. -- files: poc_siftdown1.py messages: 242316 nosy: pkt priority: normal severity: normal status: open title: Use after free in siftdown (1) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39250/poc_siftdown1.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24099 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24103] Use after free in xmlparser_setevents (1)
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24103 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24017] Implemenation of the PEP 492 - Coroutines with async and await syntax
Guido van Rossum added the comment: I think we can continue this discussion *after* the PEP's been accepted. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24017 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24092] Use after free in Element.extend (2)
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24092 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24104] Use after free in xmlparser_setevents (2)
New submission from paul: # Program received signal SIGSEGV, Segmentation fault. # 0x4068565c in xmlparser_setevents (self=0x4064b13c, args=([], [S2 at remote 0x4064b0e4])) # at /home/p/Python-3.4.1/Modules/_elementtree.c:3562 # 3562if (PyUnicode_Check(event_name_obj)) { # (gdb) print *event_name_obj # $6 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb} # # # event_name_obj is deleted inside a custom destructor. Use after free. -- files: poc_xml_setevents2.py messages: 242321 nosy: pkt priority: normal severity: normal status: open title: Use after free in xmlparser_setevents (2) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39255/poc_xml_setevents2.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24104 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Antoine Pitrou added the comment: Which Python version is that? Can you try with 3.4 or 3.5? (is it under GNU/Linux?) This file is significantly larger than the one attached, not sure if it makes much of a difference. Python doesn't make a difference internally, but perhaps it has some impact on your OS' memory management. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Antoine Pitrou added the comment: Is there any chance you can upload a script that's large enough to exhibit the problem? (perhaps with anonymized data if there's something sensitive in there) -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24091] Use after free in Element.extend (1)
New submission from paul: # 1055for (i = 0; i seqlen; i++) { # (gdb) n # 1056PyObject* element = PySequence_Fast_GET_ITEM(seq, i); # (gdb) n # 1057if (!PyObject_IsInstance(element, (PyObject *)Element_Type)) { # (gdb) print *element # $19 = {_ob_next = 0x4060e6fc, _ob_prev = 0x4056cd8c, ob_refcnt = 1, ob_type = 0x406de3e4} # (gdb) n # 1066if (element_add_subelement(self, element) 0) { # (gdb) print *element # $20 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb} # # Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:267 object at 0x4056c4cc has negative ref count -606348326 # # element is removed in __getattribute__ method. -- files: poc_elt_extend1.py messages: 242305 nosy: pkt priority: normal severity: normal status: open title: Use after free in Element.extend (1) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39240/poc_elt_extend1.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24091 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24097] Use after free in PyObject_GetState
New submission from paul: # Program received signal SIGSEGV, Segmentation fault. # 0x080f27b2 in PyObject_Hash (v=unknown at remote 0x405720e4) at Objects/object.c:746 # 746 if (tp-tp_hash != NULL) # (gdb) bt # #0 0x080f27b2 in PyObject_Hash (v=unknown at remote 0x405720e4) at Objects/object.c:746 # #1 0x080e1717 in PyDict_SetItem (op={}, key=unknown at remote 0x405720e4, value=None) at Objects/dictobject.c:1201 # #2 0x0810e8a0 in _PyObject_GetState (obj=Y at remote 0x405731bc) at Objects/typeobject.c:3657 # #3 0x081100e9 in reduce_2 (obj=Y at remote 0x405731bc) at Objects/typeobject.c:3949 # #4 0x08110551 in _common_reduce (self=Y at remote 0x405731bc, proto=2) at Objects/typeobject.c:4012 # #5 0x08110641 in object_reduce (self=Y at remote 0x405731bc, args=(2,)) at Objects/typeobject.c:4032 # # (gdb) frame 2 # #2 0x0810e8a0 in _PyObject_GetState (obj=Y at remote 0x405731bc) at Objects/typeobject.c:3657 # 3657int err = PyDict_SetItem(slots, name, value); # (gdb) print *name # $1 = {_ob_next = 0xdbdbdbdb, _ob_prev = 0xdbdbdbdb, ob_refcnt = -606348325, ob_type = 0xdbdbdbdb} # # name is freed inside __getattr__ and is later used by PyDict_SetItem. -- files: poc_getstate.py messages: 242313 nosy: pkt priority: normal severity: normal status: open title: Use after free in PyObject_GetState type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39248/poc_getstate.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24097 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24091] Use after free in Element.extend (1)
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24091 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24100] Use after free in siftdown (2)
New submission from paul: # _siftdown(PyListObject *heap, Py_ssize_t startpos, Py_ssize_t pos) # ... # while (pos startpos){ # parentpos = (pos - 1) 1; # parent = PyList_GET_ITEM(heap, parentpos); # 1 cmp = PyObject_RichCompareBool(newitem, parent, Py_LT); # ... # 2 if (size != PyList_GET_SIZE(heap)) { # Py_DECREF(newitem); # PyErr_SetString(PyExc_RuntimeError, # list changed size during iteration); # return -1; # } # if (cmp == 0) # 3 break; # ... # } # 4 Py_DECREF(PyList_GET_ITEM(heap, pos)); # 5 PyList_SET_ITEM(heap, pos, newitem); # # 1. custom compare function replaces object at index pos with a fresh #instance with refcnt==1 # 2. check is ineffective, since mutation was done without altering size # 3. break out of the loop # 4. refcnt drops to 0 and __del__ method is called. Destructed clears the heap # 5. SET_ITEM doesn't do any bounds checking and does a wild write. # # pos is under our control and is restricted only by the amount of free # memory. pos==X requires heap of size X-1. # # gX global var is necessary. Without it, python crashes in debug checks inside # Py_ForgetReference. Seems like clearing L puts objects in a bad state. # # GDB # --- # Program received signal SIGSEGV, Segmentation fault. # 0x4002ed73 in _siftdown (heap=0x4058edfc, startpos=0, pos=112233) at /home/p/Python-3.4.1/Modules/_heapqmodule.c:58 # 58 PyList_SET_ITEM(heap, pos, newitem); # (gdb) print *heap # $1 = {ob_base = {ob_base = {_ob_next = 0x405913f4, _ob_prev = 0x4058ee6c, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 0}, ob_item = 0x0, allocated = 0} # (gdb) print pos # $2 = 112233 -- files: poc_siftdown2.py messages: 242317 nosy: pkt priority: normal severity: normal status: open title: Use after free in siftdown (2) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39251/poc_siftdown2.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24100 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24093] Use after free in Element.remove
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24093 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24094] Use after free during json encoding (PyType_IsSubtype)
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24094 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24095] Use after free during json encoding a dict (2)
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24095 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Antoine Pitrou added the comment: Note under 3.x, you need to rm -r __pycache__, not rm *.pyc, since the pyc files are now stored in the __pycache__ subdirectory. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Anthony Sottile added the comment: Ah, then 3.4 still has the problem: $ rm -rf __pycache__/ *.pyc; python3.4 repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 1112892 VmHWM: 1112892 kB VmRSS:127196 kB asottile@work:/tmp$ python3.4 repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 77468 VmHWM: 77468 kB VmRSS: 65228 kB -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Anthony Sottile added the comment: Attached is repro2.py (slightly different so my editor doesn't hate itself when editing the file) I'll attach the other file in another comment since it seems I can only do one at a time -- Added file: http://bugs.python.org/file39257/repro2.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free during json encoding a dict (3)
New submission from paul: # Program received signal SIGSEGV, Segmentation fault. # 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=D at remote 0x405b2fb4, indent_level=0) # at /home/p/Python-3.4.1/Modules/_json.c:1557 # 1557PyList_SET_ITEM(items, i, item); # (gdb) print *(PyListObject*)items # $1 = {ob_base = {ob_base = {_ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 0}, ob_item = 0x0, allocated = 0} # (gdb) print i # $2 = 112233 # # items was cleared in __hash__, so we get a wild write at a controlled address. -- files: poc_enc_dict3.py messages: 242311 nosy: pkt priority: normal severity: normal status: open title: Use after free during json encoding a dict (3) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39246/poc_enc_dict3.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24101] Use after free in siftup
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24101 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24105] Use after free during json encoding a dict (3)
New submission from paul: # Program received signal SIGSEGV, Segmentation fault. # 0x40036740 in encoder_listencode_dict (s=0x405b43fc, acc=0xbf86438c, dct=D at remote 0x405b2fb4, indent_level=0) # at /home/p/Python-3.4.1/Modules/_json.c:1557 # 1557PyList_SET_ITEM(items, i, item); # (gdb) print *(PyListObject*)items # $1 = {ob_base = {ob_base = {_ob_next = 0x405bcab4, _ob_prev = 0x40591184, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 0}, ob_item = 0x0, allocated = 0} # (gdb) print i # $2 = 112233 # # items was cleared in __hash__, so we get a wild write at a controlled address. -- files: poc_enc_dict3.py messages: 242322 nosy: pkt priority: normal severity: normal status: open title: Use after free during json encoding a dict (3) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39256/poc_enc_dict3.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24105 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Anthony Sottile added the comment: 3.4 seems happier: asottile@work:/tmp$ rm *.pyc; python3.4 repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 77472 VmHWM: 77472 kB VmRSS: 65228 kB asottile@work:/tmp$ python3.4 repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 77472 VmHWM: 77472 kB VmRSS: 65232 kB The nasty result above is from 2.7: $ python Python 2.7.6 (default, Mar 22 2014, 22:59:56) [GCC 4.8.2] on linux2 3.3 also seems to have the same exaggerated problem: $ rm *.pyc -f; python3.3 repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 1112996 VmHWM: 1112996 kB VmRSS:133468 kB asottile@work:/tmp$ python3.3 repro.py ready module 'city_hoods' from '/tmp/city_hoods.py' 81392 VmHWM: 81392 kB VmRSS: 69304 kB $ python3.3 Python 3.3.6 (default, Jan 28 2015, 17:27:09) [GCC 4.8.2] on linux So seems the leaky behaviour was fixed at some point, any ideas of what change fixed it and is there a possibility of backporting it to 2.7? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24094] Use after free during json encoding (PyType_IsSubtype)
New submission from paul: # Breakpoint 1, encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=D at remote 0x405c8b34, indent_level=0) # at /home/p/Python-3.4.1/Modules/_json.c:1540 # 1540items = PyMapping_Keys(dct); # (gdb) n # 1541if (items == NULL) # (gdb) print *items # $1 = {_ob_next = 0x405c8af4, _ob_prev = 0x4059006c, ob_refcnt = 2, ob_type = 0x830e1c0 PyList_Type} # (gdb) n # 1543if (!PyList_Check(items)) { # (gdb) n # 1547if (PyList_Sort(items) 0) # (gdb) n # 1549nitems = PyList_GET_SIZE(items); # (gdb) n # 1550for (i = 0; i nitems; i++) { # (gdb) print nitems # $2 = 1122 # (gdb) n # 1552key = PyList_GET_ITEM(items, i); # (gdb) n # 1553value = PyDict_GetItem(dct, key); # (gdb) print *key # $3 = {_ob_next = 0x4058eedc, _ob_prev = 0x40590d1c, ob_refcnt = 1, ob_type = 0x405afd1c} # (gdb) n # # Program received signal SIGSEGV, Segmentation fault. # 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 PyLong_Type) at Objects/typeobject.c:1292 # 1292mro = a-tp_mro; # (gdb) bt # #0 0x08108825 in PyType_IsSubtype (a=0xdbdbdbdb, b=0x830f1a0 PyLong_Type) at Objects/typeobject.c:1292 # #1 0x080f22d6 in do_richcompare (v=1337, w=unknown at remote 0x4059006c, op=2) at Objects/object.c:643 # #2 0x080f263d in PyObject_RichCompare (v=1337, w=unknown at remote 0x4059006c, op=2) at Objects/object.c:701 # #3 0x080f26ce in PyObject_RichCompareBool (v=1337, w=unknown at remote 0x4059006c, op=2) at Objects/object.c:723 # #4 0x080df7b5 in lookdict (mp=0x405c8b34, key=unknown at remote 0x4059006c, hash=1337, value_addr=0xbfc40200) # at Objects/dictobject.c:485 # #5 0x080e145d in PyDict_GetItem (op=D at remote 0x405c8b34, key=unknown at remote 0x4059006c) at Objects/dictobject.c:1095 # #6 0x405bf6f9 in encoder_listencode_dict (s=0x405b23fc, acc=0xbfc4038c, dct=D at remote 0x405c8b34, indent_level=0) # # Deleting the object in __hash__() method triggers an use after free in PyType_IsSubtype. -- files: poc_enc_dict1.py messages: 242308 nosy: pkt priority: normal severity: normal status: open title: Use after free during json encoding (PyType_IsSubtype) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39243/poc_enc_dict1.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24094 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free in get_filter
Changes by Christian Heimes li...@cheimes.de: -- components: +Extension Modules nosy: +christian.heimes stage: - needs patch versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24102] Multiple type confusions in unicode error handlers
New submission from paul: # Breakpoint 1, PyUnicodeEncodeError_GetEnd (exc=X at remote 0x405730e4, end=0xbf9e8f7c) at Objects/exceptions.c:1643 # 1643PyObject *obj = get_unicode(((PyUnicodeErrorObject *)exc)-object, # (gdb) s # get_unicode (attr=unknown at remote 0x8c6a120, name=0x82765ea object) at Objects/exceptions.c:1516 # 1516if (!attr) { # (gdb) print *attr # $4 = {_ob_next = 0xfefefefe, _ob_prev = 0xfefefefe, ob_refcnt = -16843010, ob_type = 0xfefefefe} # (gdb) c # Continuing. # # Program received signal SIGSEGV, Segmentation fault. # 0x080bc7d9 in get_unicode (attr=unknown at remote 0x8cbe250, name=0x82765ea object) at Objects/exceptions.c:1521 # 1521if (!PyUnicode_Check(attr)) { # # Type confusion. IsInstance check is ineffective because of custom # __getattribute__ method. Contents of string instance is interpreted as # an exception object. -- files: poc_unicode_errors.py messages: 242319 nosy: pkt priority: normal severity: normal status: open title: Multiple type confusions in unicode error handlers type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39253/poc_unicode_errors.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24102 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24103] Use after free in xmlparser_setevents (1)
New submission from paul: # xmlparser_setevents(XMLParserObject *self, PyObject* args) # { # ... # /* clear out existing events */ # Py_CLEAR(target-start_event_obj); # 1 Py_CLEAR(target-end_event_obj); # Py_CLEAR(target-start_ns_event_obj); # Py_CLEAR(target-end_ns_event_obj); # # ... # # seqlen = PySequence_Size(events_seq); # for (i = 0; i seqlen; ++i) { # 3 PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i); # ... # # if (event_name == NULL) { # ... # return NULL; # } else if (strcmp(event_name, start) == 0) { # ... # } else if (strcmp(event_name, end) == 0) { # Py_INCREF(event_name_obj); # 2 Py_XDECREF(target-end_event_obj); # target-end_event_obj = event_name_obj; # } # ... # } # ... # } # # This one leverages nested _setevents invocations. First invocation sets # target-end_event_obj to S1 instance. On seconds invocation, # target-end_event_obj has refcnt==1, so DECREF at line 1 triggers S1.__del__(). # Destructor invokes _setevents again and sets target-end_event_obj to a S3 # instance (with refcnt==1). After we return from nested call at line 1, # execution continues until it hits an end element. At line 2 S3.__del__() is # called and it deallocates events_seq. This triggers a controlled OOB (we can # call it a use after free too) read at line 3. We can control a PyObject pointer. # # Program received signal SIGSEGV, Segmentation fault. # 0x4068563b in xmlparser_setevents (self=0x40669e4c, args=([], [])) at /home/p/Python-3.4.1/Modules/_elementtree.c:3560 # 3560PyObject *event_name_obj = PySequence_Fast_GET_ITEM(events_seq, i); # (gdb) print i # $1 = 1337 # (gdb) print *(PyListObject*)events_seq # $2 = {ob_base = {ob_base = {_ob_next = 0x40669df4, _ob_prev = 0x4055f814, ob_refcnt = 3, ob_type = 0x830e1c0 PyList_Type}, # ob_size = 0}, ob_item = 0x0, allocated = 0} # -- files: poc_xml_setevents1.py messages: 242320 nosy: pkt priority: normal severity: normal status: open title: Use after free in xmlparser_setevents (1) type: crash versions: Python 3.4 Added file: http://bugs.python.org/file39254/poc_xml_setevents1.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24103 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free in get_filter
paul added the comment: Issue for poc_enc_dict3.py is here: https://bugs.python.org/issue24105 Please ignore first and third message. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24096] Use after free in get_filter
Christian Heimes added the comment: Thanks Paul! May I ask how you found that many use-after-free bugs? Are you using some sort of tool for static code analysis or fuzzying? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24096 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Changes by Anthony Sottile asott...@yelp.com: Added file: http://bugs.python.org/file39259/anon_city_hoods.tar.gz ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24105] Use after free during json encoding a dict (3)
paul added the comment: You want multiple bugs in the same module grouped in one issue? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24105 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24105] Use after free during json encoding a dict (3)
Serhiy Storchaka added the comment: Yes, if they are related. I didn't look at the code close, but at first glance all your recently opened issues look related (may be I wrong). -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24105 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24076] sum() several times slower on Python 3
Stefan Behnel added the comment: I don't think it's irrelevant. Throw-away integers are really not uncommon. For-loops use them quite often, non-trivial arithmetic expressions can create a lot of intermediate temporaries. Speeding up the create-delete cycle of PyLong sounds like a very obvious thing to do. Imagine some code that iterates over a list of integers, applies some calculation to them, and then stores them in a new list, maybe even using a list comprehension or so. If you could speed up the intermediate calculation by avoiding overhead in creating temporary PyLong objects, such code could benefit a lot. I suspect that adding a free-list for single-digit PyLong objects (the most common case) would provide some visible benefit. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24076 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue23572] functools.singledispatch fails when not BaseClass is True
Changes by Paul Moore p.f.mo...@gmail.com: -- nosy: +paul.moore ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue23572 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24078] inspect.getsourcelines ignores context and returns wrong line #
Changes by James Edwards jh...@jheiv.com: -- nosy: +pitrou, yselivanov ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24078 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24107] Add support for retrieving the certificate chain
Christian Heimes added the comment: I have an experimental branch that adds the feature and also exposes the subject public key information. https://github.com/tiran/cpython/tree/feature/x509cert -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24107 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24106] Messed up indentation makes undesired piece of code being run!
New submission from jentyk: In [14]: for i in xrange(10): : if 1==1: : print It's true : else: : print It isn't true. Seriously?? : It's true It's true It's true It's true It's true It's true It's true It's true It's true It's true It isn't true. Seriously?? Is the behaviour intentional? I do not think so... -- components: Interpreter Core messages: 242336 nosy: jentyk priority: normal severity: normal status: open title: Messed up indentation makes undesired piece of code being run! type: behavior versions: Python 2.7 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24106 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24100] Use after free in siftdown (2)
Changes by Raymond Hettinger raymond.hettin...@gmail.com: -- assignee: - rhettinger nosy: +rhettinger ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24100 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24064] Make the property doctstring writeable
Serhiy Storchaka added the comment: If make docstrings writable, it would be good to ensure that they exactly are strings. And if make the property doctstring writable, may be make other docstrings writable? It may be useful for setting the same docstring for Python implementation and C accelerator. -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24064 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24078] inspect.getsourcelines ignores context and returns wrong line #
James Edwards added the comment: Added Yury (inspect module) and Antoine (PEP 3155) to nosy -- apologies if you're not interested. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24078 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Antoine Pitrou added the comment: Ok, I can reproduce: $ rm -r __pycache__/; ./python repro2.py ready module 'anon_city_hoods' from '/home/antoine/cpython/opt/anon_city_hoods.py' 1047656 VmHWM: 1047656 kB VmRSS: 50660 kB $ ./python repro2.py ready module 'anon_city_hoods' from '/home/antoine/cpython/opt/anon_city_hoods.py' 77480 VmHWM: 77480 kB VmRSS: 15664 kB My guess is that memory fragmentation prevents the RSS mark to drop any further, though one cannot rule out the possibility of an actual memory leak. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24085] large memory overhead when pyc is recompiled
Changes by Geoffrey Spear geoffsp...@gmail.com: -- components: +Interpreter Core nosy: +geoffreyspear type: - resource usage versions: +Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24085 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24064] Make the property doctstring writeable
Changes by Chris Rebert pyb...@rebertia.com: -- nosy: +cvrebert ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24064 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24099] Use after free in siftdown (1)
Changes by Raymond Hettinger raymond.hettin...@gmail.com: -- assignee: - rhettinger nosy: +rhettinger ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24099 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue24078] inspect.getsourcelines ignores context and returns wrong line #
James Edwards added the comment: Inspect could probably be updated to use 3.3's __qualname__ in the case of classes-in-classes; classes-in-functions or functions-in-functions would likely be harder, but I'm not sure it's impossible. -- nosy: +jedwards ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24078 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com