[issue31764] sqlite3.Cursor.close() crashes in case the Cursor object is uninitialized
Oren Milman <ore...@gmail.com> added the comment: I opened #4333 for 2.7, but it is quite straightforward.. Am i missing something? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31764> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31764] sqlite3.Cursor.close() crashes in case the Cursor object is uninitialized
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +4288 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31764> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31486] calling a _json.Encoder object raises a SystemError in case obj.items() returned a tuple
Oren Milman <ore...@gmail.com> added the comment: ISTM that PR 3840 resolved this issue (as part of bpo-28280). -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31486> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31758] various refleaks in _elementtree, and crashes when using an uninitialized XMLParser object
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3972 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31758> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31758] various refleaks in _elementtree, and crashes when using an uninitialized XMLParser object
Oren Milman <ore...@gmail.com> added the comment: According to Serhiy's advice (https://bugs.python.org/issue31455#msg304338), this issue now also includes some crashes in _elementtree: The following code crashes: import _elementtree parser = _elementtree.XMLParser.__new__(_elementtree.XMLParser) parser.close() This is because _elementtree_XMLParser_close_impl() assumes that the XMLParser object is initialized, and so it passes `self` to expat_parse(), which assumes that `self->parser` is valid, and crashes. Similarly, calling feed(), _parse_whole() or _setevents(), or reading the `entity` or `target` attribute of an uninitialized XMLParser object would result in a crash. ISTM that PR 3956 is more complex, and already not so small, so i would soon open another PR to fix these crashes. -- title: various refleaks in _elementtree -> various refleaks in _elementtree, and crashes when using an uninitialized XMLParser object type: resource usage -> crash ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31758> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31787] various refleaks when calling the __init__() method of an object more than once
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3971 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31787> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31787] various refleaks when calling the __init__() method of an object more than once
New submission from Oren Milman <ore...@gmail.com>:
Various __init__() methods don't decref (if needed) before assigning to fields
of the object's struct (i.e. assigning to `self->some_field`):
- _asyncio_Task___init___impl() (in Modules/_asynciomodule.c)
- _lzma_LZMADecompressor___init___impl() (in Modules/_lzmamodule.c)
- _bz2_BZ2Decompressor___init___impl() (in Modules/_bz2module.c)
- EVP_tp_init() (in Modules/_hashopenssl.c)
- property_init_impl() (in Objects/descrobject.c)
- cm_init() (in Objects/funcobject.c)
- sm_init() (in Objects/funcobject.c)
For example, _asyncio_Task___init___impl() does `self->task_coro = coro;`
instead of `Py_XSETREF(self->task_coro, coro);`.
Thus, the following code would result in at least one refleak:
import _asyncio
task = _asyncio.Task('foo')
task.__init__('foo')
I would open a PR to fix this soon.
--
components: Extension Modules
messages: 304389
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: various refleaks when calling the __init__() method of an object more
than once
type: resource usage
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31787>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31781] crashes when calling methods of an uninitialized zipimport.zipimporter object
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3962 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31781> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31781] crashes when calling methods of an uninitialized zipimport.zipimporter object
New submission from Oren Milman <ore...@gmail.com>:
The following code crashes:
import zipimport
zi = zipimport.zipimporter.__new__(zipimport.zipimporter)
zi.find_module('foo')
This is because get_module_info() (in Modules/zipimport.c) assumes that the
zipimporter object is initialized, so it assumes that `self->prefix` is not
NULL, and passes it to make_filename(), which crashes.
get_module_code() makes the same assumption, and
zipimport_zipimporter_get_data_impl()
assumes that `self->archive` is not NULL, and passes it to
PyUnicode_GET_LENGTH(),
which crashes.
Thus, every method of an uninitialized zipimporter object might crash.
I would open a PR to fix this soon.
--
components: Extension Modules
messages: 304346
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: crashes when calling methods of an uninitialized zipimport.zipimporter
object
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31781>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31779] assertion failures and a crash when using an uninitialized struct.Struct object
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3960 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31779> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31779] assertion failures and a crash when using an uninitialized struct.Struct object
New submission from Oren Milman <ore...@gmail.com>: The following code causes an assertion failure: import _struct struct_obj = _struct.Struct.__new__(_struct.Struct) struct_obj.iter_unpack(b'foo') This is because Struct_iter_unpack() (in Modules/_struct.c) assumes that Struct.__init__() was called, and so it does `assert(self->s_codes != NULL);`. The same happens in (almost) every method of Struct, and in s_get_format(), so in all them, too, we would get an assertion failure in case of an uninitialized Struct object. The exception is __sizeof__(), which doesn't have an `assert`, and simply crashes while trying to iterate over `self->s_codes`. I would open a PR to fix this soon. -- components: Extension Modules messages: 304328 nosy: Oren Milman priority: normal severity: normal status: open title: assertion failures and a crash when using an uninitialized struct.Struct object type: crash versions: Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31779> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31455] ElementTree.XMLParser() mishandles exceptions
Oren Milman <ore...@gmail.com> added the comment: Serhiy, in addition to the problems you mentioned with not calling __init__(), it seems that calling every method of an uninitialized XMLParser object would crash. If you don't mind, i would be happy to open an issue to fix these crashes. -- nosy: +Oren Milman ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31455> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31758] various refleaks in _elementtree
Oren Milman <ore...@gmail.com> added the comment: Shame on me. I only now found out that Serhiy already mentioned most of the refleaks in https://bugs.python.org/issue31455#msg302103. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31758> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31770] crash and refleaks when calling sqlite3.Cursor.__init__() more than once
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3946 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31770> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31770] crash and refleaks when calling sqlite3.Cursor.__init__() more than once
New submission from Oren Milman <ore...@gmail.com>:
The following code crashes:
import sqlite3
import weakref
def callback(*args):
pass
connection = sqlite3.connect(":memory:")
cursor = sqlite3.Cursor(connection)
ref = weakref.ref(cursor, callback)
cursor.__init__(connection)
del cursor
del ref
IIUC, this is because pysqlite_cursor_init() (in Modules/_sqlite/cursor.c) sets
`self->in_weakreflist` to NULL, and thus corrupts the weakref list. Later,
clear_weakref() (in Objects/weakrefobject.c) tries to remove a reference from
the corrupted list, and crashes.
In every other place (that i saw) where such a weakreflist field is used, it is
set to NULL right after allocating the object (usually in __new__()), or just
not set at all, e.g. in `functools.partial`.
So since PyType_GenericNew() is the __new__() of sqlite3.Cursor, ISTM that the
simplest solution is to not touch `self->in_weakreflist` at all in
pysqlite_cursor_init().
Also, the following code results in refleaks:
import sys
import sqlite3
connection = sqlite3.connect(":memory:")
cursor = sqlite3.Cursor(connection)
refcount_before = sys.gettotalrefcount()
cursor.__init__(connection)
print(sys.gettotalrefcount() - refcount_before) # should be close to 0
This is because pysqlite_cursor_init() doesn't decref before assigning to
fields of `self`.
I would open a PR to fix this soon.
--
components: Extension Modules
messages: 304220
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: crash and refleaks when calling sqlite3.Cursor.__init__() more than once
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31770>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31764] sqlite3.Cursor.close() crashes in case the Cursor object is uninitialized
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3934 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31764> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31764] sqlite3.Cursor.close() crashes in case the Cursor object is uninitialized
New submission from Oren Milman <ore...@gmail.com>: The following code causes a crash: import sqlite3 cursor = sqlite3.Cursor.__new__(sqlite3.Cursor) cursor.close() this is because pysqlite_cursor_close() (in Modules/_sqlite/cursor.c) assumes that `self->connection` is not NULL, and passes it to pysqlite_check_thread(), which crashes. I would open a PR to fix this soon. -- components: Extension Modules messages: 304172 nosy: Oren Milman priority: normal severity: normal status: open title: sqlite3.Cursor.close() crashes in case the Cursor object is uninitialized type: crash versions: Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31764> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31758] various refleaks in _elementtree
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3931 stage: needs patch -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31758> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31758] various refleaks in _elementtree
New submission from Oren Milman <ore...@gmail.com>:
The following code results in refleaks:
import sys
import _elementtree
builder = _elementtree.TreeBuilder()
parser = _elementtree.XMLParser(target=builder)
refcount_before = sys.gettotalrefcount()
parser.__init__(target=builder)
print(sys.gettotalrefcount() - refcount_before) # should be close to 0
This is because _elementtree_XMLParser___init___impl()
(in Modules/_elementtree.c) doesn't decref before assigning to fields of
`self`.
The following code also results in refleaks:
import sys
import _elementtree
elem = _elementtree.Element(42)
elem.__setstate__({'tag': 42, '_children': list(range(1000))})
refcount_before = sys.gettotalrefcount()
elem.__setstate__({'tag': 42, '_children': []})
print(sys.gettotalrefcount() - refcount_before) # should be close to -1000
This is because element_setstate_from_attributes() doesn't decref the old
children before storing the new children.
I would open a PR to fix this soon.
--
components: XML
messages: 304145
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: various refleaks in _elementtree
type: resource usage
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31758>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31490] assertion failure in ctypes in case an _anonymous_ attr appears outside _fields_
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3927 stage: resolved -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31490> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31271] an assertion failure in io.TextIOWrapper.write
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3926 stage: backport needed -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31271> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31728] crashes in _elementtree due to unsafe decrefs of Element.text and Element.tail
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3925 stage: backport needed -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31728> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31722] _io.IncrementalNewlineDecoder doesn't inherit codecs.IncrementalDecoder
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3918 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31722> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31740] refleaks when calling sqlite3.Connection.__init__() more than once
Oren Milman <ore...@gmail.com> added the comment: (opened bpo-31746 for the crashes i mentioned) -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31740> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31746] crashes in sqlite3.Connection in case it is uninitialized or partially initialized
New submission from Oren Milman <ore...@gmail.com>:
The following code causes a crash:
import sqlite3
connection = sqlite3.Connection.__new__(sqlite3.Connection)
connection.isolation_level
This is because pysqlite_connection_get_isolation_level() doesn't check whether
the Connection object is initialized.
pysqlite_connection_close() also doesn't check that, so we would get a crash
also if we replaced `connection.isolation_level` with `connection.close()`.
pysqlite_connection_set_isolation_level() doesn't crash in case of an
uninitialized Connection object, but it also doesn't raise an error, and IMHO
it should.
The following code causes a crash, too:
import sqlite3
try:
connection = sqlite3.Connection.__new__(sqlite3.Connection)
connection.__init__('', isolation_level='invalid isolation level')
except ValueError:
pass
connection.cursor()
This is because `self->initialized` is set to 1 in the beginning of
pysqlite_connection_init(), so after it fails, we are left with a partially
initialized Connection object whose `self->initialized` is 1. Thus,
pysqlite_connection_cursor() thinks that the Connection object is initialized.
Eventually pysqlite_connection_register_cursor() is called, and it crashes
while trying to append to `connection->cursors`, which is NULL.
--
components: Extension Modules
messages: 304047
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: crashes in sqlite3.Connection in case it is uninitialized or partially
initialized
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31746>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31740] refleaks when calling sqlite3.Connection.__init__() more than once
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3917 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31740> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31728] crashes in _elementtree due to unsafe decrefs of Element.text and Element.tail
Oren Milman <ore...@gmail.com> added the comment:
As serhiy pointed out in a comment in PR 3924, setting self->text or self->tail
to
NULL might lead to an assertion failure, so we should also prevent the following
assertion failure (and the similar one for tail):
import xml.etree.ElementTree
class X:
def __del__(self):
elem.text
elem = xml.etree.ElementTree.Element('elem')
elem.text = X()
elem.__setstate__({'tag': None}) # implicitly also set elem.text to None
--
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31728>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31740] refleaks when calling sqlite3.Connection.__init__() more than once
Oren Milman <ore...@gmail.com> added the comment: Ah, here also there are crashes when calling methods of uninitialized connection objects. Should i fix this as part of this issue, or open another one? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31740> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31740] refleaks when calling sqlite3.Connection.__init__() more than once
New submission from Oren Milman <ore...@gmail.com>:
The following code causes refleaks:
import sqlite3
connection = sqlite3.Connection.__new__(sqlite3.Connection)
connection.__init__('foo')
connection.__init__('foo')
This is because pysqlite_connection_init() (in Modules/_sqlite/connection.c)
doesn't decref (if needed) before assigning to various fields of `self`.
I would open a PR to fix this soon.
--
components: Extension Modules
messages: 303997
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: refleaks when calling sqlite3.Connection.__init__() more than once
type: resource usage
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31740>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31734] crash or SystemError in sqlite3.Cache in case it is uninitialized or partially initialized
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3912 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31734> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31723] refleaks in zipimport when calling zipimporter.__init__() more than once
Oren Milman <ore...@gmail.com> added the comment: Yes, i am going manually over the code to find similar stuff to #31718, and i afraid i found quite a few, and still working on it.. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31723> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31734] crash or SystemError in sqlite3.Cache in case it is uninitialized or partially initialized
Oren Milman <ore...@gmail.com> added the comment: Also, the following code results in a memory leak: import sqlite3 cache = sqlite3.Cache.__new__(sqlite3.Cache) This is because pysqlite_cache_dealloc() just returns in case of an uninitialized Cache object. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31734> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31734] crash or SystemError in sqlite3.Cache in case it is uninitialized or partially initialized
New submission from Oren Milman <ore...@gmail.com>:
The following code causes a crash:
import sqlite3
cache = sqlite3.Cache.__new__(sqlite3.Cache)
cache.get(None)
This is because pysqlite_cache_get() (in Modules/_sqlite/cache.c) assumes that
the Cache object is initialized, and so it passes self->mapping to
PyDict_GetItem(), which assumes it is not NULL, and crashes.
Also, the following code causes a SystemError ('null argument to internal
routine'), as well as refleaks in the deallocation of the Cache object:
import sqlite3
cache = sqlite3.Cache(str)
try:
cache.__init__()
except TypeError:
pass
cache.get(None)
This is because pysqlite_cache_init() first sets self->factory to NULL, and
only then parses its arguments, so in case it fails to parse the arguments
(e.g. due to a wrong number of arguments) we are left with a partially
initialized Cache object.
While we are here, we should also fix refleaks that occur when
sqlite3.Cache.__init__() is called more than once.
--
components: Extension Modules
messages: 303958
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: crash or SystemError in sqlite3.Cache in case it is uninitialized or
partially initialized
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31734>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31728] crashes in _elementtree due to unsafe decrefs of Element.text and Element.tail
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3897 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31728> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31728] crashes in _elementtree due to unsafe decrefs of Element.text and Element.tail
New submission from Oren Milman <ore...@gmail.com>:
The following code causes the interpreter to crash:
import xml.etree.ElementTree
class X:
def __del__(self):
elem.clear()
elem = xml.etree.ElementTree.Element('elem')
elem.text = X()
elem.clear()
This is because _elementtree_Element_clear_impl() decrefs self->text in an
unsafe manner.
For the same reason, but for self->tail, a crash would happen if we replaced
'elem.text = X()' with 'elem.tail = X()'.
Similarly, the following code also causes the interpreter to crash:
import xml.etree.ElementTree
class X:
def __del__(self):
elem.clear()
elem = xml.etree.ElementTree.Element('elem')
elem.text = X()
elem.text = X()
This is because element_text_setter() decrefs self->text in an unsafe manner.
element_tail_setter() does the same for self->tail, so again, if we replaced
'elem.text = X()' with 'elem.tail = X()', we would also get a crash.
--
components: XML
messages: 303917
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: crashes in _elementtree due to unsafe decrefs of Element.text and
Element.tail
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31728>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31723] refleaks in zipimport when calling zipimporter.__init__() more than once
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3892 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31723> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31723] refleaks in zipimport when calling zipimporter.__init__() more than once
New submission from Oren Milman <ore...@gmail.com>:
The following code causes refleaks:
import zipimport
zi = zipimport.zipimporter.__new__(zipimport.zipimporter)
zi.__init__('bar.zip')
zi.__init__('bar.zip')
zi.__init__('bar.zip\\foo')
This is because zipimport_zipimporter___init___impl() (in Modules/zipimport.c)
doesn't decref (if needed) before assigning to `self->files`, `self->archive`
and `self->prefix`.
I would open a PR to fix this soon.
Should i add a test to test_zipimport?
If yes, could you point out some similar refcount test to help me write this
test?
--
components: Extension Modules
messages: 303883
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: refleaks in zipimport when calling zipimporter.__init__() more than once
type: resource usage
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31723>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31721] assertion failure in FutureObj_finalize() after setting _log_traceback to True
New submission from Oren Milman <ore...@gmail.com>: The following code causes an assertion failure in FutureObj_finalize() (in Modules/_asynciomodule.c): import asyncio asyncio.Future()._log_traceback = True Maybe we should allow Python code to only set it to False, and raise a ValueError in case Python code tries to set it to True? (PR 2050 made _log_traceback writable. Are there any usecases for setting it to True from Python code?) -- components: asyncio messages: 303878 nosy: Oren Milman, yselivanov priority: normal severity: normal status: open title: assertion failure in FutureObj_finalize() after setting _log_traceback to True type: crash versions: Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31721> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31718] some methods of uninitialized io.IncrementalNewlineDecoder objects raise SystemError
Oren Milman <ore...@gmail.com> added the comment: With regard to refleaks in __init__() methods, i started looking for similar refleaks in the codebase, and hope to open an issue to fix them soon. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31718> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31718] some methods of uninitialized io.IncrementalNewlineDecoder objects raise SystemError
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3886 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31718> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31718] some methods of uninitialized io.IncrementalNewlineDecoder objects raise SystemError
Oren Milman <ore...@gmail.com> added the comment: Yes, although i don't know if there are usecases for that. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31718> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31718] some methods of uninitialized io.IncrementalNewlineDecoder objects raise SystemError
New submission from Oren Milman <ore...@gmail.com>:
Given an uninitialized IncrementalNewlineDecoder:
uninitialized =
io.IncrementalNewlineDecoder.__new__(io.IncrementalNewlineDecoder)
each of the following calls would raise a SystemError ('null argument to
internal routine'):
uninitialized.getstate()
uninitialized.setstate((b'foo', 0))
uninitialized.reset()
In contrast, the following call would raise a ValueError
('IncrementalNewlineDecoder.__init__ not called'):
uninitialized.decode(b'bar')
ISTM that getstate(), setstate(), and reset() should have the same behavior as
decode(). (Though i think that including the actual type name in the error
message would be better, as it could be a subclass of
IncrementalNewlineDecoder).
--
components: IO
messages: 303842
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: some methods of uninitialized io.IncrementalNewlineDecoder objects raise
SystemError
type: behavior
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31718>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31165] null pointer deref and segfault in list_slice (listobject.c:455)
Oren Milman <ore...@gmail.com> added the comment: Oh, and calls to PyObject_GC_NewVar() might also cause similar issues. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31165> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31092] multiprocessing.Manager() race condition
Oren Milman <ore...@gmail.com> added the comment: Davin and Antoine, i added you to the nosy list because you are listed as multiprocessing experts :) -- nosy: +davin, pitrou ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31092> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31165] null pointer deref and segfault in list_slice (listobject.c:455)
Oren Milman <ore...@gmail.com> added the comment: Here is some similar code that crashes for the same reasons: # create a circular reference with a malicious __del__(). class A: def __del__(*args): del list1[0] circ_ref_obj = A() circ_ref_obj._self = circ_ref_obj list1 = [None] list2 = [] del circ_ref_obj while len(list2) < 1: list2.append(list1[:]) IIUC, list_slice() first finds the boundaries of the slice and its length, and then calls PyList_New(). But PyList_New() might call PyObject_GC_New(), which eventually causes a call to _PyObject_GC_Alloc(), which might call collect_generations(), which causes the malicious __del__() to run. After __del__() empties the list, list_slice() continues to run, but the list's boundaries it found earlier are now invalid, and so it tries to read the first element in the now empty list, and crashes. Maybe we should prevent collection of garbage with circular references (that has __del__() or weakref callbacks) from PyObject_GC_New()? ISTM there might be a lot of places with similar issues. (e.g. if we replace 'list2.append(list1[:])' with 'list2.append(list1[::-1])', we get a crash in list_subscript()). So i think that fixing each of them would be harder and might even introduce a regression in performance. -- nosy: +Oren Milman ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31165> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31092] multiprocessing.Manager() race condition
Oren Milman <ore...@gmail.com> added the comment: Prof Plum, i changed the type of the issue to 'behavior', because Lang and me both got a KeyError. if your interpreter actually crashed, please change it back to 'crash'. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31092> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31092] multiprocessing.Manager() race condition
Oren Milman <ore...@gmail.com> added the comment: IIUC: In Lang's example, doing `queue = None` caused the destruction of the shared queue, which caused a call to BaseProxy._decref() (in multiprocessing/managers.py), which dispatched a decref request to the manager's server process. Meanwhile, the pool's worker process (in function worker() in multiprocessing/pool.py) tries to retrieve a task from its task queue, by calling inqueue.get(). The get() method unpickles the first pickled task in the queue, which is the function and arguments that we passed to apply_async(). The unpickling of the shared queue causes creating a proxy object for the shared queue, in which BaseProxy.__init__() is called, which calls BaseProxy._incref(), which dispatches an incref request to the manager's server process. Unfortunately, the decref request gets to the server before the incref request. So when the server receives the decref request (in Server.handle_request()), and accordingly calls Server.decref(), the refcount of the shared queue in the server is 1, so the refcount is decremented to 0, and the shared queue is disposed. Then, when the server receives the incref request, it tries to increment the refcount of the shared queue (in Server.incref()), but can't find it in its refcount dict, so it raises the KeyError. (If, for example, you added a 'sleep(0.5)' before the call to dispatch() in BaseProxy._decref(), the incref request would win the race, and the KeyError wouldn't be raised.) Should we fix this? Or is it the responsibility of the user to not destroy shared objects too soon? (In that case, maybe we should mention it in the docs?) The situation in the example of Prof Plum is similar. Also, note that this issue is not specific to using pool workers or to Manager.Queue. For example, we get a similar error (for similar reasons) in this code: from multiprocessing import Process, Manager from time import sleep if __name__ == '__main__': with Manager() as manager: shared_list = manager.list() p = Process(target=sorted, args=(shared_list,)) p.start() # sleep(0.5) shared_list = None p.join() -- components: +Library (Lib) nosy: +Oren Milman type: crash -> behavior versions: +Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31092> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31683] a stack overflow on windows in faulthandler._fatal_error()
New submission from Oren Milman <ore...@gmail.com>: On my 64-bit Windows 10, the echo here would print -1073741571: python -c "import faulthandler; faulthandler._fatal_error(b'a' * 2 ** 22)" echo %errorlevel% This is code c0fd, which windbg describes as 'Stack overflow'. This happens because Py_FatalError() (in Python/pylifecycle.c) does the following (on Windows only): len = strlen(msg); /* Convert the message to wchar_t. This uses a simple one-to-one conversion, assuming that the this error message actually uses ASCII only. If this ceases to be true, we will have to convert. */ buffer = alloca( (len+1) * (sizeof *buffer)); for( i=0; i<=len; ++i) buffer[i] = msg[i]; Note that (IIUC) running the aforementioned cmd wouldn't cause a post-mortem debugger to pop-up, because faulthandler_fatal_error_py() (in Modules/faulthandler.c) first calls faulthandler_suppress_crash_report(), and then calls Py_FatalError(). -- components: Extension Modules messages: 303651 nosy: Oren Milman, haypo priority: normal severity: normal status: open title: a stack overflow on windows in faulthandler._fatal_error() type: crash versions: Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31683> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31271] an assertion failure in io.TextIOWrapper.write
Oren Milman <ore...@gmail.com> added the comment: I am not sure, but ISTM that it isn't possible for the encoder to return a unicode and not fail later. This is because _textiowrapper_writeflush() would call _io.BytesIO.write() (after it called _PyBytes_Join()), and bytesio_write() calls PyObject_GetBuffer(), which would raise "TypeError: 'unicode' does not have the buffer interface". -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31271> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31271] an assertion failure in io.TextIOWrapper.write
Oren Milman <ore...@gmail.com> added the comment: sure -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31271> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21983] segfault in ctypes.cast
Change by Oren Milman <ore...@gmail.com>: -- versions: +Python 2.7, Python 3.4 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue21983> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21983] segfault in ctypes.cast
Change by Oren Milman <ore...@gmail.com>: -- versions: +Python 3.7 -Python 2.7, Python 3.4 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue21983> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21983] segfault in ctypes.cast
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3839 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue21983> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue29832] Don't refer to getsockaddrarg in error messages
Oren Milman <ore...@gmail.com> added the comment: Should i remove the code that i wasn't able to test from the PR, and leave such changes to someone that is able to test it? (of course, if there is some way i can do it using a VM, please point that out, and i would try to set up this VM.) -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue29832> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue21983] segfault in ctypes.cast
Oren Milman <ore...@gmail.com> added the comment: IMHO, Lib/ctypes/test/test_cast.py is the relevant test. Mark, do you still wish to provide a fix for that? (Otherwise, i would be happy to open a PR.) -- nosy: +Oren Milman ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue21983> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31478] assertion failure in random.seed() in case the seed argument has a bad __abs__() method
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3826 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31478> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue28280] Always return a list from PyMapping_Keys/PyMapping_Values/PyMapping_Items
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3821 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue28280> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue28280] Always return a list from PyMapping_Keys/PyMapping_Values/PyMapping_Items
Oren Milman <ore...@gmail.com> added the comment: (for knowledge preservation's sake) Resolving this issue would also resolve #31486. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue28280> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue28280] Always return a list from PyMapping_Keys/PyMapping_Values/PyMapping_Items
Oren Milman <ore...@gmail.com> added the comment: I would be happy to write a PR that implements that. However, i am not sure which way is better to construct a list from the return value (an iterable, hopefully) of keys() etc.: - Call PyList_Type() (in each of PyMapping_Keys() etc.) on the iterable, and overwrite the error message in case it is a TypeError. - Write a helper function iterable_as_list(), which uses PyObject_GetIter() and PySequence_List(), and call it in each of PyMapping_Keys() etc.. (iterable_as_list() would receive "keys" etc., so that it would raise the appropriate error message, in case of a TypeError.) ISTM that the first one is simpler, but I am not sure about the performance difference between them. ------ nosy: +Oren Milman ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue28280> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3808 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue29843] errors raised by ctypes.Array for invalid _length_ attribute
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3807 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue29843> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31637] integer overflow in the size of a ctypes.Array
Change by Oren Milman <ore...@gmail.com>: -- resolution: -> duplicate stage: -> resolved status: open -> closed ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31637> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31637] integer overflow in the size of a ctypes.Array
Oren Milman <ore...@gmail.com> added the comment: oh, i missed that. sorry. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31637> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31637] integer overflow in the size of a ctypes.Array
New submission from Oren Milman <ore...@gmail.com>:
The following code:
from ctypes import *
from _testcapi import PY_SSIZE_T_MAX, LONG_MAX
if LONG_MAX == PY_SSIZE_T_MAX == (1 << 31) - 1:
class MyArray(Array):
_type_ = c_longlong
_length_ = 1 << 29
arr = MyArray()
for i in range(3):
arr[i] = i
for i in range(3):
print(arr[i])
Produces this output (on a 32bit Python on my Windows 10):
2
2
2
This is because PyCArrayType_new() (in Modules/_ctypes/_ctypes.c) raises a
"array too large" error in case (length * itemsize < 0). However, this
multiplication might also overflow to a non-negative number, e.g. to zero in
the code above.
PyCArrayType_new() then does:
stgdict->size = itemsize * length;
Array_ass_item() and Array_item() both do:
size = stgdict->size / stgdict->length;
offset = index * size;
So in the above code, the integer overflow caused the array to collapse to a
single element (the first element).
ISTM that we can fix this by changing the overflow detection logic to this:
assert(itemsize >= 0 && length >= 0);
array_size = itemsize * length;
if (itemsize && array_size / itemsize != length) {
PyErr_SetString(PyExc_OverflowError,
"array too large");
goto error;
}
The assertion is guaranteed to be true after #29843 is resolved. (I would open
a PR for #29843 soon.)
--
components: ctypes
messages: 303322
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: integer overflow in the size of a ctypes.Array
type: behavior
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31637>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Oren Milman <ore...@gmail.com> added the comment: But in case get_source() returned a unicode, is it likely that the splitlines() method of this unicode would return a 8-bit string? Currently show_warning() doesn't handle this scenario, as it assumes splitlines() returned an 8-bit string. Or do you think that show_warning() should also accept unicode? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Oren Milman <ore...@gmail.com> added the comment: oh, of course, checking that get_source() returned a string before passing it to str.splitlines() is not needed. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Oren Milman <ore...@gmail.com> added the comment: Another thought - the existing code assumes that splitlines() returned a string. So maybe we could just check that get_source() returned a string, and then call the method str.splitlines() on it? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Oren Milman <ore...@gmail.com> added the comment: In 2.7, PyUnicode_Splitlines() first does: string = PyUnicode_FromObject(string); So i thought that PyUnicode_Splitlines() would be fine with receiving a string. But now i realize that even in case i was right there, PyUnicode_Splitlines() returns a unicode, and not a string, so there should be problems later. I wonder how the tests still passed.. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3791 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31285] a SystemError and an assertion failure in warnings.warn_explicit()
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3789 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31285> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue28129] assertion failures in ctypes
Oren Milman <ore...@gmail.com> added the comment: Shouldn't we close this issue? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue28129> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31478] assertion failure in random.seed() in case the seed argument has a bad __abs__() method
Oren Milman <ore...@gmail.com> added the comment:
With regard to backporting to 2.7:
In 2.7 also, PyNumber_Absolute() is called, and its return value is stored in
the variable n.
However, there is no _PyLong_NumBits(n), so there is no assertion failure.
If n isn't an integer:
- if !PyObject_IsTrue(n), then the seed is zero (e.g. if n is None, [], () or
{})
- otherwise, PyNumber_And() and PyNumber_Rshift() are used in a loop on n, so
probably a TypeError would be raised.
So I think a backport is still desirable, but i am not sure about the test.
Maybe we should use @cpython_only, and make sure that no error is raised?
We can also make sure that random() returns a different value than when the
seed is zero.
What do you think?
--
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31478>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue15988] Inconsistency in overflow error messages of integer argument
Oren Milman <ore...@gmail.com> added the comment: Serhiy, you suggested in https://bugs.python.org/issue15988#msg289799 that uploading diff files here is more convenient than in a github PR, so I uploaded my fixes here, and so https://github.com/python/cpython/pull/668 is now outdated, and merging it isn't really relevant (while in its current state). Should I open some smaller PRs? or should I combine all my patches and update https://github.com/python/cpython/pull/668 ? -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue15988> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31605] meta issue: bugs.python.org search shows only issues with recent activity
Oren Milman <ore...@gmail.com> added the comment: fixed indeed. thanks! :) -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31605> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31605] meta issue: bugs.python.org search shows only issues with recent activity
Oren Milman <ore...@gmail.com> added the comment: thanks :) opened http://psf.upfronthosting.co.za/roundup/meta/issue642 -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31605> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31531] crash and SystemError in case of a bad zipimport._zip_directory_cache
Oren Milman <ore...@gmail.com> added the comment:
Yet another code that causes a SystemError:
import zipimport
importer = zipimport.zipimporter('foo.zip')
tup_as_list =
list(zipimport._zip_directory_cache['foo.zip']['foo\\__init__.py'])
tup_as_list[0] = None
zipimport._zip_directory_cache['foo.zip']['foo\\__init__.py'] =
tuple(tup_as_list)
importer.load_module('foo')
This could be fixed by checking in get_code_from_data() whether modpath is a
string.
--
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31531>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue6986] _json crash on scanner/encoder initialization error
Change by Oren Milman <ore...@gmail.com>: -- pull_requests: +3775 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue6986> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue6986] _json crash on scanner/encoder initialization error
Oren Milman <ore...@gmail.com> added the comment: I would be happy to open such a PR, if you don't mind. -- nosy: +Oren Milman ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue6986> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31608] crash in methods of a subclass of _collections.deque with a bad __new__()
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3774 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31608> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31608] crash in methods of a subclass of _collections.deque with a bad __new__()
New submission from Oren Milman <ore...@gmail.com>: The following code causes the interpreter to crash: import _collections class BadDeque(_collections.deque): def __new__(cls, *args): if len(args): return 42 return _collections.deque.__new__(cls) BadDeque() * 42 (The interpreter would crash also if we replaced 'BadDeque() * 42' with 'BadDeque() + _collections.deque([42])'.) This is because deque_copy() (in Modules/_collectionsmodule.c) returns whatever BadDeque() returned, without verifying it is a deque. deque_repeat() assumes that deque_copy() returned a deque, and passes it to deque_inplace_repeat(), which assumes it is a deque, and crashes. (Similarly, deque_concat() assumes that deque_copy() returned a deque, which is the reason for the other crash.) ISTM it is a very unlikely corner case, so that adding a test (as well as a NEWS.d item) for it is unnecessary. What do you think? -- components: Extension Modules messages: 303125 nosy: Oren Milman priority: normal severity: normal status: open title: crash in methods of a subclass of _collections.deque with a bad __new__() type: crash versions: Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31608> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31588] SystemError in class creation in case of a metaclass with a bad __prepare__() method
Oren Milman <ore...@gmail.com> added the comment:
Nick, maybe you tried to reproduce in release?
In debug (where I got the SystemError), you have in the beginning of
_PyFrame_New_NoTrack():
#ifdef Py_DEBUG
if (code == NULL || globals == NULL || !PyDict_Check(globals) ||
(locals != NULL && !PyMapping_Check(locals))) {
PyErr_BadInternalCall();
return NULL;
}
--
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31588>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31605] meta issue: bugs.python.org search shows only issues with recent activity
Change by Oren Milman <ore...@gmail.com>: -- nosy: +ezio.melotti ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31605> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31605] meta issue: bugs.python.org search shows only issues with recent activity
Oren Milman <ore...@gmail.com> added the comment: I am not 100% sure that issues are showed because they had a recent activity, but ISTM like the reason.. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31605> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31605] meta issue: bugs.python.org search shows only issues with recent activity
New submission from Oren Milman <ore...@gmail.com>: For example, when I search for 'ctypes', I get only two results. Just in case, i checked and got the same results in multiple browsers, and also on Ubuntu and on Windows. -- components: Demos and Tools messages: 303114 nosy: Oren Milman priority: normal severity: normal status: open title: meta issue: bugs.python.org search shows only issues with recent activity type: behavior ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31605> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31602] assertion failure in zipimporter.get_source() in case of a bad zlib.decompress()
Change by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3769 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31602> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31602] assertion failure in zipimporter.get_source() in case of a bad zlib.decompress()
New submission from Oren Milman <ore...@gmail.com>:
The following code causes an assertion failure (in case there exists a
compressed zip file named 'foo.zip' with a file called 'bar.py' in it):
import zlib
import zipimport
def bad_decompress(*args):
return None
zlib.decompress = bad_decompress
zipimport.zipimporter('foo.zip').get_source('bar')
This is because get_data() (in Modules/zipimport.c) assumes that
zlib.decompress() returned a bytes object, and returns it.
zipimport_zipimporter_get_source_impl() assumes that get_data() returned a
bytes object, and passes it to PyBytes_AS_STRING(), which asserts it is a bytes
object.
--
components: Extension Modules
messages: 303100
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: assertion failure in zipimporter.get_source() in case of a bad
zlib.decompress()
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31602>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31592] assertion failure in Python/ast.c in case of a bad unicodedata.normalize()
Changes by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3752 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31592> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31592] assertion failure in Python/ast.c in case of a bad unicodedata.normalize()
New submission from Oren Milman:
The following code causes an assertion failure:
import unicodedata
def bad_normalize(*args):
return None
unicodedata.normalize = bad_normalize
import ast
ast.parse('\u03D5')
This is because init_normalization() (in Python/ast.c) assumes that
unicodedata.normalize() is valid, and stores it in the compiling struct.
Later, new_identifier() calls the stored function, assumes it returned a
string, and passes it to PyUnicode_InternInPlace(), which asserts it is a
string.
--
components: Interpreter Core
messages: 303036
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: assertion failure in Python/ast.c in case of a bad
unicodedata.normalize()
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31592>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31588] SystemError in class creation in case of a metaclass with a bad __prepare__() method
Changes by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3749 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31588> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31586] SystemError in _collections._count_element() in case of a bad mapping argument
Changes by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3748 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31586> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31588] SystemError in class creation in case of a metaclass with a bad __prepare__() method
New submission from Oren Milman: The following code causes a SystemError: class BadMetaclass(type): def __prepare__(*args): pass class Foo(metaclass=BadMetaclass): pass This is because builtin___build_class__() assumes that __prepare__() returned a mapping, and passes it to PyEval_EvalCodeEx(), which passes it to _PyEval_EvalCodeWithName(), which passes it to _PyFrame_New_NoTrack(), which raises the SystemError. This issue seems related to #17421. -- components: Interpreter Core messages: 303019 nosy: Oren Milman priority: normal severity: normal status: open title: SystemError in class creation in case of a metaclass with a bad __prepare__() method type: behavior versions: Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31588> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31586] SystemError in _collections._count_element() in case of a bad mapping argument
New submission from Oren Milman: The following code causes a SystemError: class BadMapping: get = dict.get __setitem__ = dict.__setitem__ import _collections _collections._count_elements(BadMapping(), [42]) This is because _count_elements() (in Modules/_collectionsmodule.c) assumes that the mapping argument is a dictionary in case it has the same get() and __setitem__() methods as dict. And so, _count_elements() passes the mapping argument to _PyDict_GetItem_KnownHash(), which raises the SystemError. ISTM it is a very unlikely corner case, so that adding a test (as well as a NEWS.d item) for it is unnecessary. What do you think? -- components: Extension Modules messages: 303014 nosy: Oren Milman priority: normal severity: normal status: open type: behavior versions: Python 3.8 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31586> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31577] crash in os.utime() in case of a bad ns argument
Changes by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3739 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31577> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31577] crash in os.utime() in case of a bad ns argument
Oren Milman added the comment: I opened a PR. I think another fix might be to use PyLong_Type.tp_as_number->long_divmod() instead of PyNumber_Divmod(). -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31577> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31577] crash in os.utime() in case of a bad ns argument
New submission from Oren Milman:
The following code causes the interpreter to crash:
class BadInt:
def __divmod__(*args):
return 42
import os
os.utime('foo.txt', ns=(BadInt(), 1))
This is because split_py_long_to_s_and_ns() (in Modules/posixmodule.c) assumes
that PyNumber_Divmod() returns a 2-tuple, and passes it to PyTuple_GET_ITEM(),
which assumes it is a tuple. Thus, PyTuple_GET_ITEM() might return a non-NULL
value which is not an address of a Python object.
--
components: Extension Modules
messages: 302962
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: crash in os.utime() in case of a bad ns argument
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31577>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31573] crashes in os.wait3() and os.wait4() in case of a bad resource.struct_rusage
New submission from Oren Milman: The following code causes the interpreter to crash: import os import time import resource new_pid = os.fork() if new_pid == 0: time.sleep(0.5) else: resource.struct_rusage = None os.wait3(0) We would get a crash also if we replaced 'os.wait3(0)' with 'os.wait4(new_pid, 0)'. This is because wait_helper() (in in Modules/posixmodule.c) assumes that resource.struct_rusage is a type object, and passes it to PyStructSequence_New(), which tries to access the n_fields attribute, and crashes. In addition, the following code causes a SystemError: class BadStructRusage: n_fields = None import os import time import resource new_pid = os.fork() if new_pid == 0: time.sleep(0.5) else: resource.struct_rusage = BadStructRusage os.wait3(0) This is because PyStructSequence_New() (in Objects/structseq.c) assumes that it received a type with a valid n_fields attribute. Similarly, the following code causes the interpreter to crash: class BadStructRusage: n_fields = 16 n_sequence_fields = None import os import time import resource new_pid = os.fork() if new_pid == 0: time.sleep(0.5) else: resource.struct_rusage = BadStructRusage os.wait3(0) ISTM that we can fix these problems by adding checks to wait_helper() and to PyStructSequence_New(). However, maybe a more simple solution would be to either: - Make wait_helper() always use StructRUsageType (defined in Modules/resource.c). - Disable assigning to resource.struct_rusage. Moreover, I don't understand the comment before calling PyStructSequence_New(): /* XXX(nnorwitz): Copied (w/mods) from resource.c, there should be only one. */ Is it relevant to this issue? Lastly, I am not sure about tests (as I found almost no tests of wait3() and wait4()). Should I add to Lib/test/test_wait3.py and Lib/test/test_wait4.py each a class to test this issue? Or is it too much of a corner case, and a test is not needed? -- components: +Extension Modules title: struct_rusage -> crashes in os.wait3() and os.wait4() in case of a bad resource.struct_rusage type: -> crash versions: +Python 3.7 ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31573> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31573] struct_rusage
Changes by Oren Milman <ore...@gmail.com>: -- nosy: Oren Milman priority: normal severity: normal status: open title: struct_rusage ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31573> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31311] a SystemError and a crash in PyCData_setstate() when __dict__ is bad
Oren Milman added the comment: > But this is a separate issue, 3.7 only. I don't think i understand what this issue would include. Anyway, i updated the PR according to your comments. -- ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31311> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31566] assertion failure in _warnings.warn() in case of a bad __name__ global
Changes by Oren Milman <ore...@gmail.com>: -- keywords: +patch pull_requests: +3701 stage: -> patch review ___ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue31566> ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue31566] assertion failure in _warnings.warn() in case of a bad __name__ global
New submission from Oren Milman:
The following code causes an assertion failure:
__name__ = b'foo'
__file__ = None
import _warnings
_warnings.warn('bar')
This is because setup_context() (in Python/_warnings.c) assumes that __name__
is a string, and so it passes it to _PyUnicode_EqualToASCIIString(), which
asserts it is a string.
--
components: Extension Modules
messages: 302829
nosy: Oren Milman
priority: normal
severity: normal
status: open
title: assertion failure in _warnings.warn() in case of a bad __name__ global
type: crash
versions: Python 3.7
___
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31566>
___
___
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
