➜
This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.
Created on2015-06-08 11:57 bypkt, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| dict_merge.py | pkt,2015-06-08 11:57 | |||
| 24407.patch | Mark.Shannon,2015-07-04 14:37 | review | ||
| dict_merge.patch | benjamin.peterson,2015-07-04 15:28 | review | ||
| Messages (11) | |||
|---|---|---|---|
| msg245001 -(view) | Author: paul (pkt) | Date: 2015-06-08 11:57 | |
# PyDict_Merge:# # 1 for (i = 0, n = DK_SIZE(other->ma_keys); i < n; i++) {# ...# 3 entry = &other->ma_keys->dk_entries[i];# ...# 2 if (insertdict(mp, entry->me_key,# entry->me_hash,# value) != 0)# return -1;# ...# }# # 1. n is set once # 2. it's possible to run a custom __eq__ method from inside the insertdict. # __eq__ clears the "other" dict. "n" variables is now out of date# 3. out of bounds read# # CRASH:# ------## * thread #1: tid = 27715, 0x080d1c1d python`insertdict(mp=0xb71d66f4, key=0x61682044, hash=543582496, value=0xb71d6664) + 132 at dictobject.c:819, name = 'python', stop reason = invalid address (fault address: 0x61682050)# frame #0: 0x080d1c1d python`insertdict(mp=0xb71d66f4, key=0x61682044, hash=543582496, value=0xb71d6664) + 132 at dictobject.c:819# 816 if (ep == NULL) {# 817 return -1;# 818 }# -> 819 assert(PyUnicode_CheckExact(key) || mp->ma_keys->dk_lookup == lookdict);# 820 Py_INCREF(value);# 821 MAINTAIN_TRACKING(mp, key, value);# 822 old_value = *value_addr;# | |||
| msg246065 -(view) | Author: paul (pkt) | Date: 2015-07-02 10:26 | |
ping | |||
| msg246144 -(view) | Author: paul (pkt) | Date: 2015-07-03 07:45 | |
ping | |||
| msg246250 -(view) | Author: paul (pkt) | Date: 2015-07-04 11:18 | |
ping | |||
| msg246251 -(view) | Author: Berker Peksag (berker.peksag)* | Date: 2015-07-04 11:36 | |
Thanks for the report, paul. Please do not ping an issue after a day.Quoting fromhttps://docs.python.org/devguide/patch.html?#reviewing"If your patch has not received any notice from reviewers (i.e., no comment made) after one month, first “ping” the issue on the issue tracker to remind the nosy list that the patch needs a review. If you don’t get a response within a few days after pinging the issue, then you can try emailingpython-dev@python.org asking for someone to review your patch." | |||
| msg246258 -(view) | Author: Mark Shannon (Mark.Shannon)* | Date: 2015-07-04 14:03 | |
The tracker won't let me assign this to myself.Consider it assigned. | |||
| msg246260 -(view) | Author: Mark Shannon (Mark.Shannon)* | Date: 2015-07-04 14:37 | |
There are two parts to this fix.First, we raise a runtime exception if the other dict is modified during the update/merge.Second, refcounts must be incremented around the PyDict_GetItem and insertdict calls in case the key or value is otherwise deallocated. Patch attached. | |||
| msg246262 -(view) | Author: Benjamin Peterson (benjamin.peterson)* | Date: 2015-07-04 15:28 | |
Hmm, I just wrote a very similar patch. Tell me what you think. :) | |||
| msg246263 -(view) | Author: Mark Shannon (Mark.Shannon)* | Date: 2015-07-04 15:48 | |
If the tracker had let me assign the issue, you need not have wasted your time. Oh well.Indeed, your patch looks very similar to mine. | |||
| msg246269 -(view) | Author: R. David Murray (r.david.murray)* | Date: 2015-07-04 18:01 | |
Oh, he still might have written the patch, after all there isn't a lot of operational difference between the email that says "assigned to XXX" and the email that contains your text "consider this assigned".However, Benjamin has given you developer privs on the tracker, so in the future you can use assignment if you wish to :) | |||
| msg246293 -(view) | Author: Roundup Robot (python-dev) | Date: 2015-07-05 03:54 | |
New changeset37fed8b02f00 by Benjamin Peterson in branch '3.3':protect against mutation of the dict during insertion (closes#24407)https://hg.python.org/cpython/rev/37fed8b02f00New changeset75da5acbfbe4 by Benjamin Peterson in branch '3.4':merge 3.3 (#24407)https://hg.python.org/cpython/rev/75da5acbfbe4New changeset6a7ee97cb0b1 by Benjamin Peterson in branch '3.5':merge 3.4 (#24407)https://hg.python.org/cpython/rev/6a7ee97cb0b1New changeset88814ddd5e9e by Benjamin Peterson in branch 'default':merge 3.5 (#24407)https://hg.python.org/cpython/rev/88814ddd5e9e | |||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:17 | admin | set | github: 68595 |
| 2015-07-18 20:52:29 | Arfrever | set | nosy: +Arfrever |
| 2015-07-05 03:54:16 | python-dev | set | status: open -> closed nosy: +python-dev messages: +msg246293 resolution: fixed stage: needs patch -> resolved |
| 2015-07-04 18:01:33 | r.david.murray | set | nosy: +r.david.murray messages: +msg246269 |
| 2015-07-04 15:48:23 | Mark.Shannon | set | messages: +msg246263 |
| 2015-07-04 15:28:09 | benjamin.peterson | set | files: +dict_merge.patch nosy: +benjamin.peterson messages: +msg246262 |
| 2015-07-04 14:37:21 | Mark.Shannon | set | files: +24407.patch keywords: +patch messages: +msg246260 |
| 2015-07-04 14:03:20 | Mark.Shannon | set | nosy: +Mark.Shannon messages: +msg246258 |
| 2015-07-04 11:36:28 | berker.peksag | set | nosy: +berker.peksag messages: +msg246251 |
| 2015-07-04 11:18:47 | pkt | set | messages: +msg246250 |
| 2015-07-03 07:45:18 | pkt | set | messages: +msg246144 |
| 2015-07-02 10:26:08 | pkt | set | messages: +msg246065 |
| 2015-06-08 14:20:47 | serhiy.storchaka | set | nosy: +rhettinger,serhiy.storchaka components: + Interpreter Core stage: needs patch |
| 2015-06-08 11:57:05 | pkt | create | |