Eugene Kapun <abacabadabac...@gmail.com> added the comment:

This patch still assumes that if so->table didn't change then the table wasn't reallocated (see http://en.wikipedia.org/wiki/ABA_problem). One solution is to check that so->mask didn't change as well.

Also, checking that refcnt > 1 is redundant because if entry->key == startkey then there are at least two references: one from entry->key and another from startkey.

These functions have a bug that may cause them to refer to deallocated memory when both arguments are sets: set_intersection, set_isdisjoint, set_difference_update_internal, set_difference, set_symmetric_difference_update, set_issubset.

These functions may also do the same if the first argument is a set and the second argument is a dict: set_difference, set_symmetric_difference_update.

Bugs in set_repr:

>       keys = PySequence_List((PyObject *)so);
>       if (keys == NULL)
>               goto done;
>
>       listrepr = PyObject_Repr(keys);
>       Py_DECREF(keys);

List pointed to by keys is already deallocated at this point.

>       if (listrepr == NULL) {
>               Py_DECREF(keys);

But this code tries to DECREF it.

>               goto done;
>       }
>       newsize = PyUnicode_GET_SIZE(listrepr);
>       result = PyUnicode_FromUnicode(NULL, newsize);
>       if (result) {
>               u = PyUnicode_AS_UNICODE(result);
>               *u++ = '{';
>               /* Omit the brackets from the listrepr */
>               Py_UNICODE_COPY(u, PyUnicode_AS_UNICODE(listrepr)+1,
>                               PyUnicode_GET_SIZE(listrepr)-2);
>               u += newsize-2;
>               *u++ = '}';
>       }
>       Py_DECREF(listrepr);
>       if (Py_TYPE(so) != &PySet_Type) {

result may be NULL here.

>               PyObject *tmp = PyUnicode_FromFormat("%s(%U)",
>                                                    Py_TYPE(so)->tp_name,
>                                                    result);

I think PyUnicode_FromFormat won't like it.

>               Py_DECREF(result);
>               result = tmp;
>       }

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue8420>
_______________________________________
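
The so->table point in the comment above, as an added example that is not part of the original message and is not CPython code: a toy model in which a table is reallocated twice and ends up at its original address, so a pointer-only comparison sees no change while a comparison that also includes the mask does. The two-slot allocator, the `entry`/`toyset` layouts and every function name here are hypothetical and constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed two-slot allocator: a freed slot is handed out again at the
   same address, which a real malloc is free to do as well. */
#define SLOT_BYTES 512
static unsigned char slots[2][SLOT_BYTES];
static int slot_used[2];

static void *toy_alloc(void) {
    for (int i = 0; i < 2; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return slots[i]; }
    return NULL;
}
static void toy_free(void *p) {
    for (int i = 0; i < 2; i++)
        if (p == (void *)slots[i]) slot_used[i] = 0;
}

typedef struct { void *key; long hash; } entry;        /* hypothetical layout */
typedef struct { entry *table; size_t mask; } toyset;  /* models so->table, so->mask */

/* Resize as a hash table does: allocate the new table, then free the old one. */
static void toy_resize(toyset *so, size_t nslots) {
    entry *fresh = toy_alloc();
    toy_free(so->table);
    so->table = fresh;
    so->mask = nslots - 1;
}

/* Bit 0: the pointer-only check noticed the reallocation.
   Bit 1: the pointer-and-mask check noticed it. */
static int run_scenario(void) {
    toyset so = { toy_alloc(), 7 };   /* 8 slots, lives in slot 0 */
    entry *saved_table = so.table;    /* snapshot taken before foreign code runs */
    size_t saved_mask = so.mask;
    toy_resize(&so, 16);              /* table moves to slot 1, slot 0 is freed */
    toy_resize(&so, 32);              /* table is reallocated at slot 0's address */
    int by_ptr = (so.table != saved_table);
    int by_ptr_mask = (so.table != saved_table || so.mask != saved_mask);
    toy_free(so.table);
    return by_ptr | (by_ptr_mask << 1);
}

int main(void) {
    printf("detected: %d (2 = only the mask check fired)\n", run_scenario());
    return 0;
}
```

The model covers the case where the table size differs after the reallocations; it does not dereference any entry, it only shows which comparison notices that the snapshot is stale.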