[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: Closing this for now, let's open another issue if we plan to discuss calling Py_INCREF and Py_DECREF in PyObject_RichCompare or do_richcompare in the future. Thanks to everyone involved! -- resolution: -> fixed stage: patch review ->

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: New changeset 53f11ba7b1498133ce3ff8173d5ae2e0182a3603 by Pablo Galindo (Dong-hee Na) in branch '3.7': [3.7] bpo-38588: Fix possible crashes in dict and list when calling P… (GH-17765)

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: New changeset 2ee87913dde038436a25f1db13ee3fddd2bcc983 by Pablo Galindo (Dong-hee Na) in branch '3.8': [3.8] bpo-38588: Fix possible crashes in dict and list when calling P… (GH-17764)

[issue38588] Use-after-free in dict/list

Inada Naoki added the comment: New changeset dfef986f12dd92bd6434117bba0db3cbb4e65243 by Inada Naoki in branch 'master': bpo-38588: Optimize list comparison. (GH-17766) https://github.com/python/cpython/commit/dfef986f12dd92bd6434117bba0db3cbb4e65243 --

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: Sorry, I meant that I reviewed PR 17766. -- ___ Python tracker ___ ___ Python-bugs-list

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: > Moving INCREF and DECREF is a huge change. It is just a future idea to > prevent same type of bugs. I think it can not be backported. Now I am wondering how many other APIs are affected by the same pattern other than PyObject_RichCompareBool

[issue38588] Use-after-free in dict/list

Inada Naoki added the comment: >> This makes list comparison 2x slower. > > This is affected by PR 17734? or PyObject_RichCompare patched? Caused by PR 17734. > Would you like to revert PR 17734? Calling Py_INCREF and Py_DECREF in > PyObject_RichCompare or do_richcompare will take the same

[issue38588] Use-after-free in dict/list

Dong-hee Na added the comment: Master Mean +- std dev: 1.08 us +- 0.02 us Before PR-17734 Mean +- std dev: 584 ns +- 12 ns New suggested . Mean +- std dev: 578 ns +- 14 ns diff --git a/Objects/object.c b/Objects/object.c index 6fc1146..b42f41a 100644 ---

[issue38588] Use-after-free in dict/list

Change by Inada Naoki : -- pull_requests: +17202 pull_request: https://github.com/python/cpython/pull/17766 ___ Python tracker ___

[issue38588] Use-after-free in dict/list

Dong-hee Na added the comment: > This makes list comparison 2x slower. This is affected by PR 17734? or PyObject_RichCompare patched? -- nosy: +corona10 ___ Python tracker

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: > This makes list comparison 2x slower. Would you like to revert PR 17734? Calling Py_INCREF and Py_DECREF in PyObject_RichCompare or do_richcompare will take the same effect, no? -- ___ Python tracker

[issue38588] Use-after-free in dict/list

Inada Naoki added the comment: $ ./python -m pyperf timeit -s 'a = ["a"]*100; b = ["a"]*100;' -- 'a == b' master : Mean +- std dev: 276 ns +- 1 ns patched: Mean +- std dev: 572 ns +- 3 ns This makes list comparison 2x slower. -- ___ Python

[issue38588] Use-after-free in dict/list

Change by Dong-hee Na : -- pull_requests: +17201 pull_request: https://github.com/python/cpython/pull/17765 ___ Python tracker ___

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: > How about calling Py_INCREF and Py_DECREF in PyObject_RichCompare or > do_richcompare? Apologies, I had missed this suggestion before merging the PR :( If we decide to add the check to PyObject_RichCompare or do_richcompare we should also adapt

[issue38588] Use-after-free in dict/list

Change by Dong-hee Na : -- pull_requests: +17200 pull_request: https://github.com/python/cpython/pull/17764 ___ Python tracker ___

[issue38588] Use-after-free in dict/list

Pablo Galindo Salgado added the comment: New changeset 2d5bf568eaa5059402ccce9ba5a366986ba27c8a by Pablo Galindo (Dong-hee Na) in branch 'master': bpo-38588: Fix possible crashes in dict and list when calling PyObject_RichCompareBool (GH-17734)

[issue38588] Use-after-free in dict/list

Inada Naoki added the comment: If we can not add INCREF and DECREF in the PyObject_RichCompare, we can add v == w check in the caller side. -- ___ Python tracker ___

[issue38588] Use-after-free in dict/list

Inada Naoki added the comment: Would you benchmark the performance? How about calling Py_INCREF and Py_DECREF in PyObject_RichCompare or do_richcompare? It is safer than checking all caller of the PyObject_RichCompare and PyObject_RichCompareBool. And it would be faster when

[issue38588] Use-after-free in dict/list

Change by Dong-hee Na : -- keywords: +patch pull_requests: +17179 stage: -> patch review pull_request: https://github.com/python/cpython/pull/17734 ___ Python tracker ___

[issue38588] Use-after-free in dict/list

LCatro added the comment: Sure ,but how can i pull my fix code ? -- ___ Python tracker ___ ___ Python-bugs-list mailing list

[issue38588] Use-after-free in dict/list

Serhiy Storchaka added the comment: Thank you for your investigation LCatro! Do you mind to create a pull request? -- components: +Interpreter Core type: security -> crash versions: +Python 2.7, Python 3.7, Python 3.9 ___ Python tracker

[issue38588] Use-after-free in dict/list

New submission from LCatro : Code : The varanit bval forget call Py_INCREF to add reference in dict_equal() b->ma_keys->dk_lookup(b, key, ep->me_hash, ); <--- ... if (bval == NULL) { Py_DECREF(key); Py_DECREF(aval); if (PyErr_Occurred()) return -1;