Alexander Riccio added the comment:
Yes, I definitely should. I work on https://bugs.python.org/issue25878
sometimes, which encompasses this.
--
___
Python tracker
<https://bugs.python.org/issue42
Alexander Riccio added the comment:
Petition to remove all uses of the unchecked string handling functions from
CPython?
Sidenote: if C4996 was on, this would be a warning.
--
nosy: +Alexander Riccio
Alexander Riccio added the comment:
Oh, uh, also, do you prefer I add a commit or a new branch & PR?
--
Alexander Riccio added the comment:
Ahh, ok. Even though I question the usefulness of manually maintaining MSBuild
files instead of something like CMake, I can work with that. Is there a
preferred way to do it? It looks like I can do a
Condition="'$(Configuration)|$(Platform)'
New submission from Alexander Riccio :
This isn't a priority issue I'd say. However, fixing it could yield nice
benefits. I ran into this while experimenting with JUMBO/Unity builds as part
of a bit of fun I've been having tweaking build options across the CPython
ecosystem.
Change by Alexander Riccio :
--
keywords: +patch
pull_requests: +18658
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/19298
Change by Alexander Riccio :
--
pull_requests: +18659
pull_request: https://github.com/python/cpython/pull/19298
New submission from Alexander Riccio :
Similarly to bpo-40145, I've tweaked build options to reduce the size of the
binary.
This patch turns on (for release builds) Whole Program Optimization, MinSpace
optimization, /Ob2 AnySuitable function inlining, /Zo (so that people can still
deb
New submission from Alexander Riccio :
This popped out at me while looking for something else. It's probably not much
of an actual problem, since the wrong datatype is larger than the correct one,
but it's worth fixing.
The problem is in overlapped_RegisterWaitWithQueue, at overla
Alexander Riccio added the comment:
If this patch is merged, and all 7 million (estimated) Python developers update
their installation, I calculate that I just saved the PSF 119GB worth of
bandwidth costs :)
I'll take my 10 cents in the mail plea
Change by Alexander Riccio :
--
keywords: +patch
pull_requests: +18642
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/19284
New submission from Alexander Riccio :
I've tweaked the pcbuild options for pyshellext to reduce the size of the
binary.
Since this is a very simple component, there really isn't much benefit of
optimizing for speed, likely the slowest part of this component's lifetime is
si
New submission from Alexander Riccio :
The "obvious" way to delete a directory tree on Windows is wrong. It's
inherently racy, since deleting a file on Windows *doesn't actually delete it*,
instead it marks the file for deletion. The system will eventually get around
Alexander Riccio added the comment:
Ok, so a draft of this produces 34 warnings, but makes way more changes to the
.vcxproj and .filters files than I think it should:
https://github.com/ariccio/cpython/commit/60152aa065a3ad861f0359a8ada7f2fbc83a3933
Before I submit a PR, I think I should
Alexander Riccio added the comment:
Sure, should I open a new issue?
--
nosy: -vstinner
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
Alexander Riccio added the comment:
Hmmm, happens every time I interrupt while attached. Is there some obvious
gotcha in the docs that I'm missing?
--
Alexander Riccio added the comment:
Lmao the name mangling comes up as a mailto. That's interesting.
--
New submission from Alexander Riccio :
While trying to make sense of some static analysis warnings for the Windows
console IO module, I Ctrl+C'd in the middle of an intentionally absurd __repr__
output, and on proceeding in the debugger (which treated it as an exception), I
immediatel
New submission from Alexander Riccio :
At line 138 in debughelpers.c, ssl_obj, which was set to NULL on line 122, is
dereferenced.
I think the original intent was to actually bubble the error up through the ssl
object.
Full function:
static void
_PySSL_keylog_callback(const SSL *ssl
Change by Alexander Riccio :
--
keywords: +patch
pull_requests: +18442
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/19083
Alexander Riccio added the comment:
Sidenote: visual studio was misleading and made this look like a use-after-free
for a little while, which was interesting.
--
nosy: +pablogsal
New submission from Alexander Riccio :
growable_comment_array_add in parsetok.c incorrectly uses realloc, which leaks
the array when allocation fails, and then causes a null pointer deref crash
later when the array is freed in growable_comment_array_deallocate (the array
pointer is
Alexander Riccio added the comment:
Ok, so I finally have some proper time to work on this. How would people (who
are higher up in python than me, obviously) feel about suppressing most of the
warnings via a user macro in Visual Studio? I've found that it's quite easy to
add a ma
Alexander Riccio added the comment:
It's part of the Windows SDK, and is installed with it. To enable for this
error, add the Python executable in Application Verifier, and check the Handles
box.
--
Alexander Riccio added the comment:
Hmm, proceeding a bit further pointed to finish_recv in windows_events.py
--
Added file: https://bugs.python.org/file48299/python_invalid_handle.PNG
New submission from Alexander Riccio :
I compiled PCBuild Debug x64 from an updated clone of upstream, and when
running the testsuite under Application Verifier with handle verification, the
test triggers an invalid handle access by passing an invalid overlapped handle
to CancelIoEx with
Alexander Riccio added the comment:
One more thing, after I ran code analysis:
This is obviously a potential memory leak:
Warning C6308 'realloc' might return null pointer: assigning null pointer to
'arr->items', which is passed as an argument to 'realloc'
Alexander Riccio added the comment:
I decided to come back to this after a python meetup last night. By messing
with this a bit, building in VS2019 with /W4, I see that fully 2/3rds of the
total warnings are from two specific warnings:
C4100 (unreferenced formal parameter)
C4127
Alexander Riccio added the comment:
We might want to use some kind of Group Policy setting, for the same reason
that many Windows security configuration options are there, and that DoD STIGs
for Windows https://www.stigviewer.com/stig/windows_8_8.1/ are almost totally
about configuring Group
Alexander Riccio added the comment:
It's not just Stuxnet, as at least one other Advanced Persistent Threat uses
that tactic. An APT (likely Russian intelligence) recently used encoded
PowerShell to break into the Democratic National Committee:
https://www.crowdstrike.com/blog/bears-
Alexander Riccio added the comment:
> Please stop educating us.
Sorry, not what was intended! Tone transmits poorly.
--
Alexander Riccio added the comment:
#pragma warning(disable : 4232) is almost always NOT what you want.
See: http://www.viva64.com/en/k/0048/
--
nosy: +Alexander Riccio
Alexander Riccio added the comment:
When I say "I'm really not sure what it'd look like, or how it'd work" I mean
at the C level. At a higher level, there are many places that I imagine are
good places to use AMSI: Perhaps expressions passed in from the command lin
Alexander Riccio added the comment:
See also: "Security Focus: Defending PowerShell with the Anti-Malware Scan
Interface (AMSI)"
http://blogs.technet.com/b/poshchap/archive/2015/10/16/security-focus-defending-powershell-with-windows-def
Alexander Riccio added the comment:
See "Windows 10 to offer application developers new malware defenses"
https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/
for an example of how AMSI works with PowerShell.
I
New submission from Alexander Riccio:
I'm really not sure what it'd look like, or how it'd work, but CPython should
take advantage of Microsoft's Antimalware Scan Interface, which is new to
Windows 10. It's designed for applications like interpreters, which can execute
Alexander Riccio added the comment:
If there are few enough instances, then using a #pragma warning(suppress:4232)
is probably the best idea.
--
Alexander Riccio added the comment:
> This should be about a 2 line change, but the current patch is several
> hundred lines of spam.
I agree, but wasn't immediately sure how to do so.
Unfortunately, I've been working on other things, and I'm not sure when I'
Alexander Riccio added the comment:
Cut out more noisy warnings.
--
Added file: http://bugs.python.org/file41333/W4_v3.patch
New submission from Alexander Riccio:
See: https://hg.python.org/cpython/file/tip/PC/getpathp.c#l324
The second variable named `reqdSize` in getpythonregpath is initialized but not
used.
--
components: Windows
messages: 256555
nosy: Alexander Riccio, paul.moore, steve.dower
New submission from Alexander Riccio:
See: https://hg.python.org/cpython/file/tip/Objects/unicodeobject.c#l7335
The variable PyObject *exc in encode_code_page_strict is initialized but not
used.
--
components: Windows
messages: 256554
nosy: Alexander Riccio, paul.moore, steve.dower
New submission from Alexander Riccio:
See: https://hg.python.org/cpython/file/tip/Modules/posixmodule.c#l12383
The variable int meth_idx is initialized but not used. I have no idea how it
got there.
--
components: Windows
messages: 256553
nosy: Alexander Riccio, paul.moore
Alexander Riccio added the comment:
(in the same function, char *bufptr is ALSO unused)
--
Python tracker <http://bugs.python.org/issue25890>
New submission from Alexander Riccio:
See: https://hg.python.org/cpython/file/tip/Modules/posixmodule.c#l3466
The variable PyObject *po in _listdir_windows_no_opendir is initialized but not
used. Given that there's a variable named po_wchars, and two PyObject
variables, I'm goin
Alexander Riccio added the comment:
> The problem with this bug report is that there is little chance that it gets
> resolved in the near term, and it's quite possible that it will stay open for
> years. Somebody would have to sit down and start producing patches to fix
&g
New submission from Alexander Riccio:
This is safe, but warns on /W4. In maybe_handle_shebang, an unsigned char* is
passed to find_BOM, which accepts a char*
(https://hg.python.org/cpython/file/tip/PC/launcher.c#l1139).
Without an explicit cast, this generates a warning:
10>..\PC\launche
Changes by Alexander Riccio :
--
components: +Windows
Python tracker <http://bugs.python.org/issue25878>
Changes by Alexander Riccio :
--
nosy: +paul.moore, steve.dower, tim.golden, zach.ware
Python tracker <http://bugs.python.org/issue25878>
Alexander Riccio added the comment:
See Issue25878.
--
Python tracker <http://bugs.python.org/issue25847>
Alexander Riccio added the comment:
I've added the text build output.
--
Added file: http://bugs.python.org/file41322/W4_v2_build_output
Alexander Riccio added the comment:
The warnings that I've disabled are:
C4054, "'conversion' : from function pointer 'type1' to data pointer 'type2'":
https://msdn.microsoft.com/en-us/library/07d15ax5(v=vs.90).aspx
I disabled 4054be
New submission from Alexander Riccio:
This issue is related to Issue25847.
Compiling at /W4 is generally a good idea. It's an industry best practice, and
even though I don't expect disagreement, I'll throw in a few coding standard
links:
https://www.securecoding.cert.org/confl
Alexander Riccio added the comment:
I'll open up a new issue for /W4, and deal with that first.
--
Python tracker <http://bugs.python.org/issue25847>
Alexander Riccio added the comment:
> In which direction do you find us to be mad?
That's really quite a low warning level! For a large project, I can't imagine
anything less than /W4!
--
Alexander Riccio added the comment:
Hold on... CPython builds at /W3???!? What is this madness??!?
--
Added file: http://bugs.python.org/file41312/CPythonW3.PNG
Alexander Riccio added the comment:
Actually, hmm... the very naive version *DOES NOT* work. Grr.
--
Alexander Riccio added the comment:
> That is, (as I understand it) we've done a lot of work to not have compiler
> warnings generated during compilation, and we don't want to backtrack on that.
Well, as-is, simply building as x64 generates a bunch of warnings, so it's
Alexander Riccio added the comment:
Yup, the very naive version works.
--
keywords: +patch
Added file: http://bugs.python.org/file41311/EnableCodeAnalysis.patch
Alexander Riccio added the comment:
> OK, let's move this to patch needed, then, and see if anyone is ambitious
> enough to do the work needed to make it useful to us :)
I can try and hack it in, just as proof of concept. I think I should just be
able to add something like:
/p:En
Alexander Riccio added the comment:
> Are you aware of the Coverity program? Last time I heard about Coverity,
> CPython had 0 bug found by Coverity ;-)
Yup, see Issue25847.
> The sad part is that Py_ARRAY_LENGTH() is written for static analysis
Sadly, yeah. MSVC, when compi
Alexander Riccio added the comment:
> Is analyze something that can be used from the command line only, or does it
> require the GUI?
You can do it from the command line - Chrome/chromium makes use of it as such.
See: https://code.google.com/p/chromium/issues/detail?id=427616
The /a
New submission from Alexander Riccio:
Visual Studio comes with static analysis, enabled by /analyze (command line) or
"Code analysis" in the project configuration dialog. Currently, none of the
CPython projects in PCbuild have Code Analysis turned on, in any configuration.
I wa
New submission from Alexander Riccio:
I found this while writing up a separate bug (CPython doesn't use static
analysis!).
In modules/posixmodule.c, win32_wchdir uses Py_ARRAY_LENGTH on a wchar_t*:
wchar_t _new_path[MAX_PATH], *new_path = _new_path;
int result;
wchar_t env[4
New submission from Alexander Riccio:
I found this while writing up a separate bug (CPython doesn't use static
analysis!).
In _ctypes/cfield.c, Z_set has a bug of some sort:
if (PyLong_Check(value) || PyLong_Check(value)) {
See: https://hg.python.org/cpython/file/tip/Modules/_c
New submission from Alexander Riccio:
I found this while writing up a separate bug (CPython doesn't use static
analysis!).
In PC/launcher.c, get_env has a bug:
/* Large environment variable. Accept some leakage */
wchar_t *buf2 = (wchar_t*)malloc(sizeof(wchar_t) * (res
Changes by Alexander Riccio :
--
type: -> crash
Python tracker <http://bugs.python.org/issue25844>
Alexander Riccio added the comment:
Sorry for the delay: Gmail actually directed the update emails to my spam
folder! Gmail said (something like): "It is in violation of Google's
recommended email sender guidelines."
...and it's apparently not the first time this has happ
New submission from Alexander Riccio:
A really minor issue (probably qualifies for the "easy" keyword):
sound_msgbeep (in http://svn.python.org/projects/python/trunk/PC/winsound.c)
doesn't check the return value of MessageBeep
(https://msdn.microsoft.com/en-us/library/windows/d
Changes by Alexander Riccio :
--
components: Windows
nosy: Alexander Riccio, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: sound_msgbeep doesn't check the return value of MessageBeep
type: behavior
versions: Pytho
Alexander Riccio added the comment:
For your convenience, the MSDN docs for the _putch/_putwch functions:
https://msdn.microsoft.com/en-us/library/azb6c04e.aspx
--
New submission from Alexander Riccio:
A minor issue (probably qualifies for the "easy" keyword):
All functions in msvcrtmodule.c (I'm looking at
http://svn.python.org/projects/python/trunk/PC/msvcrtmodule.c) except
msvcrt_putch and msvcrt_putwch properly check return value
71 matches