[issue46615] Segfault in set intersection (&) and difference (-)

[Dennis Sweeney]

Dennis Sweeney  added the comment:

replacing `return True` with `return random() < 0.5` makes *all* of the 
operations crash, except for `|` and `|=`.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue46615] Segfault in set intersection (&) and difference (-)

[Dennis Sweeney]

New submission from Dennis Sweeney :

Maybe related to https://bugs.python.org/issue8420

Somewhat obscure, but using only standard Python, and no frame- or gc-hacks, it 
looks like we can get a use-after-free:

from random import random

BADNESS = 0.0

class Bad:
def __eq__(self, other):
if random() < BADNESS:
set1.clear()
if random() < BADNESS:
set2.clear()
return True
def __hash__(self):
return 42

SIZE = 100
TRIALS = 10_000

ops = [
"|", "|=",
"==", "!=",
"<", "<=",
">", ">=",
# "&",  # crash!
# "&=", # crash!
"^",
# "^=", # crash
# "-", # crash
"-=",
]

for op in ops:
stmt = f"set1 {op} set2"
print(stmt, "...")
for _ in range(TRIALS):
BADNESS = 0.00
set1 = {Bad() for _ in range(SIZE)}
set2 = {Bad() for _ in range(SIZE)}
BADNESS = 0.02
exec(stmt)
print("ok.")

--
components: Interpreter Core
messages: 412386
nosy: Dennis Sweeney, rhettinger
priority: normal
severity: normal
status: open
title: Segfault in set intersection (&) and difference (-)
type: crash
versions: Python 3.10, Python 3.11, Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com