Brazilian hobbyist Pythonista. Pythonista amador.
#python
He/him/ele
@carapace That's due to string hash randomization, it should make it harder to do a DoS on the interpreter. That DoS works by making different strings (from user input) have hash collisions and adding them to dictionaries. Without randomization, the attacker can precalculate the strings due to knowing what they will hash to.
I couldn't find a good explainer, best I found was https://docs.python.org/3/using/cmdline.html#cmdoption-R
@carapace But hash has to look at the data, so two equal strings hash the same. Were they using id instead?
"How slow is the tracing interpreter of PyPy's meta-tracing JIT?" https://cfbolz.de/posts/speed-of-tracing/
Spoiler: for the microbenchmark I tried, the slowdown of the meta-tracing interpreter is about 900x (mainly due to the double interpretation overhead: the meta-tracing interpreter will execute the Python interpreter, while the latter executes one iteration of the Python loop).
Cog 3.5!
--check now has --diff to see what changed
shorter checksum format to be less distracting
current directory restoration to simplify your code
and, shocker! --help works!
@p_balduino pescada com uma rede
três quartos
@duran @lorimeyers Ouvi um criador dizer que pastor alemão é super regulamentado. Nunca vi comprovação, mas creio.
@lorimeyers @duran Concordo com sua ideia de controle mais geral (e acho que podia abarcar os SRDs, sem as taxas e tantas restrições mas, por ex., mapeando os abandonadores).
Mas a proposta do Tomazini tem uma coisa muito pragmática, que é dar o primeiro passo com o auxílio dos números, da opinião popular etc. É mais fácil e mais rápido tomar medidas focadas nos pitbulls, porque tem o medo e o ganho de segurança mais à tona.
Sua ideia é uma ótima política pública. A dele, um passo priorizável.
Yup, you can check if it exists with:
>>> import pathlib
>>> pathlib.Path("blabla.csv").exists()
False
Even better, you can see if you can read the contents:
>>> pathlib.Path("blabla.csv").read_text()
So, what's next for fuzzing CPython with fusil?
The results point to interesting future ideas, including expanding fuzzing to new environments like subinterpreters, using more tools like Thread Sanitizer, and developing more advanced fuzzing techniques.
A huge thank you to everyone who contributed!
And thank you for reading!
P.S.: if you have a C/Rust extension, we can fuzz it too: https://mastodon.social/@danzin/114383188014599269
(5/5)
One finding I really like is the bug discovery pattern.
There wasn't a steady stream of bugs, but spikes of findings: 1st, a huge number of crashes as I started testing a CPython that hadn't been fuzzed by fusil in a decade.
Later, a new wave of issues tied to the addition of new features to the fuzzer, like support for "weird classes" and typing objects.
So periodic campaigns may have better cost-benefit than continuous fuzzing.
(4/5)
The credit for fusil's effective design goes all to Victor Stinner (@vstinner), who created it nearly two decades ago. It was responsible for finding release blockers way back in 2008. I just contributed a little to revive and enhance it.
Some enhancements included running generated code in threads and adopting new "interesting" objects and values as inputs, helping to discover more crashes.
(3/5)
All this was only possible due to the great response from the Python community.
Thanks to the developers efforts to triage, diagnose, and fix the problems, the campaign became a collaborative effort to improve Python.
The impact was considerable, mobilizing Core Devs and contributors to create 98 PRs to fix these bugs. The average time to fix an issue was about 20 days, with a median of just five days.
(2/5)
Happy to share the results of a fuzzing campaign targeting CPython that ran from Oct 2024 to May 2025. Using the fusil fuzzer, the goal was to find crashes and improve CPython's robustness.
I really like the results we got: the effort uncovered 52 unique crash-related issues. These reports approached 30% of all "type-crash" issues filed during that period. One of the crashes was classified as a Release Blocker, that was a nice result! :)
(1/5)
@neutrinoceros Well, very little effort wasn't the case, but trawl through the tests we did. And also made "deep diving" work.
The resulting code lives at https://github.com/devdanzin/fusil/tree/main/fusil/python/h5py
Now the important part: did it help find more interesting bugs?
Nope. Well, I think not, but didn't have time to properly reduce and deduplicate all the crashes it hit yet.
It was a great experience trying to figure out ways to crash h5py. I'm sorry the results seem to be underwhelming, but that's how it goes :)
Assim falava a canção
Que na Mary Couveee
So, my technical report on fuzzing CPython with fusil is almost done.
I'd really appreciate some help categorizing the found issues by relevance/severity/importance or any other name for impact.
Do you have the chops to help with that? And do you have time and interest? Please get in touch if so! And please boost if you can :)
A plot, some tables, links to the report and some discussion are available in this thread:
https://discuss.python.org/t/feedback-on-the-recent-fusil-fuzzing-campaign-of-cpython/91737
New Scientist successfully filed a FOI request for UK technology secretary Peter Kyle's ChatGPT logs - setting an interesting precedent!
I used it as an opportunity to write up some prompting tips for why the question "Why is AI adoption so slow in the UK small and medium business community?" is a poor fit for an LLM, in particular one with a September 2023 training cutoff date
https://simonwillison.net/2025/Jun/3/tips-for-peter-kyle/
@hakki @gwidion __hex__ (and __oct__) was removed as a special method during the transition from Python 2 to Python 3: https://github.com/python/cpython/commit/cd16bf640405065e4702539632ce577536207d88
................
r55905 | georg.brandl | 2007-06-11 10:02:26 -0700 (Mon, 11 Jun 2007) | 5 lines
Remove __oct__ and __hex__ and use __index__ for converting
non-ints before formatting in a base.
Add a bin() builtin.
................
Changes in Objects/typeobject.c: https://github.com/python/cpython/commit/cd16bf640405065e4702539632ce577536207d88#diff-1decebeef15f4e0b0ce106c665751ec55068d4d1d1825847925ad4f528b5b872
