I'm both very much surprised and disappointed that this feature is disabled by default and needs to be explicitly turned on.
Honestly, if the spec doesn't guarantee that iteration will be in order, no one has a right to complain if it actually isn't with this release.
In the C++ world I come from, the Spec is treated as being holy. You don't write code that invokes undefined behavior or relies on unspecified behavior. If you do, you're on your own and no one will touch your code with a ten foot pole if they can help it. (Unless, of course, there really is no other way due to your compiler, etc. etc. in which case you litter the comments with warnings)
In this particular case, it's a simple matter of choosing the right data structure to suit your needs, or sorting contents before accessing them if you truly require in-order iteration.
>In the C++ world I come from, the Spec is treated as being holy.
That's ridiculous.
>You don't write code that invokes undefined behavior or relies on unspecified behavior.
This happens all the time, and not only is code written that relies on unspecified behavior, vendors maintain backward compatibility for programs that do this.
As one who complained directly this being off-by-default to some python-dev folks, one small reason it's off-by-default in the bugfix releases is because it's likely to break people's tests if they use doctest. Pretty much everyone I've talked to sees this as an argument against doctest on at least some level.
IIRC there were also larger concerns about poorly implemented systems that depended on hash() being stable for persistence reasons. I don't know the details of that, as I appreciate the nod to backwards compatibility and not breaking people on a bugfix release.
JSON objects are explicitly unordered, but you would be amazed by how many gripes I've seen about JSON libraries or systems that don't preserve the order.
Wow this is great. As I remember basically all language implementations like Ruby, PHP, Perl, V8, etc. were vulnerable to this problem. Is Python the first to provide a fix?
I believe perl fixed this issue years ago (and this recent wave of discovery was based on a paper which was sent to perl maintainers long ago). Ruby fixed this issue in 1.9 before it was a big deal. I am not aware if Ruby 1.8 has backported a fix yet.
Ruby seems to have fixed it in December, PHP in January and Node was trying to get a fix in for v8 but it's been rejected AFAIR and then they patched their version. Perl hasn't actually been vulnerable for a couple of years.
I am surprised they get into quadratic algorithmic complexities. If they use the most efficient data structures (e.g., balanced binary trees) their algorithms for storage and retrieval should be no higher than O(log(n)). Thus if everything collides at the same entry in a hash table, you should still be able to do stores and reads for O(log(n)) time. And if that is the case, it would be very difficult to execute an attack that would cause significant disturbances even if the bad guys could beat the hash function.
I think you're assuming that python hash tables use linked list buckets. They don't. They use open addressing, and resize the table as necessary. There's no "data structure" that could be switched to a binary tree.
I believe that using binary trees for hash chaining gives you better worst-case complexity but often worse performance in the common case. When your hashes are reasonably well spread out and the buckets are chained at most a couple of items deep, the overhead of maintaining a binary tree versus a linked list or using open addressing can be a considerable hit.
I'm disappointed that they didn't fix pydoc to handle Partial objects correctly (i.e. show them as methods and display their __doc__ text rather than show them as variable of class Partial).
[+] [-] ComputerGuru|14 years ago|reply
Honestly, if the spec doesn't guarantee that iteration will be in order, no one has a right to complain if it actually isn't with this release.
In the C++ world I come from, the Spec is treated as being holy. You don't write code that invokes undefined behavior or relies on unspecified behavior. If you do, you're on your own and no one will touch your code with a ten foot pole if they can help it. (Unless, of course, there really is no other way due to your compiler, etc. etc. in which case you litter the comments with warnings)
In this particular case, it's a simple matter of choosing the right data structure to suit your needs, or sorting contents before accessing them if you truly require in-order iteration.
[+] [-] ywrkdl|14 years ago|reply
That's ridiculous.
>You don't write code that invokes undefined behavior or relies on unspecified behavior.
This happens all the time, and not only is code written that relies on unspecified behavior, vendors maintain backward compatibility for programs that do this.
http://www.joelonsoftware.com/articles/APIWar.html
> If you do, you're on your own and no one will touch your code with a ten foot pole if they can help it.
Not really. If you do this and you're a huge success, you're the center of the universe. If you do this and no one notices, you're fucked.
[+] [-] durin42|14 years ago|reply
IIRC there were also larger concerns about poorly implemented systems that depended on hash() being stable for persistence reasons. I don't know the details of that, as I appreciate the nod to backwards compatibility and not breaking people on a bugfix release.
[+] [-] eevee|14 years ago|reply
[+] [-] chubot|14 years ago|reply
[+] [-] haberman|14 years ago|reply
[+] [-] LoonyPandora|14 years ago|reply
[1] http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-...
[+] [-] axiak|14 years ago|reply
1: http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec...
[+] [-] jakubw|14 years ago|reply
[+] [-] sigzero|14 years ago|reply
[+] [-] gdg92989|14 years ago|reply
[+] [-] yk|14 years ago|reply
[+] [-] obtu|14 years ago|reply
[+] [-] kibwen|14 years ago|reply
[+] [-] DasIch|14 years ago|reply
[+] [-] hristov|14 years ago|reply
[+] [-] tedunangst|14 years ago|reply
[+] [-] mikeash|14 years ago|reply
[+] [-] bmm6o|14 years ago|reply
[+] [-] ken|14 years ago|reply
[+] [-] pyre|14 years ago|reply
[+] [-] lawnchair_larry|14 years ago|reply
[+] [-] jbarham|14 years ago|reply
[+] [-] BarkMore|14 years ago|reply