Matt Wozniski [Fri, 12 Jun 2026 01:21:04 +0000 (21:21 -0400)]
gh-151297: Fix undefined behavior in `_PyObject_MiRealloc` (GH-151358)
The standard says that a call to `memcpy` must pass a valid source and
destination pointer even if the size is 0, so we must avoid calling
`memcpy` when our source pointer is NULL. If we don't, an optimizing
compiler can decide that the pointer must be non-NULL based on the
presence of UB, and optimize out checks for null pointers.
Specifically, note that the standard says:
Where an argument declared as size_t n specifies the length of the
array for a function, n can have the value zero on a call to that
function. Unless explicitly stated otherwise in the description of
a particular function in this subclause, pointer arguments on such
a call shall still have valid values, as described in 7.1.4.
And section 7.1.4 says:
If an argument to a function has an invalid value (such as a value
outside the domain of the function, or a pointer outside the address
space of the program, or a null pointer, or a pointer to
non-modifiable storage when the corresponding parameter is not
const-qualified) or a type (after default argument promotion) not
expected by a function with a variable number of arguments, the
behavior is undefined.
The specification for `memcpy` doesn't state that it's allowed to be
called with null pointers, and Linux's `/usr/include/string.h` declares
`memcpy` as `__nonnull ((1, 2))`.
Pieter Eendebak [Thu, 11 Jun 2026 16:38:49 +0000 (18:38 +0200)]
gh-150942: Speed up json.loads array and object decoding (GH-150945)
Append parsed values to the result list with _PyList_AppendTakeRef and
insert key/value pairs with _PyDict_SetItem_Take2, which take ownership of
the references instead of incref-ing on insert and then decref-ing the
local. This removes a reference-count round-trip per element (and, on the
free-threaded build, a per-append lock).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Victor Stinner [Wed, 10 Jun 2026 19:39:03 +0000 (21:39 +0200)]
gh-151278: Fix test_faulthandler on UBSan (#151279)
* Py_FatalError() no longer calls _PyFaulthandler_Fini() if it
doesn't hold the GIL.
* Skip test_faulthandler tests raising signals if run with UBSan.
* Enable test_faulthandler in GitHub Action "Reusable Sanitizer".
Victor Stinner [Wed, 10 Jun 2026 16:43:38 +0000 (18:43 +0200)]
gh-151253: Dump the Python path configuration on _PyCodec_InitRegistry() failure (#151250)
If "import encodings" fails at Python startup, dump the Python path
configuration to help users debugging their configuration. The
encodings module is the first module imported during Python startup.
tonghuaroot (童话) [Wed, 10 Jun 2026 13:03:49 +0000 (21:03 +0800)]
gh-143988: Fix re-entrant mutation crashes in socket sendmsg/recvmsg_into (#143987)
Fix crashes in socket.sendmsg() and socket.recvmsg_into() that could
occur if buffer sequences are mutated re-entrantly during argument
parsing via __buffer__ protocol callbacks.
The bug occurs because:
1. PySequence_Fast() returns the original list object when the input
is already a list (not a copy).
2. During iteration, PyObject_GetBuffer() triggers __buffer__
callbacks which may clear the list.
3. Subsequent iterations access invalid memory (heap OOB read).
The fix replaces PySequence_Fast() with PySequence_Tuple() which
always creates a new tuple, ensuring the sequence cannot be mutated
during iteration.
Bernát Gábor [Wed, 10 Jun 2026 13:01:01 +0000 (06:01 -0700)]
gh-89554: Document socket.SocketType as a class (#150683)
socket.SocketType is a class (re-exported from _socket as an alias of
_socket.socket, the base class of socket.socket), but was documented with
the ".. data::" directive, so ":class:" cross-references to it cannot
resolve against a py:class target.
Switch the entry to ".. class::", correct the misleading description
(SocketType is the base class of the socket type, not "type(socket(...))"
which is socket.socket; addresses gh-88427), move it into the Socket
Objects section, and document the socket object methods and attributes
nested under the socket class, dropping the redundant "socket." prefix.
Serhiy Storchaka [Wed, 10 Jun 2026 10:34:55 +0000 (13:34 +0300)]
gh-80384: Check that callback is callable at weak reference creation (GH-151145)
* Python functions weakref.ref() and weakref.proxy() now raise TypeError
if the callback argument is not callable or None.
* C functions PyWeakref_NewRef() and PyWeakref_NewProxy() now raise TypeError
if the callback argument is not callable, None, or NULL.
Taeknology [Wed, 10 Jun 2026 10:10:15 +0000 (19:10 +0900)]
gh-149716: Document PySlot_DATA for Py_mod_gil and Py_mod_multiple_interpreters (GH-150053)
Add short code examples mirroring the existing Py_mod_abi example,
so it is clear which slot definition macro (PySlot_DATA, PySlot_INT64,
or PySlot_UINT64) to use for these two slots.
gh-150700: Fix class-scope inline comprehensions when nested scopes reference `__class__` and friends (#150735)
* Fix class-scope inline comprehensions when nested scopes reference `__class__` and friends
In `inline_comprehension()`, when `__class__` / `__classdict__` /
`__conditional_annotations__` appears as `FREE` in a comprehension's
symbol table because a nested scope captured it (e.g. nested lambdas),
this name is still discarded from `comp_free` unconditionally.
This prevents `drop_class_free()` from seeing it, so the appropriate
`ste_needs_(...)` flag is never set on the enclosing class.
That leads to `codegen_make_closure()` throwing `SystemError` when it
couldn't find `__class__` / `__classdict__` /
`__conditional_annotations__` in the class's cellvars.
From now on we just discard from `comp_free` when no child scope
(e.g. a lambda) still needs the name as `FREE`. When a child scope does
need it, keep it in `comp_free` so `drop_class_free()` can set the
appropriate flag and the class creates the implicit cell.
* Fix tests
* Fix typo
* Fix formatting
* Add test checking validity of `__class__` returned
TextIOWrapper keeps its underlying stream in a member called
`self->buffer`. That stream can be detached by user code, such as custom
`.flush` implementations resulting in `self->buffer` being set to NULL.
The implementation often checked at the start of functions if
`self->buffer` is in a good state, but did not always recheck after
other Python code was called which could modify `self->buffer`.
The cases which need to be re-checked are hard to spot so rather than
rely on reviewer effort create better safety by making all self->buffer
access go through helper functions.
Thank you yihong0618 for the test, NEWS and initial implementation in
gh-143041.
Co-authored-by: yihong0618 <zouzou0208@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org>
projects / thirdparty / Python / cpython.git / log
