Serhiy Storchaka [Thu, 15 Jan 2026 07:59:15 +0000 (09:59 +0200)]
[3.13] gh-141805: Fix crash after concurrent addition objects with the same hash to set (GH-143815) (GH-143853)
This happens when the set contained several elements with the same hash,
and then some of them were removed.
(cherry picked from commit b8e925b4f8f6c5e28fbebc4f3965bf77610698b3)
[3.13] gh-106287: Do not write objects after an unmarshalling error (GH-132715) (GH-143833)
Writing out an object may involve a slot lookup, which is not safe to do with
an exception raised. In debug mode an assertion failure will occur if this
happens.
(cherry picked from commit ce8f5f98c6fc95a1704360d986a4d0281eeada79)
[3.13] gh-141004: Document old provisional names for vectorcall/code API (GH-143568) (GH-143829)
For vectorcall API, the underscore-prefixed provisional names
continue to be available per PEP 590:
https://peps.python.org/pep-0590/#finalizing-the-api
Use `versionadded`, `versionchanged`, and `:no-typesetting:`
to mark this up.
For PyCode API, use `:no-typesetting:` rather than `index::` so that
these are semantically documented as C functions.
(cherry picked from commit 7e8a1b5061313e03f99bc2ffa2062702bcc76426)
[3.13] gh-137113 docs: note readline no longer supported in REPL after 3.13 (GH-137142) (GH-143792)
Add a note to the readline module documentation stating that
Python 3.13 and later no longer supports readline in the default REPL,
as per gh-118840. Includes workaround using PYTHON_BASIC_REPL.
Gregory P. Smith [Wed, 14 Jan 2026 02:09:05 +0000 (18:09 -0800)]
[3.13] gh-143706: Fix sys.argv not set during multiprocessing forkserver `__main__` preload (GH-143717) (#143821)
The forkserver was not passing sys.argv to its main() function, causing
sys.argv to be empty during `__main__` module import in child processes. This
fixes a non-obvious regression inadvertently introduced by the gh-126631 main
preloading fix.
[3.13] gh-141004: Don't trigger `run-tests` when `Tools/check-c-api-docs/ignored_c_api.txt` is changed (GH-143583) (GH-143794)
gh-141004: Don't trigger `run-tests` when `Tools/check-c-api-docs/ignored_c_api.txt` is changed (GH-143583)
(cherry picked from commit 1176facbf21388ef29276ec55a95a66423f61191)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Terry Jan Reedy [Tue, 13 Jan 2026 03:58:30 +0000 (22:58 -0500)]
[3.13] gh-139707: Copy-strip change to idle.rst into idlelib (#143767)
Copy net new text in idle.rst from main to 3.13.
Make 3.13 docs and copy-strip idle.html to idlelib/help.html.
See https://github.com/python/cpython/issues/139707#issuecomment-3737374788
and PR #143718 message for more.
* Revert url to 'main' from '3.13'
The branch in the source links in the revised help.html
become '3.13' instead of 'main' because the html
was generated from an edited 3.13 version of idle.rst
instead being backported from main. This reversion
avoids the possibility of future backport merge conflicts.
The version makes no difference to the Help/IDLE doc display as
the url is currently neither displayed nor linked to the link title
-- 'Lib/idlelib'. If we do make the links live, we can use
sys.version_info to replace 'main' when main is no longer the source branch.
[3.13] gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it (GH-143561) (#143734)
gh-143544: Fix possible use-after-free in the JSON decoder when JSONDecodeError disappears during raising it (GH-143561)
(cherry picked from commit c3157480601499565fd42a8afbdb0207328ac484)
Serhiy Storchaka [Mon, 12 Jan 2026 08:37:28 +0000 (10:37 +0200)]
[3.13] gh-143378: Fix use-after-free when BytesIO is concurrently mutated during write operations (GH-143408) (GH-143600)
PyObject_GetBuffer() can execute user code (e.g. via __buffer__), which may
close or otherwise mutate a BytesIO object while write() or writelines()
is in progress. This could invalidate the internal buffer and lead to a
use-after-free.
[3.13] gh-127750: Fix annotations in singledispatchmethod signature tests (GH-143571) (GH-143708)
These tests relied on a bug -- gh-84644, which is that singledispatch
doesn't verify the annotation is on the "first" parameter.
(cherry picked from commit 620a5b92693ac1b2cef1f90fd3c2dba1bb794552)
Serhiy Storchaka [Sun, 11 Jan 2026 12:34:36 +0000 (14:34 +0200)]
[3.13] gh-143638: Forbid cuncurrent use of the Pickler and Unpickler objects in C implementation (GH-143664) (GH-143687)
Previously, this could cause crash or data corruption, now concurrent calls
of methods of the same object raise RuntimeError.
(cherry picked from commit d1282efb2b847bf9274d78c5f15ea00499b2c894)
[3.13] gh-143006: Fix and optimize mixed comparison of float and int (GH-143084) (GH-143624)
When comparing negative non-integer float and int with the same number
of bits in the integer part, __neg__() in the int subclass returning
not an int caused an assertion error.
Now the integer is no longer negated. Also, reduced the number of
temporary created Python objects.
(cherry picked from commit 66bca383bd3b12d21e879d991d77b37a4c638f88)
Hold a strong reference to 'hook' while calling the default
unraisable took to log hook failure.
(cherry picked from commit 1d0baf1ae48f98b61cc869a82e1b7206298f653f)
Sam Gross [Thu, 8 Jan 2026 17:35:56 +0000 (12:35 -0500)]
[3.13] gh-142095: Use thread local frame info in `py-bt` and `py-bt-full` when available (gh-143371) (#143567)
In optimized and `-Og` builds, arguments and local variables are frequently
unavailable in gdb. This makes `py-bt` fail to print anything useful. Use the
`PyThreadState*` pointers `_Py_tss_gilstate` and `Py_tss_tstate` to find the
interpreter frame if we can't get the frame from the
`_PyEval_EvalFrameDefault` call.
(cherry picked from commit 49c3b0a67a77bb42e736cea7dcbc1aa8fa704074)
Co-authored-by: Victor Stinner <vstinner@python.org>
[3.13] gh-133315: Document that compat32 should not be used with MIMEPart/EmailMessage (GH-143307) (#143495)
gh-133315: Document that compat32 should not be used with MIMEPart/EmailMessage (GH-143307)
(cherry picked from commit ff7d1cec41f391270560b9f4726791d8476c6eba)
The documentation incorrectly stated that the file descriptor is not
inherited by child processes. In reality, the close-on-exec flag (when
available) only prevents inheritance across exec() calls, not fork().
(cherry picked from commit e79c9b703117d8b0e7c4d86b704e2e7f120db883)
Co-authored-by: ADITYA RAI <adi.hack1234@gmail.com> Co-authored-by: Victor Stinner <vstinner@python.org>
Stan Ulbrych [Tue, 6 Jan 2026 11:49:31 +0000 (11:49 +0000)]
[3.13] gh-143003: Fix possible shared buffer overflow in bytearray.extend() (GH-143086) (GH-143448)
When __length_hint__() returns 0 for non-empty iterator, the data can be
written past the shared 0-terminated buffer, corrupting it.
(cherry picked from commit 522563549a49d28e763635c58274a23a6055f041)
[3.13] gh-143148: Replace pre-commit with prek in CI (GH-143149) (#143359)
Co-authored-by: Johann Christensen <johannchristensen@outlook.de> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
[3.13] Update docstrings of `typing.Hashable`, `typing.List`, etc., to reflect their deprecation (GH-143295) (#143349)
Update docstrings of `typing.Hashable`, `typing.List`, etc., to reflect their deprecation (GH-143295)
(cherry picked from commit 18f3c59e57e5d30218210136060310310b10ff72)
Co-authored-by: Alex Waygood <Alex.Waygood@Gmail.com>
[3.13] gh-69686: Remove untrue part of `__import__` replacement docs (GH-143261) (#143282)
gh-69686: Remove untrue part of `__import__` replacement docs (GH-143261)
Remove untrue part of `__import__` replacement docs
The original statement effectively says that replacing `__import__` at global scope affects import statements, and not only that, but only import statements within the rest of the executing module. None of that has been true since at least Python 2.7, I think.
[3.13] gh-143200: fix UAFs in `Element.__{set,get}item__` when the element is concurrently mutated (GH-143226) (#143274)
gh-143200: fix UAFs in `Element.__{set,get}item__` when the element is concurrently mutated (GH-143226)
(cherry picked from commit b6b0e14b3d4aa9e9b89bef9a516177238883e1a7)
Changed condition to evaluate if timeout is less than or equals to 0. This is needed for simulated time environments such as Shadow where the time will match exactly on the boundary.
[3.13] gh-143004: Fix possible use-after-free in collections.Counter.update() (GH-143044) (GH-143167)
This happened when the Counter was mutated when incrementing
the value for an existing key.
(cherry picked from commit 86d904588e8c84c7fccb8faf84b343f03461970d)
[3.13] Correctly fold unknown-8bit originating from encoded words. (GH-142517) (#143147)
The unknown-8bit trick was designed to deal with unknown bytes in an
ASCII message, and it works fine for that. However, I also tried to
extend it to handle bytes that can't be decoded using the charset
specified in an encoded word, and there it fails because there can be
other non-ASCII characters that were *successfully* decoded. The fix is
simple: do the unknown-8bit encoding using the utf-8 codec. This is
especially appropriate since anyone trying to do recovery on an unknown
byte string will probably attempt utf-8 first.
(cherry picked from commit 1e17ccd030a2285ad53db5952360fffa33a8a877)
Co-authored-by: R. David Murray <rdmurray@bitdance.com> Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
[3.13] gh-142145: Avoid timing measurements in quadratic behavior test (gh-143105) (#143140)
Count the number of Element attribute accesses as a proxy for work done.
With double the amount of work, a ratio of 2.0 indicates linear scaling
and 4.0 quadratic scaling. Use 3.2 as an intermediate threshold.
(cherry picked from commit 57937a8e5e293f0dcba5115f7b7a11b1e0c9a273)
[3.13] gh-109263: Start process from spawn context in multiprocessing no longer have side effect (GH-135813) (#143116)
gh-109263: Start process from spawn context in multiprocessing no longer have side effect (GH-135813)
(cherry picked from commit c2202a7e661d40b1837cc0109cdb9ab40ec4e486)
Co-authored-by: AN Long <aisk@users.noreply.github.com>
[3.13] gh-143010: Prevent a TOCTOU issue by only calling open once (GH-143011) (#143079)
gh-143010: Prevent a TOCTOU issue by only calling open once (GH-143011)
RDM: per AZero13's research the 'x' option did not exist when this code was written, This
modernization can thus drop the fd trick in _create_carefully and just use open with 'x' to achieve the same goal more securely.
(cherry picked from commit a88d1b8dab4cbd3180dd7f1acb44d627db90323b)
Gregory P. Smith [Sun, 21 Dec 2025 07:03:24 +0000 (23:03 -0800)]
[3.13] gh-70647: Better promote how to safely parse yearless dates in datetime. (GH-116179) (#143038)
* gh-70647: Better promote how to safely parse yearless dates in datetime. (GH-116179)
* gh-70647: Better promote how to safely parse yearless dates in datetime.
Every four years people encounter this because it just isn't obvious.
This moves the footnote up to a note with a code example.
We'd love to change the default year value for datetime but doing
that could have other consequences for existing code. This documented
workaround *always* works.
* doctest code within note is bad, dedent.
* Update to match the error message.
* remove no longer referenced footnote
* ignore the warning in the doctest
* use Petr's suggestion for the docs to hide the warning processing
projects / thirdparty / Python / cpython.git / log
