Bénédikt Tran [Wed, 8 Oct 2025 10:09:45 +0000 (12:09 +0200)]
[3.14] gh-136912: fix handling of `OverflowError` in `hmac.digest` (GH-136917) (#137116)
The OpenSSL and HACL* implementations of HMAC single-shot
digest computation reject keys whose length exceeds `INT_MAX`
and `UINT32_MAX` respectively. The OpenSSL implementation
also rejects messages whose length exceed `INT_MAX`.
Using such keys in `hmac.digest` previously raised an `OverflowError`
which was propagated to the caller. This commit mitigates this case by
making `hmac.digest` fall back to HMAC's pure Python implementation
which accepts arbitrary large keys or messages.
This change only affects the top-level entrypoint `hmac.digest`, leaving
`_hashopenssl.hmac_digest` and `_hmac.compute_digest` untouched.
[3.14] gh-137706: make typing._is_unpacked_typevartuple check for `True` instead of truthy (GH-137712) (#138574)
gh-137706: make typing._is_unpacked_typevartuple check for `True` instead of truthy (GH-137712)
(cherry picked from commit 7e652f402f84b412ec46cec42cb103f489a0087e)
[3.14] GH-137484: Have `Tools/wasm/wasi` use the build triple instead of "build" (GH-137485) (#137487)
GH-137484: Have `Tools/wasm/wasi` use the build triple instead of "build" (GH-37485)
This should help prevent issuse where something like a container is used to do one build and then someone tries to build again locally.
(cherry picked from commit 0953200b136bcb3293cc1bd57a062796ffcd529d)
Co-authored-by: Brett Cannon <brett@python.org> Co-authored-by: Petr Viktorin <encukou@gmail.com>
[3.14] gh-138813: Fix mutable default kwargs={} in multiprocessing BaseProcess and DummyProcess to use None (GH-138814) (#139084)
gh-138813: Fix mutable default kwargs={} in multiprocessing BaseProcess and DummyProcess to use None (GH-138814)
* gh-138813: Default `BaseProcess` `kwargs` to `None` (GH-138814)
Set `BaseProcess.__init__(..., kwargs=None)` and initialize `kwargs` with
`dict(kwargs) if kwargs else {}`. This avoids a shared mutable default and
matches threading.Thread behavior.
Co-authored-by: Denis Sergeev <newjimbatler00@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
[3.14] gh-126631: gh-137996: fix pre-loading of `__main__` (GH-135295) (#138607)
gh-126631: gh-137996: fix pre-loading of `__main__` (GH-135295)
gh-126631: gh-137996: fix pre-loading of `__main__`
The `main_path` parameter was renamed `init_main_from_name`, update the
forkserver code accordingly. This was leading to slower startup times when people
were trying to preload the main module.
Co-authored-by: Duane Griffin <duaneg@dghda.com> Co-authored-by: Gregory P. Smith <greg@krypto.org> Co-authored-by: Petr Viktorin <encukou@gmail.com> Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
[3.14] GH-137243: Have `Tools/wasm/wasi` detect WASI SDK installs in `/opt` when the release tarball is extracted (GH-137244) (GH-137250)
GH-137243: Have `Tools/wasm/wasi` detect WASI SDK installs in `/opt` when the release tarball is extracted (GH-137244)
(cherry picked from commit 2f1a9f2ed498b3cb2dd5f4616bf3a07fd1ad074c)
[3.14] gh-139700: Check consistency of the zip64 end of central directory record (GH-139702) (GH-139706)
Support records with "zip64 extensible data" if there are no bytes
prepended to the ZIP file.
(cherry picked from commit 162997bb70e067668c039700141770687bc8f267)
[3.14] gh-138432: Improved invalid path checking in zoneinfo.reset_tzpath() (GH-138433) (GH-138777)
* Improve error messages for path-like relative paths and path-like bytes paths.
* TZPATH is now always a tuple of strings.
(cherry picked from commit 859aecc33b82f45e5b7ae30138d28f2a2f33a575)
[3.14] Touch up `Setup.local` handling in `Tools/wasm/wasi` (GH-137051) (GH-137053)
Touch up `Setup.local` handling in `Tools/wasm/wasi` (GH-137051)
The comment in the generated file is now more self-explanatory. The checks for unexpected file contents are also strengthened.
(cherry picked from commit ec7fad79d24e79961b86e17177a32b32bb340fe5)
Co-authored-by: Brett Cannon <brett@python.org> Co-authored-by: Zachary Ware <zach@python.org>
[3.14] gh-126008: Improve docstrings for Tkinter cget and configure methods (GH-133303) (GH-137660)
* Explain the behavior of Widget.configure() depending on arguments.
* Unify descriptions.
* Replace "resource" with "option".
(cherry picked from commit 027cacb67ce1b16a96a6a2866299803eff16a4a6)
[3.14] gh-134466: Don't run when termios is inaccessible (GH-138911) (GH-139029)
Without the ability to set required capabilities, the REPL cannot
function properly (syntax highlighting and multiline editing can't
work).
We refuse to work in this degraded state.
[3.14] gh-139076: Fix regression in pydoc not showing extension functions (GH-139077) (GH-139160)
Fix a bug in the pydoc module that was hiding functions in a Python
module if they were implemented in an extension module and the module did
not have __all__.
(cherry picked from commit 7257b24140ac1b39fb8cfd4610134ec79575a396)
[3.14] gh-130567: Fix possible crash in locale.strxfrm() (GH-138940) (GH-139265)
On some macOS versions there was an off-by-one error in wcsxfrm() which
caused writing past the end of the array if its size was not calculated
by running wcsxfrm() first.
[3.14] gh-139283: correctly handle `size` limit in `cursor.fetchmany()` (GH-139296) (GH-139441)
Passing a negative or zero size to `cursor.fetchmany()` made it fetch all rows
instead of none.
While this could be considered a security vulnerability, it was decided to treat
this issue as a regular bug as passing a non-sanitized *size* value in the first
place is not recommended.
(cherry picked from commit bc172ee8307431caf4c89612e9e454081635191f)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Peter Bierma <zintensitydev@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
* Only lock the SSL context, not the SSL socket.
This solves a deadlock when a socket is blocked while waiting on data,
which ended up causing a major regression in 3.13.6 (see gh-137583).
---------
Co-authored-by: Peter Bierma <zintensitydev@gmail.com>
[3.14] gh-136914: Fix support of cached functions and properties in DocTest's lineno computation (GH-136930) (#137616)
gh-136914: Fix support of cached functions and properties in DocTest's lineno computation (GH-136930)
Previously, DocTest's lineno of functions and methods decorated with
functools.cache(), functools.lru_cache() and functools.cached_property()
was not properly returned (None was returned) because the
computation relied on inspect.isfunction() which does not consider the
decorated result as a function.
We now use the more generic inspect.isroutine(), as elsewhere
in doctest's logic.
[3.14] gh-137433: Fix deadlock with stop-the-world and daemon threads (gh-137735) (GH-138965)
There was a deadlock originally seen by Memray when a daemon thread
enabled or disabled profiling while the interpreter was shutting down.
I think this could also happen with garbage collection, but I haven't
seen that in practice.
The daemon thread could be hung while trying acquire the global rwmutex
that prevents overlapping global and per-interpreter stop-the-world events.
Since it already held the main interpreter's stop-the-world lock, it
also deadlocked the main thread, which is trying to perform interpreter
finalization.
Swap the order of lock acquisition to prevent this deadlock.
Additionally, refactor `_PyParkingLot_Park` so that the global buckets
hashtable is left in a clean state if the thread is hung in
`PyEval_AcquireThread`.
[3.14] gh-137044: Support large limit values in getrlimit() and setrlimit() (GH-137338) (#137506)
gh-137044: Support large limit values in getrlimit() and setrlimit() (GH-137338)
* Return large limit values as positive integers instead of negative integers
in resource.getrlimit().
* Accept large values and reject negative values (except RLIM_INFINITY)
for limits in resource.setrlimit().
(cherry picked from commit baefaa6cba1d69efd2f930cdc56bca682c54b139)
Signed-off-by: Ho Kim <ho.kim@ulagbulag.io> Co-authored-by: Ho Kim <ho.kim@ulagbulag.io> Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
[3.14] Update the dbm documentation (GH-137919) (#137962)
Unify documentation for all backends, enumerate all not implemented mapping
methods, document particularities of implemented mapping methods.
(cherry picked from commit 8700404f8688d6a56279dce47a5a5802ec53ed06)
[3.14] gh-135944: Add a "Runtime Components" Section to the Execution Model Docs (gh-135945) (#139509)
gh-135944: Add a "Runtime Components" Section to the Execution Model Docs (gh-135945)
The section provides a brief overview of the Python runtime's execution environment. It is meant to be implementation agnostic,
(cherry picked from commit 46a1f0a9ff6e7cbea111dcb35e7aced1a7a3f3dc)
Co-authored-by: Eric Snow <ericsnowcurrently@gmail.com>
[3.14] gh-133467: fix data race in `type_set_name` (GH-137302) (#137303)
gh-133467: fix data race in `type_set_name` (GH-137302)
Fix data race in `type_set_name` by assigning name under stop the world pause making it thread safe in free-threading.
(cherry picked from commit e99bc7fd44bbbf2464c37d5a57777ac0e1264c37)
[3.14] gh-137185: Fix `_Py_DumpStack()` async signal safety (gh-137187) (gh-137206)
Call backtrace() once when installing the signal handler to ensure that
libgcc is dynamically loaded outside the signal handler.
This fixes a "signal-unsafe call inside of a signal" TSan error from
test_faulthandler.test_enable_fd.
(cherry picked from commit 11a8652e25341e696b06d8dc7a18e8c3ee8059e4)
[3.14] gh-135444: fix `asyncio.DatagramTransport.sendto` to account for datagram header size when data cannot be sent (GH-135445) (#137245)
gh-135444: fix `asyncio.DatagramTransport.sendto` to account for datagram header size when data cannot be sent (GH-135445)
(cherry picked from commit e3ea8613519bd08aa6ce7d142403e644ae32d843)
Co-authored-by: Wulian233 <1055917385@qq.com> Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Co-authored-by: Petr Viktorin <encukou@gmail.com>
[3.14] gh-136516: Mention installation artifacts as de-facto resources (GH-136419) (#137038)
gh-136516: Mention installation artifacts as de-facto resources (GH-136419)
Files like NUL on windows are, from `importlib.resources` point of
view, an artifact caused by installing to a filesystem directory.
Mention these.
(cherry picked from commit fac4964fdb2ae12969b485de496dd6d064fdbe99)
Sam Gross [Tue, 7 Oct 2025 17:45:23 +0000 (13:45 -0400)]
[3.14] gh-137400: Fix thread-safety issues when profiling all threads (gh-137518) (gh-137730)
There were a few thread-safety issues when profiling or tracing all
threads via PyEval_SetProfileAllThreads or PyEval_SetTraceAllThreads:
* The loop over thread states could crash if a thread exits concurrently
(in both the free threading and default build)
* The modification of `c_profilefunc` and `c_tracefunc` wasn't
thread-safe on the free threading build.
(cherry picked from commit a10152f8fd0f4b291e53d646cffe22fbeec73e1e)
Co-authored-by: Sam Gross <colesbury@gmail.com> Co-authored-by: Petr Viktorin <encukou@gmail.com>
projects / thirdparty / Python / cpython.git / log
