gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (#139234)
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:
- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.
Barney Gale [Wed, 24 Sep 2025 01:52:24 +0000 (02:52 +0100)]
GH-139174: Prepare `pathlib.Path.info` for new methods (#139175)
Merge `_WindowsPathInfo` and `_PosixPathInfo` classes into a new
`_StatResultInfo` class. On Windows, this means relying on `os.stat()`
rather than `os.path.isfile()` and friends, which is a little slower. But
there's value in making the code easier to maintain, and we're going to
need the stat result for implementing `size()`, `mode()` etc.
Also move the classes from `pathlib._os` to `pathlib` proper.
gh-67795: Accept any real numbers as timestamp and timeout (GH-139224)
Functions that take timestamp or timeout arguments now accept any
real numbers (such as Decimal and Fraction), not only integers or floats,
although this does not improve precision.
gh-130567: Fix possible crash in locale.strxfrm() (GH-138940)
On some macOS versions there was an off-by-one error in wcsxfrm() which
caused writing past the end of the array if its size was not calculated
by running wcsxfrm() first.
Co-authored-by: Ronald Oussoren <ronaldoussoren@mac.com>
gh-138709: Fix race condition in test_external_inspection (#139209)
Fix race condition in test_external_inspection thread status tests
The tests test_thread_status_detection and test_thread_status_gil_detection
had a race condition where the test could sample thread status between when
the sleeper thread sends its "ready" message and when it actually calls
time.sleep(). This caused intermittent test failures where the sleeper
thread would show as running (status=0) instead of idle (status=1 or 2).
The fix moves the thread status collection inside the retry loop and
specifically waits for the expected thread states before proceeding with
assertions. The retry loop now continues until:
- The sleeper thread shows as idle (status=1 for CPU mode, status=2 for GIL mode)
- The busy thread shows as running (status=0)
- Both thread IDs are found in the status collection
This ensures the test waits for threads to settle into their expected states
before making assertions, eliminating the race condition.
gh-138013: Split SignalsTest from test_io.test_general (#139079)
Increase parallelism by splitting out `SignalsTest` from test_general.
`SignalsTest` takes 24.2 seconds on my dev machine when fully enabled
making it the largest part of `test_io`. Code move done via copy/paste
then tweak imports.
After splitting `test_io.test_general` is down to 10.1 seconds on my dev
box with all parts enabled.
gh-139076: Fix regression in pydoc not showing extension functions (GH-139077)
Fix a bug in the pydoc module that was hiding functions in a Python
module if they were implemented in an extension module and the module did
not have __all__.
gh-138171: Migrate iOS testbed location and add Apple build script (#138176)
Adds tooling to generate and test an iOS XCframework, in a way that will also facilitate
adding other XCframework targets for other Apple platforms (tvOS, watchOS, visionOS and
even macOS, potentially).
--------- Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Peter Bierma [Fri, 19 Sep 2025 12:17:05 +0000 (08:17 -0400)]
gh-126016: Remove bad assertion in `PyThreadState_Clear` (GH-139158)
In the _interpreters module, we use PyEval_EvalCode() to run Python code in another interpreter. However, when the process receives a KeyboardInterrupt, PyEval_EvalCode() will jump straight to finalization rather than returning. This prevents us from cleaning up and marking the thread as "not running main", which triggers an assertion in PyThreadState_Clear() on debug builds. Since everything else works as intended, remove that assertion.
gh-81148: Eliminate unnecessary check in _strptime when determining AM/PM (#13428)
* bpo-36967: Eliminate unnecessary check in _strptime when determining AM/PM
* Pauls suggestion to refactor test
* Fix test
---------
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> Co-authored-by: Paul Ganssle <1377457+pganssle@users.noreply.github.com>
Peter Bierma [Thu, 18 Sep 2025 20:04:01 +0000 (16:04 -0400)]
gh-136003: Skip non-daemon threads when exceptions occur during finalization (GH-139129)
During finalization, we need to mark all non-daemon threads as daemon to quickly shut down threads when sending CTRL^C to the process. This was a minor regression from GH-136004.
Peter Bierma [Thu, 18 Sep 2025 12:10:41 +0000 (08:10 -0400)]
Document `Py_AddPendingCall()` change with subinterpreters in 3.12 (GH-139117)
Prior to 3.9, Py_AddPendingCall() would always run pending calls in the main interpreter, but then each interpreter got their own ceval state, and they were scheduled for any interpreter. In GH-104813, this was undone, so Py_AddPendingCall() would always schedule for the main interpreter.
Peter Bierma [Thu, 18 Sep 2025 11:00:50 +0000 (07:00 -0400)]
gh-139098: Use multiphase initialization in `_testcapi` (GH-139102)
Use multiphase initialization in the _testcapi module to allow loading in subinterpreters. The isolation here isn't perfect as there's still some use of globals, but _testcapi should generally work in other interpreters.
Malcolm Smith [Thu, 18 Sep 2025 10:41:21 +0000 (11:41 +0100)]
Make Android streams respect the unbuffered (`-u`) option (#138806)
Android pipes stdout/stderr to the log, which means every write to the log
becomes a separate log line. As a result, most practical uses of stdout/stderr
should be buffered; but it doesn't hurt to preserve unbuffered handling in case
it's useful.
gh-138720: Make Buffered closed check match flush (GH-138724)
In `_io__Buffered_flush_impl` the macro `CHECK_CLOSED` is used to check
the `buffered*` is in a good state to be flushed. That differs slightly
from `buffered_closed`.
In some cases, that difference would result in `close()` thinking the
file needed to be flushed and closed while `flush()` thought the file
was already closed.
This could happen during GC and would result in an unraisable exception.
gh-138813: Fix mutable default kwargs={} in multiprocessing BaseProcess and DummyProcess to use None (GH-138814)
* gh-138813: Default `BaseProcess` `kwargs` to `None` (#138814)
Set `BaseProcess.__init__(..., kwargs=None)` and initialize `kwargs` with
`dict(kwargs) if kwargs else {}`. This avoids a shared mutable default and
matches threading.Thread behavior.
projects / thirdparty / Python / cpython.git / log
