Serhiy Storchaka [Tue, 17 Mar 2026 10:55:15 +0000 (12:55 +0200)]
[3.14] gh-144545: Improve handling of default values in Argument Clinic (GH-146016) (GH-146052)
* Add the c_init_default attribute which is used to initialize the C variable
if the default is not explicitly provided.
* Add the c_default_init() method which is used to derive c_default from
default if c_default is not explicitly provided.
* Explicit c_default and py_default now almost always have precedence
over the generated value.
* Add support for bytes literals as default values.
* Improve support for str literals as default values (support non-ASCII
and non-printable characters and special characters like backslash or quotes).
* Fix support for str and bytes literals containing trigraphs, "/*" and "*/".
* Improve support for default values in converters "char" and "int(accept={str})".
* Converter "int(accept={str})" now requires 1-character string instead of
integer as default value.
* Add support for non-None default values in converter "Py_buffer": NULL,
str and bytes literals.
* Improve error handling for invalid default values.
* Rename Null to NullType for consistency.
(cherry picked from commit 99e2c5eccd2b83ac955125522a952a4ff5c7eb43)
[3.14] gh-135329: Remove flaky test_repl_eio test (gh-145932) (#146028)
The test doesn't actually test any pyrepl code (it runs Python with -S)
and has a race condition that causes intermittent timeouts on CI.
(cherry picked from commit e18abc6a1f1b60434b529d4c1ff4855acde0fd13)
[3.14] gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600) (#146023)
gh-145599, CVE 2026-3644: Reject control characters in `http.cookies.Morsel.update()` (GH-145600)
Reject control characters in `http.cookies.Morsel.update()` and `http.cookies.BaseCookie.js_output`.
(cherry picked from commit 57e88c1cf95e1481b94ae57abe1010469d47a6b4)
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
[3.14] gh-145649: Fix man page text wrapping for -X option (GH-145656) (#146015)
gh-145649: Fix man page text wrapping for -X option (GH-145656)
Replace hardcoded space indentation with proper troff macros
(.TP, .RS/.RE, .IP) for -X sub-options so text wraps correctly
at any terminal width.
(cherry picked from commit 36b5284f04b0a946a7d915bcd656534c9b4dbd85)
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
[3.14] gh-140814: Fix freeze_support() setting start method as side effect (GH-144608) (#146008)
gh-140814: Fix freeze_support() setting start method as side effect (GH-144608)
freeze_support() called get_start_method() without allow_none=True,
which locked in the default start method context. This caused a
subsequent set_start_method() call to raise "context has already been
set". Use allow_none=True and accept None as a matching value, since
spawn.freeze_support() independently detects spawned child processes.
Test that freeze_support() does not lock in the default start method,
which would prevent a subsequent set_start_method() call.
(cherry picked from commit ee5318025b0f9f4d30d9358627df68181e0d223f)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
[3.14] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987) (#145995)
gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE 2026-4224) (GH-145987)
Fix C stack overflow (CVE-2026-4224) when an Expat parser
with a registered `ElementDeclHandler` parses inline DTD
containing deeply nested content model.
[3.14] gh-143636: fix a crash when calling ``__replace__`` on invalid `SimpleNamespace` instances (GH-143655) (#145938)
gh-143636: fix a crash when calling ``__replace__`` on invalid `SimpleNamespace` instances (GH-143655)
(cherry picked from commit 97968564b61965f2a65a9be8af731cee6913eb7a)
[3.14] Docs: except with multiple exceptions parentheses not required (GH-145848) (#145904)
Docs: except with multiple exceptions parentheses not required (GH-145848)
As of PEP 758 the except statement doesn't require parentheses anymore for exception tuples.
(cherry picked from commit 6d1e9ceed3e70ebc39953f5ad4f20702ffa32119)
[3.14] gh-145801: Use gcc -fprofile-update=atomic for PGO builds (GH-145802) (#145892)
gh-145801: Use gcc -fprofile-update=atomic for PGO builds (GH-145802)
When Python build is optimized with GCC using PGO, use
-fprofile-update=atomic option to use atomic operations when updating
profile information. This option reduces the risk of gcov Data Files
(.gcda) corruption which can cause random GCC crashes.
(cherry picked from commit 08a018ebe0d673e9c352f790d2e4604d69604188)
Co-authored-by: Victor Stinner <vstinner@python.org>
[3.14] gh-140594: Fix an out of bounds read when feeding NUL byte to PyOS_StdioReadline() (GH-140910) (#145852)
gh-140594: Fix an out of bounds read when feeding NUL byte to PyOS_StdioReadline() (GH-140910)
(cherry picked from commit 86a0756234df7ce42fa4731c91067cb7f2e244d5)
Modifies the Emscripten build script to allow for caching of dependencies, and
for automated installation of new EMSDK versions.
(cherry picked from commit ebb150e76ab4988fdcd5e8caa36b9014497573a5)
Co-authored-by: Hood Chatham <roberthoodchatham@gmail.com>
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
Previously, a component-wise relative error bound was tested. However,
such a bound can't exist already for complex multiplication as one can be
used to perform subtraction of floating-point numbers, e.g. x and y for
z0=1+1j and z1=x+yj.
```pycon
>>> x, y = 1e-9+1j, 1+1j
>>> a = x*y*y.conjugate()/2;a
(1.0000000272292198e-09+1j)
>>> b = x*(y*y.conjugate()/2);b
(1e-09+1j)
>>> b == x
True
>>> (a.real-b.real)/math.ulp(b.real)
131672427.0
```
(cherry picked from commit c4333a12708a917d1cfb6418c04be45793ecc392)
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Savannah Ostrowski <savannah@python.org>
Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
Co-authored-by: Stan Ulbrych <stan@ulbrych.org>
Sam Gross [Tue, 10 Mar 2026 13:31:52 +0000 (09:31 -0400)]
[3.14] gh-145685: Stop the world when updating MRO of existing types (gh-145707) (#145715)
We already have a stop-the-world pause elsewhere in this code path
(type_set_bases) and this will make it easier to avoid contention
on the TYPE_LOCK when looking up names in the MRO hierarchy.
[3.14] gh-145615: Fix mimalloc page leak in the free-threaded build (gh-145626) (#145691)
Fix three issues that caused mimalloc pages to be leaked until the
owning thread exited:
1. In _PyMem_mi_page_maybe_free(), move pages out of the full queue
when relying on QSBR to defer freeing the page. Pages in the full
queue are never searched by mi_page_queue_find_free_ex(), so a page
left there is unusable for allocations.
2. Move _PyMem_mi_page_clear_qsbr() from _mi_page_free_collect() to
_mi_page_thread_free_collect() where it only fires when all blocks
on the page are free (used == 0). The previous placement was too
broad: it cleared QSBR state whenever local_free was non-NULL, but
_mi_page_free_collect() is called from non-allocation paths (e.g.,
page visiting in mi_heap_visit_blocks) where the page is not being
reused.
3. In _PyMem_mi_page_maybe_free(), use the page's heap tld to find the
correct thread state for QSBR list insertion instead of
PyThreadState_GET(). During stop-the-world pauses, the function may
process pages belonging to other threads, so the current thread
state is not necessarily the owner of the page.
[3.14] gh-145219: Add Emscripten cross-build and clean configurability (GH-145581) (#145654)
Modifies the Emscripten build script to allow for custom cross-build directory
names, and to only clean Emscripten-specific paths (optionally including the
build python).
(cherry picked from commit 015613384fea7a00bb2077760e325e5baab6814b)
Co-authored-by: Hood Chatham <roberthoodchatham@gmail.com>
Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
[3.14] gh-145177: Support multiple Emscripten versions for Emscripten buildbot (GH-145180) (#145582)
Adds an `--emsdk-cache` argument to the Emscripten build script and an
emscripten_version.txt file. If the `--emsdk-cache` argument is passed, the build script
will look in `emscripten_version.txt` to get the expected emsdk version is installed in
a folder called e.g., 4.0.12 in the directory indicated by the `--emsdk-cache` argument,
and run the build with that Emscripten tooling activated.
(cherry picked from commit c3fb0d9d96902774c08b199dda0479a8d31398a5)
[3.14] gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (GH-145422) (#145610)
gh-145376: Fix crashes in `md5module.c` and `hmacmodule.c` (GH-145422)
Fix a possible NULL pointer dereference in `md5module.c` and a double-free in `hmacmodule.c`.
Those crashes only occur in error paths taken when the interpreter fails to allocate memory.
(cherry picked from commit c1d77683213c400fca144692654845e6f5418981)
[3.14] gh-144370: Disallow usage of control characters in status in wsgiref.handlers for security (GH-144371) (#145586)
gh-144370: Disallow usage of control characters in status in wsgiref.handlers for security (GH-144371)
Disallow usage of control characters in status in wsgiref.handlers
to prevent HTTP header injections.
(cherry picked from commit d931725bc850cd096f6703bc285e885f1e015f05)
Co-authored-by: Benedikt Johannes <benedikt.johannes.hofer@gmail.com>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
[3.14] gh-122941: Fix test_launcher sporadic failures via py.ini isolation (GH-145090)
Adds _PYLAUNCHER_INIDIR as a private variable since the launcher is deprecated and not getting new features.
(cherry picked from commit 6cdbd7bc5d4ee63459d03a944477ea8671a05198)
[3.14] gh-145557: Check ctypes is available in test_external_inspection (GH-145558) (#145565)
gh-145557: Check ctypes is available in test_external_inspection (GH-145558)
Currently TestGetStackTrace.test_self_trace_after_ctypes_import() will fail if
the _ctypes extension is not built. Make it match test_ctypes by skipping
the test in that case.
(cherry picked from commit 7232883adfc28f94a62d2e79c897db59711702d7)
Co-authored-by: Alex Malyshev <lex.malyshev@gmail.com>
[3.14] gh-143304: Fix ctypes.CDLL to honor handle parameter on POSIX systems (GH-143318) (GH-145172)
The handle parameter was being ignored in the POSIX implementation
of CDLL._load_library(), causing it to always call _dlopen() even
when a valid handle was provided. This was a regression introduced
in recent refactoring.
(cherry picked from commit 27ded243485670fa836c9bb421e37a6ef16eca8e)
Co-authored-by: Arjit Singh Grover <143692910+Koolvansh07@users.noreply.github.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
[3.14] gh-145455: Show output of blurb & sphinx-build version commands (GH-145457) (#145461)
gh-145455: Show output of blurb & sphinx-build version commands (GH-145457)
In gh-145455, an outdated dependency caused an import error that was not
printed out (`2>&1`); the message instead said that the tools are missing.
Don't redirect stderr, to show warnings and failures.
Also, switch `blurb` to output a version on a single line (`--version` rather
than `help`), and don't redirect stdout either.
This results in two version info lines being printed out. These get drowned
in typical Sphinx output, and can be helpful when debugging.
(cherry picked from commit f1de65b3669226d563802a32b78a2294e971151a)