From e6110efd03259acd1895cff63fbfa115ac5f16dc Mon Sep 17 00:00:00 2001 From: Ramin Farajpour Cami Date: Sun, 15 Feb 2026 18:09:57 +0330 Subject: [PATCH 1/4] gh-144759: Fix undefined behavior from NULL pointer arithmetic in lexer (#144788) Guard against NULL pointer arithmetic in `_PyLexer_remember_fstring_buffers` and `_PyLexer_restore_fstring_buffers`. When `start` or `multi_line_start` are NULL (uninitialized in tok_mode_stack[0]), performing `NULL - tok->buf` is undefined behavior. Add explicit NULL checks to store -1 as sentinel and restore NULL accordingly. Add test_lexer_buffer_realloc_with_null_start to test_repl.py that exercises the code path where the lexer buffer is reallocated while tok_mode_stack[0] has NULL start/multi_line_start pointers. This triggers _PyLexer_remember_fstring_buffers and verifies the NULL checks prevent undefined behavior. --- Lib/test/test_repl.py | 16 ++++++++++++++++ ...026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst | 4 ++++ Parser/lexer/buffer.c | 8 ++++---- 3 files changed, 24 insertions(+), 4 deletions(-) create mode 100644 Misc/NEWS.d/next/Core_and_Builtins/2026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst diff --git a/Lib/test/test_repl.py b/Lib/test/test_repl.py index 6cdb1ca65c6aed..40965835bcec00 100644 --- a/Lib/test/test_repl.py +++ b/Lib/test/test_repl.py @@ -143,6 +143,22 @@ def test_multiline_string_parsing(self): output = kill_python(p) self.assertEqual(p.returncode, 0) + @cpython_only + def test_lexer_buffer_realloc_with_null_start(self): + # gh-144759: NULL pointer arithmetic in the lexer when start and + # multi_line_start are NULL (uninitialized in tok_mode_stack[0]) + # and the lexer buffer is reallocated while parsing long input. + long_value = "a" * 2000 + user_input = dedent(f"""\ + x = f'{{{long_value!r}}}' + print(x) + """) + p = spawn_repl() + p.stdin.write(user_input) + output = kill_python(p) + self.assertEqual(p.returncode, 0) + self.assertIn(long_value, output) + def test_close_stdin(self): user_input = dedent(''' import os diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst new file mode 100644 index 00000000000000..46786d0672b0a8 --- /dev/null +++ b/Misc/NEWS.d/next/Core_and_Builtins/2026-02-13-12-00-00.gh-issue-144759.d3qYpe.rst @@ -0,0 +1,4 @@ +Fix undefined behavior in the lexer when ``start`` and ``multi_line_start`` +pointers are ``NULL`` in ``_PyLexer_remember_fstring_buffers()`` and +``_PyLexer_restore_fstring_buffers()``. The ``NULL`` pointer arithmetic +(``NULL - valid_pointer``) is now guarded with explicit ``NULL`` checks. diff --git a/Parser/lexer/buffer.c b/Parser/lexer/buffer.c index 63aa1ea2ad4f60..e122fd0d9878ea 100644 --- a/Parser/lexer/buffer.c +++ b/Parser/lexer/buffer.c @@ -13,8 +13,8 @@ _PyLexer_remember_fstring_buffers(struct tok_state *tok) for (index = tok->tok_mode_stack_index; index >= 0; --index) { mode = &(tok->tok_mode_stack[index]); - mode->start_offset = mode->start - tok->buf; - mode->multi_line_start_offset = mode->multi_line_start - tok->buf; + mode->start_offset = mode->start == NULL ? -1 : mode->start - tok->buf; + mode->multi_line_start_offset = mode->multi_line_start == NULL ? -1 : mode->multi_line_start - tok->buf; } } @@ -27,8 +27,8 @@ _PyLexer_restore_fstring_buffers(struct tok_state *tok) for (index = tok->tok_mode_stack_index; index >= 0; --index) { mode = &(tok->tok_mode_stack[index]); - mode->start = tok->buf + mode->start_offset; - mode->multi_line_start = tok->buf + mode->multi_line_start_offset; + mode->start = mode->start_offset < 0 ? NULL : tok->buf + mode->start_offset; + mode->multi_line_start = mode->multi_line_start_offset < 0 ? NULL : tok->buf + mode->multi_line_start_offset; } } From 50c479e613beccf38b6ac2e5fe4e03dab8bbcb28 Mon Sep 17 00:00:00 2001 From: Kumar Aditya Date: Sun, 15 Feb 2026 20:21:54 +0530 Subject: [PATCH 2/4] add whatsnew entry for `PyUnstable_SetImmortal` and `PyDatetime_IMPORT` (#144830) --- Doc/c-api/datetime.rst | 9 +++++++++ Doc/whatsnew/3.15.rst | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/Doc/c-api/datetime.rst b/Doc/c-api/datetime.rst index 127d7c9c91a3d5..d7b4e116c49e35 100644 --- a/Doc/c-api/datetime.rst +++ b/Doc/c-api/datetime.rst @@ -30,6 +30,10 @@ macros. This is not compatible with subinterpreters. + .. versionchanged:: 3.15 + + This macro is now thread safe. + .. c:type:: PyDateTime_CAPI Structure containing the fields for the datetime C API. @@ -44,6 +48,11 @@ macros. This variable is only available once :c:macro:`PyDateTime_IMPORT` succeeds. + .. versionchanged:: 3.15 + + This variable should not be accessed directly as direct access is not thread-safe. + Use :c:func:`PyDateTime_IMPORT` instead. + .. c:type:: PyDateTime_Date This subtype of :c:type:`PyObject` represents a Python date object. diff --git a/Doc/whatsnew/3.15.rst b/Doc/whatsnew/3.15.rst index 0e440ccfd011f0..cd80947924684d 100644 --- a/Doc/whatsnew/3.15.rst +++ b/Doc/whatsnew/3.15.rst @@ -1563,6 +1563,8 @@ New features thread state. (Contributed by Victor Stinner in :gh:`139653`.) +* Add :c:func:`PyUnstable_SetImmortal` C-API function to mark objects as :term:`immortal`. + (Contributed by Kumar Aditya in :gh:`143300`.) Changed C APIs -------------- @@ -1571,6 +1573,9 @@ Changed C APIs flag is set then :c:macro:`Py_TPFLAGS_HAVE_GC` must be set too. (Contributed by Sergey Miryanov in :gh:`134786`.) +* :c:macro:`PyDateTime_IMPORT` is now thread safe. Code that directly checks ``PyDateTimeAPI`` + for ``NULL`` should be updated to call :c:macro:`PyDateTime_IMPORT` instead. + (Contributed by Kumar Aditya in :gh:`141563`.) Porting to Python 3.15 ---------------------- From 5a6615ff9281b4f5204d18159e19cd6e92b0fb9a Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Feb 2026 16:07:03 +0000 Subject: [PATCH 3/4] gh-142349: Add CODEOWNERS for lazy imports (#144840) --- .github/CODEOWNERS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 6b6074be0a5728..a12fae18d51c21 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -292,6 +292,12 @@ Python/jit.c @brandtbucher @savannahostrowski @diegorusso Tools/jit/ @brandtbucher @savannahostrowski @diegorusso InternalDocs/jit.md @brandtbucher @savannahostrowski @diegorusso @AA-Turner +# Lazy imports (PEP 810) +Objects/lazyimportobject.c @twouters @DinoV @pablogsal +Include/internal/pycore_lazyimportobject.h @twouters @DinoV @pablogsal +Lib/test/test_import/test_lazy_imports.py @twouters @DinoV @pablogsal +Lib/test/test_import/data/lazy_imports/ @twouters @DinoV @pablogsal + # Micro-op / μop / Tier 2 Optimiser Python/optimizer.c @markshannon @Fidget-Spinner Python/optimizer_analysis.c @markshannon @tomasr8 @Fidget-Spinner @savannahostrowski From 23c488d6197191d355be6733699a295c20806932 Mon Sep 17 00:00:00 2001 From: Pablo Galindo Salgado Date: Sun, 15 Feb 2026 16:11:16 +0000 Subject: [PATCH 4/4] Format CODEOWNERS file (#144842) --- .github/CODEOWNERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a12fae18d51c21..32b883213685b2 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -293,10 +293,10 @@ Tools/jit/ @brandtbucher @savannahostrowski @diegorusso InternalDocs/jit.md @brandtbucher @savannahostrowski @diegorusso @AA-Turner # Lazy imports (PEP 810) -Objects/lazyimportobject.c @twouters @DinoV @pablogsal -Include/internal/pycore_lazyimportobject.h @twouters @DinoV @pablogsal -Lib/test/test_import/test_lazy_imports.py @twouters @DinoV @pablogsal -Lib/test/test_import/data/lazy_imports/ @twouters @DinoV @pablogsal +Objects/lazyimportobject.c @twouters @DinoV @pablogsal +Include/internal/pycore_lazyimportobject.h @twouters @DinoV @pablogsal +Lib/test/test_import/test_lazy_imports.py @twouters @DinoV @pablogsal +Lib/test/test_import/data/lazy_imports/ @twouters @DinoV @pablogsal # Micro-op / μop / Tier 2 Optimiser Python/optimizer.c @markshannon @Fidget-Spinner