
Opt into FromPyObject derive for Clone pyclasses under PyO3 0.29 #90

Merged: shsms merged 1 commit into frequenz-floss:v0.x.x from shsms:fix/pyo3-oob-read-nth on Jun 22, 2026

Conversation

@shsms

@shsms shsms commented Jun 19, 2026

Collaborator

PyO3 0.29 (bumped in #89) deprecated the automatic `FromPyObject` derive for
`#[pyclass]` types that implement `Clone`, which `cargo clippy -D warnings`
now rejects.

Changes

  • Opt back into the derive on `ComponentGraphConfig` and `FormulaOverrides`
    with `#[pyclass(..., from_py_object)]`: both are extracted from Python by
    value, so the derive must remain. No behavior change.
  • Note the 0.29 upgrade (which also carries the GHSA-36hh-v3qg-5jq4
    out-of-bounds read fix) under Upgrading in the release notes.

The pyo3 0.29 bump (frequenz-floss#89) updated the dependency but didn't address 0.29's
deprecation of the *automatic* `FromPyObject` derive for `#[pyclass]` types
that implement `Clone`, which `cargo clippy -D warnings` rejects.
`ComponentGraphConfig` and `FormulaOverrides` are both extracted from Python
by value (`config.extract::<ComponentGraphConfig>()` and the by-value
`Option<FormulaOverrides>` argument), so opt back in explicitly with
`#[pyclass(from_py_object)]` to preserve the previous behavior.

The 0.29 bump itself also pulled in the fix for the out-of-bounds read in
list/tuple iterator `nth`/`nth_back` (GHSA-36hh-v3qg-5jq4); note it under
Upgrading.

Signed-off-by: Sahas Subramanian <sahas.subramanian@proton.me>
@shsms shsms requested a review from a team as a code owner June 19, 2026 08:52
@shsms shsms requested review from florian-wagner-frequenz and removed request for a team June 19, 2026 08:52
@github-actions github-actions Bot added part:docs Affects the documentation part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) labels Jun 19, 2026
@shsms shsms force-pushed the fix/pyo3-oob-read-nth branch from 46d1d9b to 0b61315 June 19, 2026 08:58
@shsms shsms changed the title Bump PyO3 to 0.29 to fix out-of-bounds read advisory Opt into FromPyObject derive for Clone pyclasses under PyO3 0.29 Jun 19, 2026
@shsms shsms force-pushed the fix/pyo3-oob-read-nth branch from 0b61315 to 126e80f June 19, 2026 09:01
@shsms shsms added this pull request to the merge queue Jun 22, 2026
Merged via the queue into frequenz-floss:v0.x.x with commit 8bf4710 Jun 22, 2026
9 checks passed
@shsms shsms deleted the fix/pyo3-oob-read-nth branch June 22, 2026 19:28