Fix crashes during interpreter shutdown on all Python versions (3.2.6)

Backport of PR #499 (master) to maint/3.2 for greenlet 3.2.6, with all
shutdown guards made unconditional across Python 3.9-3.13.

The previous backport (3.2.5 / PR #495) only guarded Python < 3.11,
but the vulnerability exists on ALL Python versions: Py_IsFinalizing()
is set AFTER atexit handlers complete inside Py_FinalizeEx.

Two independent guards now protect all shutdown phases:

1. g_greenlet_shutting_down — atexit handler registered at module init
   (LIFO = runs first). Covers the atexit phase where
   Py_IsFinalizing() is still False.

2. Py_IsFinalizing() — covers the GC collection and later phases.
   A compatibility shim maps to _Py_IsFinalizing() on Python < 3.13.

These guards are checked in mod_getcurrent, PyGreenlet_GetCurrent,
GreenletChecker, MainGreenletExactChecker, ContextExactChecker,
clear_deleteme_list, ThreadState destructor,
_green_dealloc_kill_started_non_main_greenlet, and AddPendingCall.

Additional hardening:
- clear_deleteme_list() uses std::swap (zero-allocation)
- deleteme vector uses std::allocator (system malloc)
- ThreadState uses std::malloc/std::free
- clear_deleteme_list() preserves pending Python exceptions

TDD-certified: tests fail on greenlet 3.3.2 and pass with the fix
across Python 3.10-3.14. Docker verification on Python 3.9 and 3.10
confirms GUARDED on the maint/3.2 branch.

Also fixes:
- SPDX license identifier: Python-2.0 -> PSF-2.0
- test_dealloc_catches_GreenletExit_throws_other: use
  sys.unraisablehook for pytest compatibility
- test_version: skip gracefully on old setuptools
- Flaky USS memory test on Windows

Made-with: Cursor

Author: nbouvrette

CHANGES.rst

@@ -5,7 +5,54 @@
 3.2.6 (unreleased)
 ==================
 
-- Nothing changed yet.
+- Fix multiple crash paths during interpreter shutdown on **all Python
+  versions** (observed with uWSGI worker recycling on ARM64 and x86_64).
+  Two independent guards now protect all shutdown phases:
+
+  1. ``g_greenlet_shutting_down`` — an atexit handler registered at
+     module init (LIFO = runs first) sets this flag.  Covers the atexit
+     phase of ``Py_FinalizeEx``, where ``Py_IsFinalizing()`` is still
+     ``False`` on all Python versions.
+
+  2. ``Py_IsFinalizing()`` — covers the GC collection and later phases
+     of ``Py_FinalizeEx``, where ``__del__`` methods and C++ destructors
+     run.  A compatibility shim is provided for Python < 3.13 (where
+     only the private ``_Py_IsFinalizing()`` existed).
+
+  These guards are checked in ``mod_getcurrent``,
+  ``PyGreenlet_GetCurrent``, ``GreenletChecker``,
+  ``MainGreenletExactChecker``, ``ContextExactChecker``,
+  ``clear_deleteme_list()``, ``ThreadState::~ThreadState()``,
+  ``_green_dealloc_kill_started_non_main_greenlet``, and
+  ``ThreadState_DestroyNoGIL::AddPendingCall``.
+
+  Additional hardening:
+
+  - ``clear_deleteme_list()`` uses ``std::swap`` (zero-allocation)
+    instead of copying the ``PythonAllocator``-backed vector.
+  - The ``deleteme`` vector uses ``std::allocator`` (system ``malloc``)
+    instead of ``PyMem_Malloc``.
+  - ``ThreadState`` uses ``std::malloc`` / ``std::free`` instead of
+    ``PyObject_Malloc``.
+  - ``clear_deleteme_list()`` preserves any pending Python exception
+    around its cleanup loop.
+
+  Verified via TDD: tests fail on greenlet 3.3.2 (UNGUARDED) and pass
+  with the fix (GUARDED) across Python 3.10–3.14.
+
+  This is distinct from the dealloc crash fixed in 3.2.5
+  (`PR #495
+  <https://github.com/python-greenlet/greenlet/pull/495>`_).
+  Backported from `PR #499
+  <https://github.com/python-greenlet/greenlet/pull/499>`_ by Nicolas
+  Bouvrette.
+
+- Fix ``test_dealloc_catches_GreenletExit_throws_other`` to use
+  ``sys.unraisablehook`` instead of stderr capture, making it work
+  with both pytest and unittest runners.
+
+- Fix ``test_version`` to skip gracefully when the local setuptools
+  version does not support PEP 639 SPDX license format.
 
 
 3.2.5 (2026-02-20)

setup.py

@@ -225,7 +225,7 @@ def get_greenlet_version():
         'Documentation': 'https://greenlet.readthedocs.io/',
         'Changes': 'https://greenlet.readthedocs.io/en/latest/changes.html',
     },
-    license="MIT AND Python-2.0",
+    license="MIT AND PSF-2.0",
     license_files=[
         'LICENSE',
         'LICENSE.PSF',

src/greenlet/CObjects.cpp

@@ -29,6 +29,9 @@ extern "C" {
 static PyGreenlet*
 PyGreenlet_GetCurrent(void)
 {
+    if (g_greenlet_shutting_down || Py_IsFinalizing()) {
+        return nullptr;
+    }
     return GET_THREAD_STATE().state().get_current().relinquish_ownership();
 }
 

src/greenlet/PyGreenlet.cpp

@@ -203,12 +203,10 @@ _green_dealloc_kill_started_non_main_greenlet(BorrowedGreenlet self)
     //
     // See: https://github.com/python-greenlet/greenlet/issues/411
     //      https://github.com/python-greenlet/greenlet/issues/351
-#if !GREENLET_PY311
-    if (_Py_IsFinalizing()) {
+    if (g_greenlet_shutting_down || Py_IsFinalizing()) {
         self->murder_in_place();
         return 1;
     }
-#endif
 
     /* Hacks hacks hacks copied from instance_dealloc() */
     /* Temporarily resurrect the greenlet. */

src/greenlet/PyModule.cpp

@@ -17,6 +17,28 @@ using greenlet::ThreadState;
 #    pragma clang diagnostic ignored "-Wunused-variable"
 #endif
 
+// _Py_IsFinalizing() is only set AFTER atexit handlers complete
+// inside Py_FinalizeEx on ALL Python versions (including 3.11+).
+// Code running in atexit handlers (e.g. uWSGI plugin cleanup
+// calling Py_FinalizeEx, New Relic agent shutdown) can still call
+// greenlet.getcurrent(), but by that time type objects or
+// internal state may have been invalidated.  This flag is set by
+// an atexit handler registered at module init (LIFO = runs first).
+int g_greenlet_shutting_down = 0;
+
+static PyObject*
+_greenlet_atexit_callback(PyObject* UNUSED(self), PyObject* UNUSED(args))
+{
+    g_greenlet_shutting_down = 1;
+    Py_RETURN_NONE;
+}
+
+static PyMethodDef _greenlet_atexit_method = {
+    "_greenlet_cleanup", _greenlet_atexit_callback,
+    METH_NOARGS, NULL
+};
+
+
 PyDoc_STRVAR(mod_getcurrent_doc,
              "getcurrent() -> greenlet\n"
              "\n"
@@ -26,6 +48,9 @@ PyDoc_STRVAR(mod_getcurrent_doc,
 static PyObject*
 mod_getcurrent(PyObject* UNUSED(module))
 {
+    if (g_greenlet_shutting_down || Py_IsFinalizing()) {
+        Py_RETURN_NONE;
+    }
     return GET_THREAD_STATE().state().get_current().relinquish_ownership_o();
 }
 

src/greenlet/TThreadState.hpp

@@ -1,6 +1,7 @@
 #ifndef GREENLET_THREAD_STATE_HPP
 #define GREENLET_THREAD_STATE_HPP
 
+#include <cstdlib>
 #include <ctime>
 #include <stdexcept>
 
@@ -22,6 +23,14 @@ using greenlet::refs::CreatedModule;
 using greenlet::refs::PyErrPieces;
 using greenlet::refs::NewReference;
 
+// Defined in PyModule.cpp; set by an atexit handler to signal
+// that the interpreter is shutting down.  Needed on ALL Python
+// versions because _Py_IsFinalizing() is only set AFTER atexit
+// handlers complete inside Py_FinalizeEx.  Code running in
+// atexit handlers (e.g. uWSGI plugin cleanup) needs this early
+// flag to avoid accessing partially-torn-down greenlet state.
+extern int g_greenlet_shutting_down;
+
 namespace greenlet {
 /**
  * Thread-local state of greenlets.
@@ -104,7 +113,13 @@ class ThreadState {
     /* Strong reference to the trace function, if any. */
     OwnedObject tracefunc;
 
-    typedef std::vector<PyGreenlet*, PythonAllocator<PyGreenlet*> > deleteme_t;
+    // Use std::allocator (malloc/free) instead of PythonAllocator
+    // (PyMem_Malloc) for the deleteme list.  During Py_FinalizeEx on
+    // Python < 3.11, the PyObject_Malloc pool that holds ThreadState
+    // can be disrupted, corrupting any PythonAllocator-backed
+    // containers.  Using std::allocator makes this vector independent
+    // of Python's allocator lifecycle.
+    typedef std::vector<PyGreenlet*> deleteme_t;
     /* A vector of raw PyGreenlet pointers representing things that need
        deleted when this thread is running. The vector owns the
        references, but you need to manually INCREF/DECREF as you use
@@ -120,7 +135,6 @@ class ThreadState {
 
     static std::clock_t _clocks_used_doing_gc;
     static ImmortalString get_referrers_name;
-    static PythonAllocator<ThreadState> allocator;
 
     G_NO_COPIES_OF_CLS(ThreadState);
 
@@ -146,15 +160,21 @@ class ThreadState {
 
 
 public:
-    static void* operator new(size_t UNUSED(count))
+    // Allocate ThreadState with malloc/free rather than Python's object
+    // allocator.  ThreadState outlives many Python objects and must
+    // remain valid throughout Py_FinalizeEx.  On Python < 3.11,
+    // PyObject_Malloc pools can be disrupted during early finalization,
+    // corrupting any C++ objects stored in them.
+    static void* operator new(size_t count)
     {
-        return ThreadState::allocator.allocate(1);
+        void* p = std::malloc(count);
+        if (!p) throw std::bad_alloc();
+        return p;
     }
 
     static void operator delete(void* ptr)
     {
-        return ThreadState::allocator.deallocate(static_cast<ThreadState*>(ptr),
-                                                 1);
+        std::free(ptr);
     }
 
     static void init()
@@ -283,33 +303,43 @@ class ThreadState {
     inline void clear_deleteme_list(const bool murder=false)
     {
         if (!this->deleteme.empty()) {
-            // It's possible we could add items to this list while
-            // running Python code if there's a thread switch, so we
-            // need to defensively copy it before that can happen.
-            deleteme_t copy = this->deleteme;
-            this->deleteme.clear(); // in case things come back on the list
+            // Move the list contents out with swap — a constant-time
+            // pointer exchange that never allocates.  The previous code
+            // used a copy (deleteme_t copy = this->deleteme) which
+            // allocated through PythonAllocator / PyMem_Malloc; that
+            // could SIGSEGV during early Py_FinalizeEx on Python < 3.11
+            // when the allocator is partially torn down.
+            deleteme_t copy;
+            std::swap(copy, this->deleteme);
+
+            // During Py_FinalizeEx cleanup, the GC or atexit handlers
+            // may have already collected objects in this list, leaving
+            // dangling pointers.  Attempting Py_DECREF on freed memory
+            // causes a SIGSEGV.  g_greenlet_shutting_down covers the
+            // early atexit phase; Py_IsFinalizing() covers later phases.
+            if (g_greenlet_shutting_down || Py_IsFinalizing()) {
+                return;
+            }
+
+            // Preserve any pending exception so that cleanup-triggered
+            // errors don't accidentally swallow an unrelated exception
+            // (e.g. one set by throw() before a switch).
+            PyErrPieces incoming_err;
+
             for(deleteme_t::iterator it = copy.begin(), end = copy.end();
                 it != end;
                 ++it ) {
                 PyGreenlet* to_del = *it;
                 if (murder) {
-                    // Force each greenlet to appear dead; we can't raise an
-                    // exception into it anymore anyway.
                     to_del->pimpl->murder_in_place();
                 }
-
-                // The only reference to these greenlets should be in
-                // this list, decreffing them should let them be
-                // deleted again, triggering calls to green_dealloc()
-                // in the correct thread (if we're not murdering).
-                // This may run arbitrary Python code and switch
-                // threads or greenlets!
                 Py_DECREF(to_del);
                 if (PyErr_Occurred()) {
                     PyErr_WriteUnraisable(nullptr);
                     PyErr_Clear();
                 }
             }
+            incoming_err.PyErrRestore();
         }
     }
 
@@ -370,8 +400,7 @@ class ThreadState {
         //
         // Python 3.11+ restructured interpreter finalization so that
         // these APIs remain safe during shutdown.
-#if !GREENLET_PY311
-        if (_Py_IsFinalizing()) {
+        if (g_greenlet_shutting_down || Py_IsFinalizing()) {
             this->tracefunc.CLEAR();
             if (this->current_greenlet) {
                 this->current_greenlet->murder_in_place();
@@ -380,7 +409,6 @@ class ThreadState {
             this->main_greenlet.CLEAR();
             return;
         }
-#endif
 
         // We should not have an "origin" greenlet; that only exists
         // for the temporary time during a switch, which should not
@@ -505,7 +533,6 @@ class ThreadState {
 };
 
 ImmortalString ThreadState::get_referrers_name(nullptr);
-PythonAllocator<ThreadState> ThreadState::allocator;
 std::clock_t ThreadState::_clocks_used_doing_gc(0);
 
 

src/greenlet/TThreadStateDestroy.cpp

@@ -177,11 +177,7 @@ struct ThreadState_DestroyNoGIL
         // segfault if we happen to get context switched, and maybe we should
         // just always implement our own AddPendingCall, but I'd like to see if
         // this works first
-#if GREENLET_PY313
-        if (Py_IsFinalizing()) {
-#else
-        if (_Py_IsFinalizing()) {
-#endif
+        if (g_greenlet_shutting_down || Py_IsFinalizing()) {
 #ifdef GREENLET_DEBUG
             // No need to log in the general case. Yes, we'll leak,
             // but we're shutting down so it should be ok.

src/greenlet/greenlet.cpp

@@ -232,6 +232,39 @@ greenlet_internal_mod_init() noexcept
         OwnedObject clocks_per_sec = OwnedObject::consuming(PyLong_FromSsize_t(CLOCKS_PER_SEC));
         m.PyAddObject("CLOCKS_PER_SEC", clocks_per_sec);
 
+        // Register an atexit handler that sets g_greenlet_shutting_down.
+        // Python's atexit is LIFO: registered last = called first.  By
+        // registering here (at import time, after most other libraries),
+        // our handler runs before their cleanup code, which may try to
+        // call greenlet.getcurrent() on objects whose type has been
+        // invalidated.  _Py_IsFinalizing() alone is insufficient on ALL
+        // Python versions because it is only set AFTER atexit handlers
+        // complete inside Py_FinalizeEx.
+        {
+            PyObject* atexit_mod = PyImport_ImportModule("atexit");
+            if (atexit_mod) {
+                PyObject* register_fn = PyObject_GetAttrString(atexit_mod, "register");
+                if (register_fn) {
+                    extern PyMethodDef _greenlet_atexit_method;
+                    PyObject* callback = PyCFunction_New(&_greenlet_atexit_method, NULL);
+                    if (callback) {
+                        PyObject* args = PyTuple_Pack(1, callback);
+                        if (args) {
+                            PyObject* result = PyObject_Call(register_fn, args, NULL);
+                            Py_XDECREF(result);
+                            Py_DECREF(args);
+                        }
+                        Py_DECREF(callback);
+                    }
+                    Py_DECREF(register_fn);
+                }
+                Py_DECREF(atexit_mod);
+            }
+            // Non-fatal: if atexit registration fails, we still have
+            // the _Py_IsFinalizing() fallback.
+            PyErr_Clear();
+        }
+
         /* also publish module-level data as attributes of the greentype. */
         // XXX: This is weird, and enables a strange pattern of
         // confusing the class greenlet with the module greenlet; with

src/greenlet/greenlet_cpython_compat.hpp

@@ -147,4 +147,12 @@ static inline void PyThreadState_LeaveTracing(PyThreadState *tstate)
 #  define Py_C_RECURSION_LIMIT C_RECURSION_LIMIT
 #endif
 
+// Py_IsFinalizing() became a public API in Python 3.13.
+// Map it to the private _Py_IsFinalizing() on older versions so all
+// call sites can use the standard name.  Remove this once greenlet
+// drops support for Python < 3.13.
+#if !GREENLET_PY313
+#  define Py_IsFinalizing() _Py_IsFinalizing()
+#endif
+
 #endif /* GREENLET_CPYTHON_COMPAT_H */

src/greenlet/greenlet_internal.hpp

@@ -46,6 +46,9 @@ greenlet::refs::MainGreenletExactChecker(void *p)
     if (!p) {
         return;
     }
+    if (g_greenlet_shutting_down || Py_IsFinalizing()) {
+        return;
+    }
     // We control the class of the main greenlet exactly.
     if (Py_TYPE(p) != &PyGreenlet_Type) {
         std::string err("MainGreenlet: Expected exactly a greenlet, not a ");