From 40800198bd42ea0d56d0ea390138ecf1f7bab715 Mon Sep 17 00:00:00 2001
From: lipengyu
Date: Thu, 28 May 2026 16:12:01 +0800
Subject: [PATCH] Fix _PyCode_New() failure cleanup for co_tlbc and replacement_locations
---
 Objects/codeobject.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/Objects/codeobject.c b/Objects/codeobject.c
index 4ede8de6e8adc5f..24e8964658f2ae5 100644
--- a/Objects/codeobject.c
+++ b/Objects/codeobject.c
@@ -744,6 +744,7 @@ _PyCode_New(struct _PyCodeConstructor *con)
 }

 if (init_code(co, con) < 0) {
+ Py_XDECREF(replacement_locations);
 Py_DECREF(co);
 return NULL;
 }
@@ -2451,13 +2452,15 @@ code_dealloc(PyObject *self)
 #ifdef Py_GIL_DISABLED
 // The first element always points to the mutable bytecode at the end of
 // the code object, which will be freed when the code object is freed.
- for (Py_ssize_t i = 1; i < co->co_tlbc->size; i++) {
- char *entry = co->co_tlbc->entries[i];
- if (entry != NULL) {
- PyMem_Free(entry);
+ if (co->co_tlbc != NULL) {
+ for (Py_ssize_t i = 1; i < co->co_tlbc->size; i++) {
+ char *entry = co->co_tlbc->entries[i];
+ if (entry != NULL) {
+ PyMem_Free(entry);
+ }
 }
+ PyMem_Free(co->co_tlbc);
 }
- PyMem_Free(co->co_tlbc);
 #endif
 PyObject_Free(co);
 }
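Review bot: The cleanup order in the `init_code()` failure branch relies on an ownership fact this hunk does not show: `Py_XDECREF(replacement_locations);` runs before `Py_DECREF(co);`, which is only safe if the partially built `co` holds its own strong reference to anything it stored from that object. Releasing the dependent object first (`Py_DECREF(co);` then `Py_XDECREF(replacement_locations);`) makes the teardown independent of that assumption. A one-line comment such as `// we still own replacement_locations here; co has its own reference if it stored one (confirm in init_code)` would record the rule. `_PyCode_New()` starts and ends outside the hunk, so any other early return between the assignment of `replacement_locations` and this branch could not be checked for the same leak.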
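Review bot: The new `if (co->co_tlbc != NULL)` guard in `code_dealloc` only protects the failure path if `co_tlbc` is reliably NULL whenever `init_code()` bails out before allocating it, and nothing visible here shows the field being cleared when the object is created. If the code object comes from an allocator that does not zero its memory, the guard would test an indeterminate pointer, and the loop and `PyMem_Free(co->co_tlbc)` would then operate on garbage. Setting `co->co_tlbc = NULL;` before the first failure exit in `init_code()` (or immediately after allocation in `_PyCode_New()`) would close that gap. Other members released earlier in `code_dealloc`, outside this hunk, deserve the same check for partially initialised objects. A comment above the guard, e.g. `// co_tlbc is NULL when init_code() failed before allocating it`, would explain why the test exists.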