While code.__new__ is being audited, using marshal.loads to create a code object will trigger no events. Therefore, either marshal.load(s) event itself should be audited, or code.__new__ should be triggered when marshal type is TYPE_CODE.

Considering that importing from a pyc file also relys on unmarshalling code objects, and they have already been audited as import, I'm also wondering if auditing twice should be avoided for performance.

I like using the existing event for unmarshalling code objects, assuming we have all the arguments available.

I'm not sure whether it's worth auditing all marshal.load() calls (just as we don't audit all pickle.load() calls). But depending on the code paths we may not have a choice.

Auditing the .pyc import twice (or more) is basically unavoidable, but it's not terrible anyway. When no hooks are set, it's negligible impact, and when someone adds a hook they are in control of how much work it does. Providing both events means they can choose to only handle one and still get the coverage.

Marking this as easy (C), since the hardest part is just going to be finding the right place to add the PySys_Audit call.

Actually, a quick search of codeobject.c and a look at tkmk's PR makes it seem like the audit event should be being raised from inside PyCode_NewWithPosOnlyArgs anyway (which IIRC didn't exist when I first added the event, though it was probably there before it was merged).

In general, events should be raised after parameters have been validated, but before any work is done. And when all the other calls feed through a single function, just auditing that one function is enough.

Before this, we only audit code.__new__ and code.replace, as these methods allow constructing arbitrary code objects, and we don't audit code object coming from the normal way (like compile,exec,eval).
If the event is raised in PyCode_NewWithPosOnlyArgs, is it ok that the compiled code is also audited?

Ah, you're right. Thanks for double checking me :)

I'll merge the PR and do the backports. Thanks!

New changeset d160e0f by tkmikan in branch 'master':
bpo-41180: Audit code.__new__ when unmarshalling (GH-21271)
d160e0f

New changeset c1d9165 by Miss Islington (bot) in branch '3.8':
bpo-41180: Audit code.__new__ when unmarshalling (GH-21271)
c1d9165

New changeset 1c77654 by Miss Islington (bot) in branch '3.9':
bpo-41180: Audit code.__new__ when unmarshalling (GH-21271)
1c77654

I'm going to revert this and replace it with a marshal.loads (and dumps) event instead.

The performance impact on loading .pyc files is too great, as it triggers the hook for each function. Without severely modifying importlib we can't bypass the call that's accessible to Python code, and the important part to detect is marshal calls outside of regular imports.

And wanted to mention that Yunfan Zhan suggested adding these events originally and I chose to go the other way. So my bad, and let's get it right now!

New changeset 139de04 by Steve Dower in branch 'main':
bpo-41180: Replace marshal code.__new__ audit event with marshal.load[s] and marshal.dumps (GH-26961)
139de04

New changeset a5764d3 by Steve Dower in branch '3.10':
bpo-41180: Replace marshal code.__new__ audit event with marshal.load[s] and marshal.dumps (GH-26970)
a5764d3

New changeset 863e3d5 by Steve Dower in branch '3.9':
bpo-41180: Replace marshal code.__new__ audit event with marshal.load[s] and marshal.dumps (GH-26971)
863e3d5

New changeset 95919b0 by Steve Dower in branch 'main':
bpo-41180: Fixes documentation to specify correct event name and add versionchanged (GH-26972)
95919b0