In function convert_integral_to_int() in file Objects/abstract.c integral double decrefed and dereferenced after decrefing if returned value of __int__() is not int. Python 3.3 only affected.

Here is a patch.

Nice catch!  And indeed, the following code generates a segfault on my machine:


    class B(object):
        def __int__(self):
            return 43.0

    class A(object):
        def __trunc__(self):
            return B()

    int(A())


The patch should probably include a regression test.

> And indeed, the following code generates a segfault on my machine:

I was going to give similar example and assign crash type to issue, but on my machine it does not generate a segfault.

> The patch should probably include a regression test.

Someone borrowed Guido's time machine and have already done this test (see NonIntegral in Lib/test/test_int.py).

That test doesn't look quite the same, though:  the return value of __trunc__ is an object that has __trunc__ rather than __int__.  And all the existing tests pass on my machine without issues.

Here's patch that adds a regression test.

Ah, it generates a segfault in debug mode.

LGTM.

New changeset 690287f8ea95 by Mark Dickinson in branch 'default':
Issue #16060: Fix a double DECREF in int() implementation.  Thanks Serhiy Storchaka.
http://hg.python.org/cpython/rev/690287f8ea95

Applied.  Thanks!

I'm not sure whether this is worthy of inclusion in Python 3.3.0;  on one hand, it's a segfault from core Python.  On the other, it doesn't look that easy to trigger by accident.

On balance, I'd say it's safe to wait for Python 3.3.1 for this.  Adding Georg to the nosy in case he disagrees.

Serhiy, I wonder how you found this :)

> Serhiy, I wonder how you found this :)

I just looked at the code for issue16036.

Applied: d23eb81bd482.

New changeset d23eb81bd482 by Mark Dickinson in branch 'default':
Issue #16060: Fix a double DECREF in int() implementation.  Thanks Serhiy Storchaka.
http://hg.python.org/cpython/rev/d23eb81bd482