The script below segfaults cpython2.7. 
The cause is in BaseException_set_message(), which calls Py_XDECREF(self->message) and thus can call back into Python code with a dangling PyObject* pointer. Py_CLEAR should be used instead.


class Nasty(str):
    def __del__(self):
        del e.message

e = ValueError(Nasty("msg"))
e.args = ()
del e.message
del e

According to Amaury an IRC, replacing "Py_XDECREF(obj->attr); obj->attr = NULL;" pattern with "Py_CLEAR(obj->attr);" should fix the issue.

Instead of opening one issue per occurence of this pattern, it is possible to write a semantic patch to do the replace on the whole CPython project using the Coccinelle tool.
http://coccinelle.lip6.fr/

See for example attached py_clear.spatch semantic patch. Install coccinelle and run "spatch -in_place -sp_file py_clear.spatch -dir .". The result is the attached patch (python2.7_pyclear.patch). The patch is huge!

 Mac/Modules/_scproxy.c                   |    2 +-
 Mac/Modules/carbonevt/_CarbonEvtmodule.c |    3 +-
 Mac/Modules/list/_Listmodule.c           |    3 +-
 Modules/_bsddb.c                         |   48 ++++---------
 Modules/_ctypes/_ctypes.c                |   18 +---
 Modules/_elementtree.c                   |    8 +-
 Modules/_hotshot.c                       |    3 +-
 Modules/_localemodule.c                  |    3 +-
 Modules/_sqlite/connection.c             |    6 +-
 Modules/_sqlite/cursor.c                 |   12 +--
 Modules/_tkinter.c                       |    6 +-
 Modules/almodule.c                       |    3 +-
 Modules/binascii.c                       |   21 ++----
 Modules/bz2module.c                      |   12 +--
 Modules/cPickle.c                        |    3 +-
 Modules/cdmodule.c                       |   18 +---
 Modules/cjkcodecs/multibytecodec.c       |    3 +-
 Modules/datetimemodule.c                 |   12 +--
 Modules/flmodule.c                       |   12 +--
 Modules/fmmodule.c                       |    3 +-
 Modules/nismodule.c                      |    3 +-
 Modules/posixmodule.c                    |   33 +++------
 Modules/pyexpat.c                        |    6 +-
 Modules/readline.c                       |    7 +-
 Modules/selectmodule.c                   |    3 +-
 Modules/signalmodule.c                   |    9 +-
 Modules/svmodule.c                       |    3 +-
 Modules/syslogmodule.c                   |    3 +-
 Modules/zlibmodule.c                     |   18 +---
 Objects/abstract.c                       |    6 +-
 Objects/classobject.c                    |   18 +---
 Objects/descrobject.c                    |    3 +-
 Objects/exceptions.c                     |    3 +-
 Objects/fileobject.c                     |   12 +--
 Objects/frameobject.c                    |    3 +-
 Objects/genobject.c                      |    3 +-
 Objects/longobject.c                     |    3 +-
 Objects/object.c                         |    6 +-
 Objects/stringobject.c                   |   12 +--
 Objects/tupleobject.c                    |    6 +-
 Objects/typeobject.c                     |   12 +--
 Objects/unicodeobject.c                  |   12 +--
 Python/Python-ast.c                      |  381 ++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------------------
 Python/bltinmodule.c                     |   12 +--
 Python/errors.c                          |    3 +-
 Python/import.c                          |    6 +-
 Python/marshal.c                         |   12 +--
 Python/modsupport.c                      |    3 +-
 Python/structmember.c                    |    3 +-
 Python/sysmodule.c                       |    9 +-
 RISCOS/Modules/drawfmodule.c             |    2 +-
 RISCOS/Modules/swimodule.c               |    2 +-
 52 files changed, 275 insertions(+), 541 deletions(-)

The "spatch" doesn't match the following macro:

Modules/_testcapimodule.c:#define UNBIND(X)  Py_DECREF(X); (X) = NULL

--


Python/Python-ast.c is autogenerated from Parser/asdl_c.py, the .py file should be fixed instead.

python27_pyclear.patch does fix the use case described in msg175203, but it doesn't fix #16447.

py_clear.spatch	replaces:
  Py_DECREF(obj->attr); obj->attr = NULL;
but also:
  Py_DECREF(obj); obj = NULL;

If the second pattern is not dangerous, py_clear.spatch can be modified to only match the first pattern: see py_decref_replace.spatch of issue #16447 for an example.

The Coccinelle looks as an amazing tool!

I propose split a patch on several patches (autogenerated code, attributes clearing, other pointer expressions (as *exceptionObject or unicode_latin1[i]) clearing, and local pointers clearing at the end) and commit they separately.

Victor, I will be glad to review any related patches, but please split the patch on several patches, from most undoubted to more sophisticated patterns.

Can I suggest fixing this particular issue with a dedicated patch, and opening another issue to consider the large automated replacements that Victor's proposing?

Here's a simple patch (against 2.7) for this particular issue.

> Here's a simple patch (against 2.7) for this particular issue.

LGTM.

New changeset 0e41c4466d58 by Mark Dickinson in branch '2.7':
Issue #16445: Fix potential segmentation fault when deleting an exception message.
http://hg.python.org/cpython/rev/0e41c4466d58

It looks as if this issue can be closed as a fix has been committed.  However a new issue will be needed if the advice offered in msg181839 is followed.

This looks like it is fixed by Mark's commit. Other proposals should go into separate issues.