The `replace` method of `code` allows setting e.g.
* co_filename to a subclass of str
* co_consts to an arbitrary tuple
and possibly more weird cases.

This makes code objects unmarshallable.

One way to create such a code object is to call `compileall.compile_file` with a str subclass as path. See the attached reproducers.

This hit pip, see: https://github.com/pypa/pip/pull/10358#issuecomment-914320728

How to fix this? I guess:

* co_filename should be converted to an actual str, or reject subclasses with an exception
* for co_consts, the [marshal docs] could be updated to add code objects to "containers". The [code docs] already say co_consts "is a tuple containing the literals"; if someone's putting in non-literals they're voiding the warranty.

And so on for all other fields of code objects.

[marshal docs]: https://docs.python.org/3/library/marshal.html
[code docs]: https://docs.python.org/3.9/reference/datamodel.html#index-55

See also bpo-42839