Following script crashes all versions of Python. Cause is the "Py_DECREF(et->ht_name)" in type_set_name().

class Nasty(str):
    def __del__(self):
        C.__name__ = "other"
class C(object):
    pass
C.__name__ = Nasty("abc")
C.__name__ = "normal"

It looks like the bug is the pattern "Py_DECREF(obj->attr); obj->attr = new_value;". Replacing it with "{ PyObject *tmp = obj->attr; obj->attr = new_value; Py_DECREF(tmp); }" does fix this specific issue.

We can use the coccinelle tool to replace all such patterns in the whole CPython code base using attached py_decref_replace.spatch "semantic patch". See also issue bpo-16445, I proposed a similar idea (and another semantic patch).

Attached python27_decref_replace.patch patch is the result of the command "spatch -in_place -sp_file py_decref_replace.spatch -dir .".

The patch is quite huge, I didn't read it yet :-)

Mac/Modules/carbonevt/_CarbonEvtmodule.c | 7 +++++--
Mac/Modules/list/_Listmodule.c | 7 +++++--
Modules/_bsddb.c | 42 ++++++++++++++++++++++++++++++------------
Modules/_csv.c | 7 +++++--
Modules/_ctypes/_ctypes.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------
Modules/_curses_panel.c | 7 +++++--
Modules/_elementtree.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------
Modules/_json.c | 7 +++++--
Modules/_sqlite/connection.c | 28 ++++++++++++++++++++--------
Modules/_sqlite/cursor.c | 42 ++++++++++++++++++++++++++++++------------
Modules/bz2module.c | 9 +++++----
Modules/cPickle.c | 36 +++++++++++++++++++++++++++---------
Modules/flmodule.c | 28 ++++++++++++++++++++--------
Modules/itertoolsmodule.c | 7 +++++--
Modules/selectmodule.c | 7 +++++--
Modules/signalmodule.c | 7 +++++--
Modules/svmodule.c | 7 +++++--
Modules/zlibmodule.c | 23 +++++++++++++++--------
Objects/descrobject.c | 7 +++++--
Objects/exceptions.c | 21 +++++++++++++++------
Objects/fileobject.c | 14 ++++++++++----
Objects/funcobject.c | 7 +++++--
Objects/typeobject.c | 21 +++++++++++++++------
Python/ceval.c | 7 +++++--
Python/sysmodule.c | 7 +++++--
25 files changed, 382 insertions(+), 152 deletions(-)

We should maybe use a macro (ex: Py_DECREC_REPLACE) instead of copying the pattern "{ PyObject *tmp = obj->attr; obj->attr = new_value; Py_DECREF(tmp); }".

Yes, the macro appropriate here.

In Modules/zlibmodule.c this patterns should be fixed by patch for bpo-16350.

• For the replacement with NULL, Py_CLEAR() should be used instead.

• We should use a macro (Py_REF_ASSIGN?) for the replacement case.

• Careful, in Modules/_json.c the code is wrong because tmp is already used::

        PyObject *tmp = PyUnicode_AsEncodedString(...);
        {
            PyObject *tmp = s->encoding;
            s->encoding = tmp;
            Py_DECREF(tmp);
        }

Yes, we should add a "Py_REPLACE()" macro. Sure. +1 to that.

With this issue in mind, I wonder if there is any situation where "Py_DECREF/Py_XDECREF" must be used that can not be replace with "Py_CLEAR/Py_REPLACE".

Is there any code that breaks if we replace "Py_XDECREF()" by "Py_CLEAR()"?. Could be possible even to replace Py_DECREF definition?.

Patch for the immediate issue, for Python 2.7. The Py_DECREF is delayed until after setting *both* ht_name and tp_name.

And the corresponding patch against 3.2 (applies cleanly to 3.3 and default, modulo Misc/NEWS fixes).

New changeset d5e5017309b1 by Mark Dickinson in branch '2.7':
Issue bpo-16447: Fix potential segfault when setting __name__ on a class.
http://hg.python.org/cpython/rev/d5e5017309b1

New changeset e6d1328412c8 by Mark Dickinson in branch '3.3':
Issue bpo-16447: Fix potential segfault when setting __name__ on a class.
http://hg.python.org/cpython/rev/e6d1328412c8

New changeset c8d771f10022 by Mark Dickinson in branch 'default':
Issue bpo-16447: Merge fix from 3.3.
http://hg.python.org/cpython/rev/c8d771f10022

Fixed.