When the set is not empty and set.update() argument is set that is modified during merging, the crash is caused. Here is a test that reproduces a crash. Only Python 3.5+ is affected.

LGTM for 3.5.

But 3.6 has other bug. Changeset 637e197be547 looks incorrect to me. key should be increfed before calling PyObject_RichCompareBool() for the same reason as startkey.

Can you produce a test case?

Perhaps the incref/decref pair ought to be moved into PyObject_RichCompareBool(). It doesn't make much sense for the callers to do the work.

The same test is crashed in 3.6 even with index_to_entry.diff.

./python -m test.regrtest -F -m test_merge_and_mutate test_set

Perhaps the incref/decref pair ought to be moved into PyObject_RichCompareBool().

This wouldn't help because key can be used after PyObject_RichCompareBool().

intermediary.diff LGTM.

New changeset 5c3812412b6f by Raymond Hettinger in branch '3.5':
Issue bpo-24583: Fix crash when set is mutated while being updated.
https://hg.python.org/cpython/rev/5c3812412b6f

New changeset 05cb67dab161 by Raymond Hettinger in branch 'default':
Issue bpo-24583: Fix crash when set is mutated while being updated.
https://hg.python.org/cpython/rev/05cb67dab161

5c3812412b6f caused a refleak.

$ ./python -m test.regrtest -uall -R 3:3 test_set
[1/1] test_set
beginning 6 repetitions
123456
......
test_set leaked [23561, 24961, 23961] references, sum=72483
test_set leaked [785, 787, 787] memory blocks, sum=2359
1 test failed:
    test_set

Proposed patch fixes this.

3.6 only. Correct?

New changeset acb5b177dd4e by Raymond Hettinger in branch 'default':
Issue bpo-24583: Fix refcount leak.
https://hg.python.org/cpython/rev/acb5b177dd4e

AFAIK 3.5+ (not tested).

Added a patch to neaten it up a bit by naming the exit conditions and avoiding the unnecessary extra incref/decref pair around the resize call.

Added a variant patch that brings the steps together in a more logical manner (single entry point at the top and the named exits at the bottom, brings refcount adjustment logic together in a more coherent way). The "restart" target is done the same way as the "top" target in dictobject.c. Added a comment explaining why the pre-increment is necessary.

Both variants LGTM. But set_self_contained.diff seems better.

I suppose this is 3.6 only.

New changeset 3f2c12c0abdb by Raymond Hettinger in branch 'default':
Issue bpo-24583: Consolidate previous set object updates into a single function
https://hg.python.org/cpython/rev/3f2c12c0abdb