homepage

The script below segfaults cpython2.7. 
The cause is in BaseException_set_message(), which calls Py_XDECREF(self->message) and thus can call back into Python code with a dangling PyObject* pointer. Py_CLEAR should be used instead.
class Nasty(str):
 def __del__(self):
 del e.message
e = ValueError(Nasty("msg"))
e.args = ()
del e.message
del e

According to Amaury an IRC, replacing "Py_XDECREF(obj->attr); obj->attr = NULL;" pattern with "Py_CLEAR(obj->attr);" should fix the issue.
Instead of opening one issue per occurence of this pattern, it is possible to write a semantic patch to do the replace on the whole CPython project using the Coccinelle tool.
http://coccinelle.lip6.fr/
See for example attached py_clear.spatch semantic patch. Install coccinelle and run "spatch -in_place -sp_file py_clear.spatch -dir .". The result is the attached patch (python2.7_pyclear.patch). The patch is huge!
 Mac/Modules/_scproxy.c | 2 +-
 Mac/Modules/carbonevt/_CarbonEvtmodule.c | 3 +-
 Mac/Modules/list/_Listmodule.c | 3 +-
 Modules/_bsddb.c | 48 ++++---------
 Modules/_ctypes/_ctypes.c | 18 +---
 Modules/_elementtree.c | 8 +-
 Modules/_hotshot.c | 3 +-
 Modules/_localemodule.c | 3 +-
 Modules/_sqlite/connection.c | 6 +-
 Modules/_sqlite/cursor.c | 12 +--
 Modules/_tkinter.c | 6 +-
 Modules/almodule.c | 3 +-
 Modules/binascii.c | 21 ++----
 Modules/bz2module.c | 12 +--
 Modules/cPickle.c | 3 +-
 Modules/cdmodule.c | 18 +---
 Modules/cjkcodecs/multibytecodec.c | 3 +-
 Modules/datetimemodule.c | 12 +--
 Modules/flmodule.c | 12 +--
 Modules/fmmodule.c | 3 +-
 Modules/nismodule.c | 3 +-
 Modules/posixmodule.c | 33 +++------
 Modules/pyexpat.c | 6 +-
 Modules/readline.c | 7 +-
 Modules/selectmodule.c | 3 +-
 Modules/signalmodule.c | 9 +-
 Modules/svmodule.c | 3 +-
 Modules/syslogmodule.c | 3 +-
 Modules/zlibmodule.c | 18 +---
 Objects/abstract.c | 6 +-
 Objects/classobject.c | 18 +---
 Objects/descrobject.c | 3 +-
 Objects/exceptions.c | 3 +-
 Objects/fileobject.c | 12 +--
 Objects/frameobject.c | 3 +-
 Objects/genobject.c | 3 +-
 Objects/longobject.c | 3 +-
 Objects/object.c | 6 +-
 Objects/stringobject.c | 12 +--
 Objects/tupleobject.c | 6 +-
 Objects/typeobject.c | 12 +--
 Objects/unicodeobject.c | 12 +--
 Python/Python-ast.c | 381 ++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------------------
 Python/bltinmodule.c | 12 +--
 Python/errors.c | 3 +-
 Python/import.c | 6 +-
 Python/marshal.c | 12 +--
 Python/modsupport.c | 3 +-
 Python/structmember.c | 3 +-
 Python/sysmodule.c | 9 +-
 RISCOS/Modules/drawfmodule.c | 2 +-
 RISCOS/Modules/swimodule.c | 2 +-
 52 files changed, 275 insertions(+), 541 deletions(-)

The "spatch" doesn't match the following macro:
Modules/_testcapimodule.c:#define UNBIND(X) Py_DECREF(X); (X) = NULL
--
Python/Python-ast.c is autogenerated from Parser/asdl_c.py, the .py file should be fixed instead.

python27_pyclear.patch does fix the use case described in msg175203, but it doesn't fix #16447.

py_clear.spatch	replaces:
 Py_DECREF(obj->attr); obj->attr = NULL;
but also:
 Py_DECREF(obj); obj = NULL;
If the second pattern is not dangerous, py_clear.spatch can be modified to only match the first pattern: see py_decref_replace.spatch of issue #16447 for an example.

The Coccinelle looks as an amazing tool!
I propose split a patch on several patches (autogenerated code, attributes clearing, other pointer expressions (as *exceptionObject or unicode_latin1[i]) clearing, and local pointers clearing at the end) and commit they separately.

Victor, I will be glad to review any related patches, but please split the patch on several patches, from most undoubted to more sophisticated patterns.

Can I suggest fixing this particular issue with a dedicated patch, and opening another issue to consider the large automated replacements that Victor's proposing?

Here's a simple patch (against 2.7) for this particular issue.

> Here's a simple patch (against 2.7) for this particular issue.
LGTM.

New changeset 0e41c4466d58 by Mark Dickinson in branch '2.7':
Issue #16445: Fix potential segmentation fault when deleting an exception message.
http://hg.python.org/cpython/rev/0e41c4466d58 

It looks as if this issue can be closed as a fix has been committed. However a new issue will be needed if the advice offered in msg181839 is followed.

This looks like it is fixed by Mark's commit. Other proposals should go into separate issues.