homepage

Following script crashes all versions of Python. Cause is the "Py_DECREF(et->ht_name)" in type_set_name().
class Nasty(str):
 def __del__(self):
 C.__name__ = "other"
class C(object):
 pass
C.__name__ = Nasty("abc")
C.__name__ = "normal"

It looks like the bug is the pattern "Py_DECREF(obj->attr); obj->attr = new_value;". Replacing it with "{ PyObject *tmp = obj->attr; obj->attr = new_value; Py_DECREF(tmp); }" does fix this specific issue.
We can use the coccinelle tool to replace all such patterns in the whole CPython code base using attached py_decref_replace.spatch "semantic patch". See also issue #16445, I proposed a similar idea (and another semantic patch).
Attached python27_decref_replace.patch patch is the result of the command "spatch -in_place -sp_file py_decref_replace.spatch -dir .".
The patch is quite huge, I didn't read it yet :-)
 Mac/Modules/carbonevt/_CarbonEvtmodule.c | 7 +++++--
 Mac/Modules/list/_Listmodule.c | 7 +++++--
 Modules/_bsddb.c | 42 ++++++++++++++++++++++++++++++------------
 Modules/_csv.c | 7 +++++--
 Modules/_ctypes/_ctypes.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------
 Modules/_curses_panel.c | 7 +++++--
 Modules/_elementtree.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------------------
 Modules/_json.c | 7 +++++--
 Modules/_sqlite/connection.c | 28 ++++++++++++++++++++--------
 Modules/_sqlite/cursor.c | 42 ++++++++++++++++++++++++++++++------------
 Modules/bz2module.c | 9 +++++----
 Modules/cPickle.c | 36 +++++++++++++++++++++++++++---------
 Modules/flmodule.c | 28 ++++++++++++++++++++--------
 Modules/itertoolsmodule.c | 7 +++++--
 Modules/selectmodule.c | 7 +++++--
 Modules/signalmodule.c | 7 +++++--
 Modules/svmodule.c | 7 +++++--
 Modules/zlibmodule.c | 23 +++++++++++++++--------
 Objects/descrobject.c | 7 +++++--
 Objects/exceptions.c | 21 +++++++++++++++------
 Objects/fileobject.c | 14 ++++++++++----
 Objects/funcobject.c | 7 +++++--
 Objects/typeobject.c | 21 +++++++++++++++------
 Python/ceval.c | 7 +++++--
 Python/sysmodule.c | 7 +++++--
 25 files changed, 382 insertions(+), 152 deletions(-)

We should maybe use a macro (ex: Py_DECREC_REPLACE) instead of copying the pattern "{ PyObject *tmp = obj->attr; obj->attr = new_value; Py_DECREF(tmp); }".

Yes, the macro appropriate here.
In Modules/zlibmodule.c this patterns should be fixed by patch for issue16350.

- For the replacement with NULL, Py_CLEAR() should be used instead.
- We should use a macro (Py_REF_ASSIGN?) for the replacement case.
- Careful, in Modules/_json.c the code is wrong because tmp is already used::
 PyObject *tmp = PyUnicode_AsEncodedString(...);
 {
 PyObject *tmp = s->encoding;
 s->encoding = tmp;
 Py_DECREF(tmp);
 }

Yes, we should add a "Py_REPLACE()" macro. Sure. +1 to that.
With this issue in mind, I wonder if there is any situation where "Py_DECREF/Py_XDECREF" must be used that can not be replace with "Py_CLEAR/Py_REPLACE".
Is there any code that breaks if we replace "Py_XDECREF()" by "Py_CLEAR()"?. Could be possible even to replace Py_DECREF definition?.

Patch for the immediate issue, for Python 2.7. The Py_DECREF is delayed until after setting *both* ht_name and tp_name.

And the corresponding patch against 3.2 (applies cleanly to 3.3 and default, modulo Misc/NEWS fixes).

New changeset d5e5017309b1 by Mark Dickinson in branch '2.7':
Issue #16447: Fix potential segfault when setting __name__ on a class.
http://hg.python.org/cpython/rev/d5e5017309b1 

New changeset e6d1328412c8 by Mark Dickinson in branch '3.3':
Issue #16447: Fix potential segfault when setting __name__ on a class.
http://hg.python.org/cpython/rev/e6d1328412c8
New changeset c8d771f10022 by Mark Dickinson in branch 'default':
Issue #16447: Merge fix from 3.3.
http://hg.python.org/cpython/rev/c8d771f10022 

Fixed.