It appears that there is some issue with method resolution. When using _io.TextIOWrapper, it's fine but not when using _io._TextIOBase.

Note: _io.TextIOWrapper.detach is a different function by the way.
Note 2: It actually happens with all method descriptors of _TextIOBase.

This also crashes:

import io, _io
_io._TextIOBase.read.__get__(io.StringIO())

It appears that there is some issue with method resolution. When using _io.TextIOWrapper, it's fine but not when using _io._TextIOBase.

As I understand it, the _TextIOBase class is an abstract class because it inherits from the abstract IOBase class and does not implement all of its methods. TextIOWrapper, on the other hand, implements all the methods of the parent abstract class and executes its methods directly.

Actually, I'm not sure about the resolution. It's as if there was a missing tp_flag somewhere or something else. It doesn't seem to occur with other static types. I don't have time to investigate though.

In addition to _TextIOBase, the _IOBase, _BufferedIOBase, BufferedReader and BufferedWriter classes are also affected.

Example: import io, _io; _io._IOBase.truncate.__get__(io.StringIO()).

From what I can tell, this is a nasty bug related to descriptors themselves, not _io. You can trigger the same crash with _queue, for example:

import _queue
print(_queue.SimpleQueue.get.__get__(_queue.SimpleQueue()))

This seems to affect all heap types with methods. The issue is that method_get doesn't expect the type to be NULL. I think we just need a guard.

I'm really suprised that nobody noticed this for this long.

I guess nobody noticed this bug before because nobody calls those __get__ methods with only one argument. I only found it accidentally by running Python code that calls all the non-Python __get__ methods it can find on objects in memory, without passing the second argument.

Thanks for the report @Changaco and the fix @ZeroIntensity