Bug 791280

Summary: Memory leaks and crasher in sphinx3_get_hypothesis found in cmusphinx3-0.8-10.fc17 using gcc-with-cpychecker static analyzer
Product: [Fedora] Fedora Reporter: Dave Malcolm <dmalcolm>
Component: cmusphinx3Assignee: Jerry James <loganjerry>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: loganjerry
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-02-16/cmusphinx3-0.8-10.fc17/
Whiteboard:
Fixed In Version: cmusphinx3-0.8-11.fc17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-28 10:58:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 789472    

Description Dave Malcolm 2012-02-16 16:22:04 UTC 
Description of problem:
I've been writing an experimental static analysis tool to detect bugs commonly occurring within C Python extension modules:
  https://fedorahosted.org/gcc-python-plugin/
  http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html
  http://fedoraproject.org/wiki/Features/StaticAnalysisOfPythonRefcounts

I ran the latest version of the tool (in git master; post 0.9) on
cmusphinx3-0.8-10.fc17.src.rpm, and it reports various errors.

You can see a list of errors here, triaged into categories (from most significant to least significant):
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-02-16/cmusphinx3-0.8-10.fc17/

The two reported reference leaks appear to be genuine bugs: in this code:
   231    return Py_BuildValue("(OO)", hypstr_obj, hypseg_obj);
both hypstr_obj and hypseg_obj are references owned by the function.

The "O" format codes to Py_BuildValue build the 2-tuple by adding additional references.  It should instead use the "N" format code to transfer ownership of the owned references to the new tuple.  See:
  http://docs.python.org/c-api/arg.html#Py_BuildValue

The reported "Segfaults within error-handling paths" appears to also be a genuine bug: there isn't any checking for the possibility that this call:
  206 	hypseg_obj = PyTuple_New(nhyps);
fails (e.g. under low-memory conditions), returning NULL, and this pointer is then written through at:
  228 		PyTuple_SET_ITEM(hypseg_obj, i, seg_obj);

There may of course be other bugs in my checker tool.

Hope this is helpful; let me know if you need help reading the logs that the tool generates - I know that it could use some improvement.

Version-Release number of selected component (if applicable):
cmusphinx3-0.8-10.fc17
gcc-python-plugin post-0.9 git 073d390de53ef52136bd90e5ac06f1ef833d047d running the checker in an *f16* chroot
Comment 1 Jerry James 2012-02-16 16:33:53 UTC 
Ah, very cool.  I'm a big fan of static analysis tools myself.  I'll forward your report upstream and work with them to fix these bugs.  Thanks!
Comment 2 Jerry James 2012-02-17 18:28:40 UTC 
A patch to fix both issues was accepted upstream.  I'll apply the patch and rebuild.  Thanks again.
Comment 3 Fedora Update System 2012-02-17 20:36:57 UTC 
cmusphinx3-0.8-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/cmusphinx3-0.8-11.fc17
Comment 4 Fedora Update System 2012-02-18 02:24:56 UTC 
Package cmusphinx3-0.8-11.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cmusphinx3-0.8-11.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1945/cmusphinx3-0.8-11.fc17
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-02-28 10:58:48 UTC 
cmusphinx3-0.8-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.