Bug 791280 - Memory leaks and crasher in sphinx3_get_hypothesis found in cmusphinx3-0.8-10.fc17 using gcc-with-cpychecker static analyzer
Memory leaks and crasher in sphinx3_get_hypothesis found in cmusphinx3-0.8-10...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: cmusphinx3 (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jerry James
Fedora Extras Quality Assurance
http://fedorapeople.org/~dmalcolm/gcc...
:
Depends On:
Blocks: cpychecker
  Show dependency treegraph
 
Reported: 2012-02-16 11:22 EST by Dave Malcolm
Modified: 2012-02-28 05:58 EST (History)
1 user (show)

See Also:
Fixed In Version: cmusphinx3-0.8-11.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-28 05:58:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dave Malcolm 2012-02-16 11:22:04 EST
Description of problem:
I've been writing an experimental static analysis tool to detect bugs commonly occurring within C Python extension modules:
  https://fedorahosted.org/gcc-python-plugin/
  http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html
  http://fedoraproject.org/wiki/Features/StaticAnalysisOfPythonRefcounts

I ran the latest version of the tool (in git master; post 0.9) on
cmusphinx3-0.8-10.fc17.src.rpm, and it reports various errors.

You can see a list of errors here, triaged into categories (from most significant to least significant):
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-02-16/cmusphinx3-0.8-10.fc17/

The two reported reference leaks appear to be genuine bugs: in this code:
   231    return Py_BuildValue("(OO)", hypstr_obj, hypseg_obj);
both hypstr_obj and hypseg_obj are references owned by the function.

The "O" format codes to Py_BuildValue build the 2-tuple by adding additional references.  It should instead use the "N" format code to transfer ownership of the owned references to the new tuple.  See:
  http://docs.python.org/c-api/arg.html#Py_BuildValue

The reported "Segfaults within error-handling paths" appears to also be a genuine bug: there isn't any checking for the possibility that this call:
  206 	hypseg_obj = PyTuple_New(nhyps);
fails (e.g. under low-memory conditions), returning NULL, and this pointer is then written through at:
  228 		PyTuple_SET_ITEM(hypseg_obj, i, seg_obj);

There may of course be other bugs in my checker tool.

Hope this is helpful; let me know if you need help reading the logs that the tool generates - I know that it could use some improvement.

Version-Release number of selected component (if applicable):
cmusphinx3-0.8-10.fc17
gcc-python-plugin post-0.9 git 073d390de53ef52136bd90e5ac06f1ef833d047d running the checker in an *f16* chroot
Comment 1 Jerry James 2012-02-16 11:33:53 EST
Ah, very cool.  I'm a big fan of static analysis tools myself.  I'll forward your report upstream and work with them to fix these bugs.  Thanks!
Comment 2 Jerry James 2012-02-17 13:28:40 EST
A patch to fix both issues was accepted upstream.  I'll apply the patch and rebuild.  Thanks again.
Comment 3 Fedora Update System 2012-02-17 15:36:57 EST
cmusphinx3-0.8-11.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/cmusphinx3-0.8-11.fc17
Comment 4 Fedora Update System 2012-02-17 21:24:56 EST
Package cmusphinx3-0.8-11.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cmusphinx3-0.8-11.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1945/cmusphinx3-0.8-11.fc17
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-02-28 05:58:48 EST
cmusphinx3-0.8-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.