794995 – Memory leak in py_object_call found in lunatic-python-1.0.1-0.6.20090917bzr.fc17 using gcc-with-cpychecker static analyzer

Bug 794995 - Memory leak in py_object_call found in lunatic-python-1.0.1-0.6.20090917bzr.fc17 using gcc-with-cpychecker static analyzer

Summary: Memory leak in py_object_call found in lunatic-python-1.0.1-0.6.20090917bzr.f...

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	lunatic-python
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Gwyn Ciesla
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	http://fedorapeople.org/~dmalcolm/gcc...
Whiteboard:
Depends On:
Blocks:	cpychecker
TreeView+	depends on / blocked

Reported:	2012-02-18 15:30 UTC by Dave Malcolm
Modified:	2012-02-20 17:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-20 16:42:00 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dave Malcolm 2012-02-18 15:30:03 UTC

Description of problem:
I've been writing an experimental static analysis tool to detect bugs commonly occurring within C Python extension modules:
  https://fedorahosted.org/gcc-python-plugin/
  http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html
  http://fedoraproject.org/wiki/Features/StaticAnalysisOfPythonRefcounts

I ran the latest version of the tool (in git master; post 0.9) on
lunatic-python-1.0.1-0.6.20090917bzr.fc17.src.rpm, and it reports various errors.

You can see a list of errors here, triaged into categories (from most significant to least significant):
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-02-18/lunatic-python-1.0.1-0.6.20090917bzr.fc17/

I've manually reviewed the issues reported by the tool.

Within the category "Reference leaks" the 1 issues reported
  src/pythoninlua.c:py_object_call:ob_refcnt of '*args' is 1 too high
appears to be a genuine bug: the "args" is tuple is allocated, populated, and passed to PyObject_CallObject(), but nothing seems to do a Py_DECREF() on it, hence the tuple of arguments becomes immortal for the rest of the lifetime of the process.  If I'm reading this correctly, every call to py_object_call will leak memory.

There may of course be other bugs in my checker tool.

Hope this is helpful; let me know if you need help reading the logs that the tool generates - I know that it could use some improvement.

Version-Release number of selected component (if applicable):
lunatic-python-1.0.1-0.6.20090917bzr.fc17
gcc-python-plugin post-0.9 git 771455b3128b1323e80bdda53939d8d140a84c68 running the checker in an *f16* chroot

Comment 1 Gwyn Ciesla 2012-02-20 15:17:38 UTC

It looks like inserting the following at line 138 would do the trick:

for (i = 0; i != nargs; i++) {
  Py_DECREF(args);
}

Would it not?

Comment 2 Dave Malcolm 2012-02-20 16:22:44 UTC

No, it just needs it once, I think, rather than nargs times: "args" is the whole tuple, which the code owns one reference to.

I think this code just needs a single extra Py_DECREF(args) at around line 137, like this:

     value = PyObject_CallObject(obj->o, args);
+    Py_DECREF(args);
     if (value) {

Comment 3 Gwyn Ciesla 2012-02-20 16:41:46 UTC

Got it, thanks!  Fixed in rawhide.

Comment 4 Dave Malcolm 2012-02-20 16:55:48 UTC

Thanks!  Can you make sure upstream get this report also?

Comment 5 Gwyn Ciesla 2012-02-20 17:10:10 UTC

Will do.

Note You need to log in before you can comment on or make changes to this bug.