Red Hat Bugzilla – Bug 795002
Possible segfaults under low memory conditions found in net-snmp-5.7.1-4.fc17 using gcc-with-cpychecker static analyzer
Last modified: 2012-02-28 04:01:54 EST
Description of problem:
I've been writing an experimental static analysis tool to detect bugs commonly occurring within C Python extension modules:
I ran the latest version of the tool (in git master; post 0.9) on
net-snmp-5.7.1-4.fc17.src.rpm, and it reports various errors.
You can see a list of errors here, triaged into categories (from most significant to least significant):
I've manually reviewed the issues reported by the tool.
Within the category "Reference leak within initialization" the 1 issue reported looks inconsequential
Within the category "Segfaults within error-handling paths" the first issue reported:
netsnmp/client_intf.c:py_netsnmp_attr_set_string:dereferencing NULL (val_obj->ob_refcnt) at netsnmp/client_intf.c:1190
looks like a genuine bug: this could segfault under low-memory conditions (where the call to Py_BuildValue() fails and returns NULL).
The other two bugs are similar, but PyInt_FromLong() is unlikely to fail (it will always succeed for the range -5..255); if the numbers are more negative that than, it could segfault in the same way.
Within the category "Returning (PyObject*)NULL without setting an exception" the 1 issue reported looks like a false positive.
There may of course be other bugs in my checker tool.
Hope this is helpful; let me know if you need help reading the logs that the tool generates - I know that it could use some improvement.
Version-Release number of selected component (if applicable):
gcc-python-plugin post-0.9 git 771455b3128b1323e80bdda53939d8d140a84c68 running the checker in an *f16* chroot
The tool looks nice. I fixed the 3 "Segfaults within error-handling paths" bugs upstream:
I am not a Python guy, I just blindly fixed what seemed to be really wrong.
I wonder, in the reports I can see "found 11 similar trace(s) to this", does it mean there are other bugs somewhere?