800075 – Memory leaks and possible crashers found in newt-0.52.14-2.fc17 using gcc-with-cpychecker static analyzer

Bug 800075 - Memory leaks and possible crashers found in newt-0.52.14-2.fc17 using gcc-with-cpychecker static analyzer

Summary: Memory leaks and possible crashers found in newt-0.52.14-2.fc17 using gcc-wit...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	newt
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Lichvar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	http://fedorapeople.org/~dmalcolm/gcc...
Whiteboard:
Depends On:
Blocks:	cpychecker
TreeView+	depends on / blocked

Reported:	2012-03-05 17:19 UTC by Dave Malcolm
Modified:	2013-03-21 18:38 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-03-21 18:38:30 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dave Malcolm 2012-03-05 17:19:21 UTC

Description of problem:
I've been writing an experimental static analysis tool to detect bugs commonly occurring within C Python extension modules:
  https://fedorahosted.org/gcc-python-plugin/
  http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html
  http://fedoraproject.org/wiki/Features/StaticAnalysisOfPythonRefcounts

I ran the latest version of the tool (in git master; post 0.9) on
newt-0.52.14-2.fc17.src.rpm, and it reports various errors.

You can see a list of errors here, triaged into categories (from most significant to least significant):
http://fedorapeople.org/~dmalcolm/gcc-python-plugin/2012-03-05/newt-0.52.14-2.fc17/

I've manually reviewed the issues reported by the tool.

Within the category "Reference leaks" the 6 issues reported appear to be genuine memory leaks (although the line numbering seems to be slightly incorrect):  within snackmodule.c:widgetListboxGetSel, "sel" gets allocated twice: with a non-empty selection, every call will leak the first list allocated (at line 1097).  Also the reference to the PyIntObject allocated at PyInt_FromLong((long) selection[i])) will be leaked (since PyList_Append adds a new reference, rather than stealing the one passed in ); if the int is > 256 then this will be a memory leak since a new PyIntObject will be allocated.

The bugs in widgetCheckboxTreeGetSel appear to be analogous to those in widgetListboxGetSel.


Within the category "Reference leak within initialization" the 2 issues reported are inconsequential (this code is called only once, at import).

Within the category "Segfaults within error-handling paths" the 10 issues reported look like genuine bugs, in that crashes could occur here under low-memory conditions (i.e. where an allocation fails, and the indicated call returns a NULL).

Within the category "Returning (PyObject*)NULL without setting an exception" the 1 issue reported may or may not be a genuine bug  (if it is, it's a minor one), depending on whether newtCheckboxTreeGetEntryValue sets an exception when it returns -1.

There may of course be other bugs in my checker tool.

Hope this is helpful; let me know if you need help reading the logs that the tool generates - I know that it could use some improvement.

Version-Release number of selected component (if applicable):
newt-0.52.14-2.fc17
gcc-python-plugin post-0.9 git 11462291a66c8db693c8884cb84b795bb5988ffb running the checker in an *f16* chroot

Comment 1 Miroslav Lichvar 2013-03-21 18:38:30 UTC

All reported problems should be fixed by:
http://git.fedorahosted.org/cgit/newt.git/commit/?id=c104daae027a1835e66d277dd292a1eb21f86baa

Thanks for the report, it's a very nice tool!

Note You need to log in before you can comment on or make changes to this bug.