The 'call_method' and 'call_maybe' function in typeobject.c are leaking
a reference on 'func' in cases where 'args == NULL'.  In this case both 
of these functions exit like so:

    if (args == NULL)
        return NULL;

When they need to do:

    if (args == NULL)
    {
        Py_DECREF(func);
        return NULL;
    }

Thanks, here is a patch with the proposed fix. I also removed an unused macro.

Do you have an easy way to verify this, e.g. by calling a method from Python with invalid arguments? Or is this just something you found by inspection?

Found this with code inspection

I think this usage of 'call_method' from typeobject.c would cause it to leak.

static PyObject*
slot_sq_slice(PyObject *self, Py_ssize_t i, Py_ssize_t j)
{
	static PyObject *getslice_str;

	if (PyErr_WarnPy3k("in 3.x, __getslice__ has been removed; "
			    "use __getitem__", 1) < 0)
		return NULL;
	return call_method(self, "__getslice__", &getslice_str,
		"nn", i, j);      <<<<<<< Maybe Bad Format Str <<<<<<<
}

Looks like the only place in 'call_method' that could cause args to be NULL is if 'Py_VaBuildValue' which calls 'va_build_value' returns NULL.  'va_build_value' calls 'countformat' on the format string and 'countformat' looks for some escaping in the format string.  If no special format characters like '(' or '{' are not found, then the count might be incremented but when the NULL terminator on the end of the string is hit, the 'countformat' will return -1.

So I believe this method has a bug because it doesn't look to be using the formatter correctly and also it looks like it might cause a leak.

I'll file a seperate bug on 'countformat'

Could you provide actual code where a reference is leaked? To me, this looks like hypothetical failure rather than something that has a chance of occurring - feel free to prove me wrong, though :) Please also include relevant tests.

I don’t see any bug with countformat(), but if you can explain in more detail that would be good.

Myron, you are right that the build-value function has to fail to trigger this leak. But from my reading of the code, I think it would probably only happen for an out-of-memory error (e.g. allocating the tuple return value). Both call_method() and call_maybe() are static, and all the call sites look like they give valid format strings that would not fail except for the out-of-memory condition.

Emanuel: if this can only produced by an out-of-memory error, it would be hard to demonstrate the leak. (Maybe use Victor Stinner’s malloc failure tool? I never tried it.) But IMO the code is incorrect as it is. If it is going to be handling an error, it should be cleaning up properly.

I believe this issue is out of date. There are no longer such functions as call_method and call_maybe. There are vectorcall_method and vectorcall_maybe, but they don't have that check for (args == NULL).