[Octave-bug-tracker] [bug #47246] segfault in findobj.m when compiling with clang


From: John W. Eaton
Subject: [Octave-bug-tracker] [bug #47246] segfault in findobj.m when compiling with clang
Date: Wed, 24 Feb 2016 21:05:50 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0

Follow-up Comment #4, bug #47246 (project octave):

Hmm, this is an odd one.  The attached patch avoids the crash for me.  But if
I move this code into the idx_vector::idx_vector_rep::as_array class (instead
of setting the aowner pointer and just generating the output Array on the fly
at each call) then I still see a crash.  And gdb is saying that the crash is
in idx_vector::copy_data but I don't see how that function is being called. 
The stack trace is strange:


octave:1> findobj tag foo tag foo tag foo

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5af050a in idx_vector::copy_data (this=0xcec76c, data=0x1) at
/home/jwe/src/octave/liboctave/array/idx-vector.cc:1027
1027      octave_idx_type len = rep->length (0);
(gdb) where
#0  0x00007ffff5af050a in idx_vector::copy_data (this=0xcec76c, data=0x1) at
/home/jwe/src/octave/liboctave/array/idx-vector.cc:1027
#1  0x0000000000d2ab90 in ?? ()
#2  0x00007fffffff9ef8 in ?? ()
#3  0x0000000000000001 in ?? ()
#4  0x0000000000d2ab90 in ?? ()
#5  0x00007fffffff9ef8 in ?? ()
#6  0x00007fffffff9f78 in ?? ()
#7  0x0000000000d2ab90 in ?? ()
#8  0x0000000000d2ab90 in ?? ()
#9  0x00007fffffff9f90 in ?? ()
#10 0x00007ffff704dafa in octave_lazy_index::sort (this=0xd2ab90, dim=0,
mode=(unknown: 13806480)) at
/home/jwe/src/octave/libinterp/octave-value/ov-lazy-idx.cc:112
Backtrace stopped: frame did not save the PC


If I set a breakpoint in idx_vector::copy_data execution doesn't stop there
before the crash.

So possibly some kind of data overrun is trashing the stack?  I don't know.

Running with valgrind shows


octave:1> findobj tag foo tag foo tag foo
==17548== Invalid read of size 8
==17548==    at 0x6F36507: idx_vector::copy_data(int*) const
(idx-vector.cc:1027)
==17548==    by 0x27A8568F: ???
==17548==    by 0x5989AF9: octave_lazy_index::sort(int, sortmode) const
(ov-lazy-idx.cc:112)
==17548==    by 0x5443673: octave_value::sort(int, sortmode) const (in
/scratch/jwe/build/octave-clang/libinterp/.libs/liboctinterp.so.3.0.0)
==17548==    by 0x5B82204: Fsort(octave_value_list const&, int)
(data.cc:6480)
==17548==    by 0x589AC38: octave_builtin::do_multi_index_op(int,
octave_value_list const&, std::__cxx11::list<octave_lvalue,
std::allocator<octave_lvalue> > const*) (ov-builtin.cc:125)
==17548==    by 0x589A84F:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int, std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> >
const*) (ov-builtin.cc:63)
==17548==    by 0x589A6B6:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int) (ov-builtin.cc:46)
==17548==    by 0x589B3A1:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&) (ov-builtin.h:64)
==17548==    by 0x59CF83D:
octave_value::subsref(std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&, std::__cxx11::list<octave_value_list,
std::allocator<octave_value_list> > const&, int) (ov.cc:1197)
==17548==    by 0x59CF984:
octave_value::subsref(std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&, std::__cxx11::list<octave_value_list,
std::allocator<octave_value_list> > const&, int,
std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> > const*)
(ov.cc:1210)
==17548==    by 0x5AACD00: tree_index_expression::rvalue(int,
std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> > const*)
(pt-idx.cc:428)
==17548==  Address 0x265434dc is 12 bytes inside a block of size 16 alloc'd
==17548==    at 0x4C2A1AF: operator new(unsigned long)
(vg_replace_malloc.c:333)
==17548==    by 0x59932D4: Array<int>::Array(dim_vector const&) (Array.h:185)
==17548==    by 0x6F3404A: idx_vector::idx_vector_rep::as_array()
(idx-vector.cc:607)
==17548==    by 0x6F364EF: idx_vector::as_array() const (idx-vector.cc:1249)
==17548==    by 0x5989AF9: octave_lazy_index::sort(int, sortmode) const
(ov-lazy-idx.cc:112)
==17548==    by 0x5443673: octave_value::sort(int, sortmode) const (in
/scratch/jwe/build/octave-clang/libinterp/.libs/liboctinterp.so.3.0.0)
==17548==    by 0x5B82204: Fsort(octave_value_list const&, int)
(data.cc:6480)
==17548==    by 0x589AC38: octave_builtin::do_multi_index_op(int,
octave_value_list const&, std::__cxx11::list<octave_lvalue,
std::allocator<octave_lvalue> > const*) (ov-builtin.cc:125)
==17548==    by 0x589A84F:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int, std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> >
const*) (ov-builtin.cc:63)
==17548==    by 0x589A6B6:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int) (ov-builtin.cc:46)
==17548==    by 0x589B3A1:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&) (ov-builtin.h:64)
==17548==    by 0x59CF83D:
octave_value::subsref(std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&, std::__cxx11::list<octave_value_list,
std::allocator<octave_value_list> > const&, int) (ov.cc:1197)
==17548== 
==17548== Invalid read of size 8
==17548==    at 0x6F3650A: idx_vector::copy_data(int*) const
(idx-vector.cc:1027)
==17548==    by 0x27A8568F: ???
==17548==    by 0x5989AF9: octave_lazy_index::sort(int, sortmode) const
(ov-lazy-idx.cc:112)
==17548==    by 0x5443673: octave_value::sort(int, sortmode) const (in
/scratch/jwe/build/octave-clang/libinterp/.libs/liboctinterp.so.3.0.0)
==17548==    by 0x5B82204: Fsort(octave_value_list const&, int)
(data.cc:6480)
==17548==    by 0x589AC38: octave_builtin::do_multi_index_op(int,
octave_value_list const&, std::__cxx11::list<octave_lvalue,
std::allocator<octave_lvalue> > const*) (ov-builtin.cc:125)
==17548==    by 0x589A84F:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int, std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> >
const*) (ov-builtin.cc:63)
==17548==    by 0x589A6B6:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int) (ov-builtin.cc:46)
==17548==    by 0x589B3A1:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&) (ov-builtin.h:64)
==17548==    by 0x59CF83D:
octave_value::subsref(std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&, std::__cxx11::list<octave_value_list,
std::allocator<octave_value_list> > const&, int) (ov.cc:1197)
==17548==    by 0x59CF984:
octave_value::subsref(std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> > const&, std::__cxx11::list<octave_value_list,
std::allocator<octave_value_list> > const&, int,
std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> > const*)
(ov.cc:1210)
==17548==    by 0x5AACD00: tree_index_expression::rvalue(int,
std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> > const*)
(pt-idx.cc:428)
==17548==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==17548== 
panic: Segmentation fault -- stopping myself...
attempting to save variables to 'octave-workspace'...
save to 'octave-workspace' complete
==17548== 
==17548== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==17548==    at 0x83E9529: raise (pt-raise.c:36)
==17548==    by 0x5F7BE54: my_friendly_exit(char const*, int, bool)
(sighandlers.cc:351)
==17548==    by 0x5F797F2: generic_sig_handler(int) (sighandlers.cc:393)
==17548==    by 0x83E965F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.21.so)
==17548==    by 0x6F36509: idx_vector::copy_data(int*) const
(idx-vector.cc:1027)
==17548==    by 0x27A8568F: ???
==17548==    by 0x5989AF9: octave_lazy_index::sort(int, sortmode) const
(ov-lazy-idx.cc:112)
==17548==    by 0x5443673: octave_value::sort(int, sortmode) const (in
/scratch/jwe/build/octave-clang/libinterp/.libs/liboctinterp.so.3.0.0)
==17548==    by 0x5B82204: Fsort(octave_value_list const&, int)
(data.cc:6480)
==17548==    by 0x589AC38: octave_builtin::do_multi_index_op(int,
octave_value_list const&, std::__cxx11::list<octave_lvalue,
std::allocator<octave_lvalue> > const*) (ov-builtin.cc:125)
==17548==    by 0x589A84F:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int, std::__cxx11::list<octave_lvalue, std::allocator<octave_lvalue> >
const*) (ov-builtin.cc:63)
==17548==    by 0x589A6B6:
octave_builtin::subsref(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::__cxx11::list<octave_value_list, std::allocator<octave_value_list> >
const&, int) (ov-builtin.cc:46)
==17548== 
==17548== HEAP SUMMARY:
==17548==     in use at exit: 41,355,146 bytes in 70,520 blocks
==17548==   total heap usage: 326,566 allocs, 256,046 frees, 90,159,786 bytes
allocated
==17548== 
==17548== LEAK SUMMARY:
==17548==    definitely lost: 975 bytes in 121 blocks
==17548==    indirectly lost: 0 bytes in 0 blocks
==17548==      possibly lost: 55,132 bytes in 3,345 blocks
==17548==    still reachable: 41,299,039 bytes in 67,054 blocks
==17548==                       of which reachable via heuristic:
==17548==                         newarray           : 211,632 bytes in 1,776
blocks
==17548==         suppressed: 0 bytes in 0 blocks
==17548== Rerun with --leak-check=full to see details of leaked memory
==17548== 
==17548== For counts of detected and suppressed errors, rerun with: -v
==17548== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Killed


That doesn't really give me much of a clue because the data read error doesn't
happen until after copy_data is called, and as far as I can tell, it is not
supposed to be called at any point from idx_vector::idx_vector_rep::as_array.

(file #36452)
    _______________________________________________________

Additional Item Attachment:

File name: diffs.txt                      Size:0 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?47246>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/