[Octave-bug-tracker] [bug #65431] crash after hgload certain data
From: Dmitri A. Sergatskov
Subject: [Octave-bug-tracker] [bug #65431] crash after hgload certain data
Date: Fri, 8 Mar 2024 15:48:30 -0500 (EST)
Follow-up Comment #13, bug #65431 (group octave):
When I run "simple_2_crash" on octave with ASAN and Markus's patch #2:
octave:2> simple_2_crash
=================================================================
==3657835==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x62e000107038 at pc 0x7fd892d67225 bp 0x7ffd59b1b6d0 sp 0x7ffd59b1b6c8
READ of size 8 at 0x62e000107038 thread T0
#0 0x7fd892d67224 in
octave::opengl_renderer::draw_patch(octave::patch::properties const&)
../libinterp/corefcn/gl-render.cc:3367
#1 0x7fd892d37d0b in octave::opengl_renderer::draw(octave::graphics_object
const&, bool) ../libinterp/corefcn/gl-render.cc:735
#2 0x7fd892d51984 in
octave::opengl_renderer::draw_axes_children(octave::axes::properties const&)
../libinterp/corefcn/gl-render.cc:2277
#3 0x7fd892d52c61 in
octave::opengl_renderer::draw_axes(octave::axes::properties const&)
../libinterp/corefcn/gl-render.cc:2363
#4 0x7fd892d378cd in octave::opengl_renderer::draw(octave::graphics_object
const&, bool) ../libinterp/corefcn/gl-render.cc:729
#5 0x7fd892d75ceb in octave::opengl_renderer::draw(Matrix const&, bool)
../libinterp/corefcn/gl-render.cc:4182
#6 0x7fd892d3a0c6 in
octave::opengl_renderer::draw_figure(octave::figure::properties const&)
../libinterp/corefcn/gl-render.cc:797
#7 0x7fd892d37763 in octave::opengl_renderer::draw(octave::graphics_object
const&, bool) ../libinterp/corefcn/gl-render.cc:727
#8 0x7fd894579a71 in octave::GLWidget::draw(octave::graphics_object)
../libgui/graphics/GLCanvas.cc:79
#9 0x7fd89457cf17 in octave::GLCanvas::draw(octave_handle const&)
../libgui/graphics/GLCanvas.cc:319
#10 0x7fd89453355a in octave::Canvas::canvasPaintEvent()
../libgui/graphics/Canvas.cc:286
#11 0x7fd89457c796 in octave::GLWidget::paintGL()
../libgui/graphics/GLCanvas.cc:215
#12 0x7fd8956b6024 in QOpenGLWidgetPrivate::render()
(/lib64/libQt6OpenGLWidgets.so.6+0x9024)
#13 0x7fd890a1ae57 in QWidget::event(QEvent*)
(/lib64/libQt6Widgets.so.6+0x21ae57)
#14 0x7fd8909c17b5 in QApplicationPrivate::notify_helper(QObject*,
QEvent*) (/lib64/libQt6Widgets.so.6+0x1c17b5)
#15 0x7fd89488824f in octave::octave_qapplication::notify(QObject*,
QEvent*) ../libgui/src/octave-qobject.cc:148
#16 0x7fd88f76dbe7 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
../src/corelib/kernel/qcoreapplication.cpp:1118
#17 0x7fd890a12ba9 in QWidgetPrivate::sendPaintEvent(QRegion const&)
(/lib64/libQt6Widgets.so.6+0x212ba9)
#18 0x7fd890a26253 in QWidgetRepaintManager::paintAndFlush()
(/lib64/libQt6Widgets.so.6+0x226253)
#19 0x7fd890a1b5bb in QWidget::event(QEvent*)
(/lib64/libQt6Widgets.so.6+0x21b5bb)
#20 0x7fd894579196 in octave::FigureWindowBase::event(QEvent*)
libgui/graphics/moc-FigureWindow.h:35
#21 0x7fd8909c17b5 in QApplicationPrivate::notify_helper(QObject*,
QEvent*) (/lib64/libQt6Widgets.so.6+0x1c17b5)
#22 0x7fd89488824f in octave::octave_qapplication::notify(QObject*,
QEvent*) ../libgui/src/octave-qobject.cc:148
#23 0x7fd88f76dbe7 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
../src/corelib/kernel/qcoreapplication.cpp:1118
#24 0x7fd88f771327 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*) ../src/corelib/kernel/qcoreapplication.cpp:1898
#25 0x7fd88f9fd586 in postEventSourceDispatch
../src/corelib/kernel/qeventdispatcher_glib.cpp:243
#26 0x7fd88baefe3e in g_main_context_dispatch
(/lib64/libglib-2.0.so.0+0x54e3e)
#27 0x7fd88bb44ec7 in g_main_context_iterate.constprop.0
(/lib64/libglib-2.0.so.0+0xa9ec7)
#28 0x7fd88baed77f in g_main_context_iteration
(/lib64/libglib-2.0.so.0+0x5277f)
#29 0x7fd88f9fcd5d in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
(/lib64/libQt6Core.so.6+0x3fcd5d)
#30 0x7fd88f77a192 in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
(/lib64/libQt6Core.so.6+0x17a192)
#31 0x7fd88f776205 in QCoreApplication::exec()
(/lib64/libQt6Core.so.6+0x176205)
#32 0x7fd89488b856 in octave::base_qobject::exec()
../libgui/src/octave-qobject.cc:427
#33 0x7fd8948c0d7e in octave::qt_application::execute()
../libgui/src/qt-application.cc:102
#34 0x403db8 in main ../src/main-gui.cc:150
#35 0x7fd88b8296cf in __libc_start_call_main (/lib64/libc.so.6+0x296cf)
#36 0x7fd88b829788 in __libc_start_main_alias_2
(/lib64/libc.so.6+0x29788)
#37 0x403384 in _start
(/home/dima/src/octave/gcc_asan/src/.libs/lt-octave-gui+0x403384)
0x62e000107038 is located 0 bytes to the right of 44088-byte region
[0x62e0000fc400,0x62e000107038)
allocated by thread T0 here:
#0 0x7fd8950bb138 in operator new(unsigned long)
(/lib64/libasan.so.8+0xbb138)
#1 0x7fd89451a949 in std::__new_allocator<double>::allocate(unsigned long,
void const*) /usr/include/c++/12/bits/new_allocator.h:137
#2 0x7fd89451a28c in std::allocator_traits<std::allocator<double>
>::allocate(std::allocator<double>&, unsigned long)
/usr/include/c++/12/bits/alloc_traits.h:464
#3 0x7fd89451a17a in Array<double, std::allocator<double>
>::ArrayRep::allocate(unsigned long) ../liboctave/array/Array.h:198
#4 0x7fd89454a4fd in Array<double, std::allocator<double>
>::ArrayRep::ArrayRep(long) ../liboctave/array/Array.h:167
#5 0x7fd894548ece in Array<double, std::allocator<double>
>::Array(dim_vector const&) ../liboctave/array/Array.h:285
#6 0x7fd894546f86 in MArray<double>::MArray(dim_vector const&)
../liboctave/array/MArray.h:69
#7 0x7fd894543cea in NDArray::NDArray(dim_vector const&)
../liboctave/array/dNDArray.h:45
#8 0x7fd892dbbd2a in convert_cdata ../libinterp/corefcn/graphics.cc:1028
#9 0x7fd89309b9ec in octave::patch::properties::get_color_data() const
../libinterp/corefcn/graphics.cc:9428
#10 0x7fd892d66145 in
octave::opengl_renderer::draw_patch(octave::patch::properties const&)
../libinterp/corefcn/gl-render.cc:3286
#11 0x7fd892d37d0b in
octave::opengl_renderer::draw(octave::graphics_object const&, bool)
../libinterp/corefcn/gl-render.cc:735
#12 0x7fd892d51984 in
octave::opengl_renderer::draw_axes_children(octave::axes::properties const&)
../libinterp/corefcn/gl-render.cc:2277
#13 0x7fd892d52c61 in
octave::opengl_renderer::draw_axes(octave::axes::properties const&)
../libinterp/corefcn/gl-render.cc:2363
#14 0x7fd892d378cd in
octave::opengl_renderer::draw(octave::graphics_object const&, bool)
../libinterp/corefcn/gl-render.cc:729
#15 0x7fd892d75ceb in octave::opengl_renderer::draw(Matrix const&, bool)
../libinterp/corefcn/gl-render.cc:4182
#16 0x7fd892d3a0c6 in
octave::opengl_renderer::draw_figure(octave::figure::properties const&)
../libinterp/corefcn/gl-render.cc:797
#17 0x7fd892d37763 in
octave::opengl_renderer::draw(octave::graphics_object const&, bool)
../libinterp/corefcn/gl-render.cc:727
#18 0x7fd894579a71 in octave::GLWidget::draw(octave::graphics_object)
../libgui/graphics/GLCanvas.cc:79
#19 0x7fd89457cf17 in octave::GLCanvas::draw(octave_handle const&)
../libgui/graphics/GLCanvas.cc:319
#20 0x7fd89453355a in octave::Canvas::canvasPaintEvent()
../libgui/graphics/Canvas.cc:286
#21 0x7fd89457c796 in octave::GLWidget::paintGL()
../libgui/graphics/GLCanvas.cc:215
#22 0x7fd8956b6024 in QOpenGLWidgetPrivate::render()
(/lib64/libQt6OpenGLWidgets.so.6+0x9024)
SUMMARY: AddressSanitizer: heap-buffer-overflow
../libinterp/corefcn/gl-render.cc:3367 in
octave::opengl_renderer::draw_patch(octave::patch::properties const&)
Shadow bytes around the buggy address:
0x0c5c80018db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c80018dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c80018dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c80018de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c80018df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c80018e00: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
0x0c5c80018e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c80018e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c80018e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c80018e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c80018e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3657835==ABORTING
Dmitri.
--
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?65431>
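
A triage sketch for the AddressSanitizer report in the message above, as an added example that is not part of the original message or of Octave: it pulls out the bug class, the faulting and allocating frames, and how far past the buffer the access landed. The `REPORT` excerpt is taken from the message with e-mail line wraps rejoined; the `SKIP` list and the use of the access width as the element size are assumptions of this example.

```python
import re

# Excerpt of the report above: e-mail line wraps rejoined, most frames trimmed.
REPORT = """\
==3657835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e000107038 at pc 0x7fd892d67225 bp 0x7ffd59b1b6d0 sp 0x7ffd59b1b6c8
READ of size 8 at 0x62e000107038 thread T0
#0 0x7fd892d67224 in octave::opengl_renderer::draw_patch(octave::patch::properties const&) ../libinterp/corefcn/gl-render.cc:3367
#1 0x7fd892d37d0b in octave::opengl_renderer::draw(octave::graphics_object const&, bool) ../libinterp/corefcn/gl-render.cc:735
0x62e000107038 is located 0 bytes to the right of 44088-byte region [0x62e0000fc400,0x62e000107038)
allocated by thread T0 here:
#0 0x7fd8950bb138 in operator new(unsigned long) (/lib64/libasan.so.8+0xbb138)
#3 0x7fd89451a17a in Array<double, std::allocator<double> >::ArrayRep::allocate(unsigned long) ../liboctave/array/Array.h:198
#8 0x7fd892dbbd2a in convert_cdata ../libinterp/corefcn/graphics.cc:1028
#9 0x7fd89309b9ec in octave::patch::properties::get_color_data() const ../libinterp/corefcn/graphics.cc:9428
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (.+?) (\S+:\d+|\(\S+\))$")
# Assumption: runtime, libstdc++ and generic container frames do not "own" the buffer.
SKIP = ("(", "/usr/include", "../liboctave/array/")

def first_owner_frame(lines):
    """Return (function, location) of the first frame outside SKIP, or None."""
    for line in lines:
        m = FRAME.match(line.strip())
        if m and not m.group(2).startswith(SKIP):
            return m.group(1), m.group(2)
    return None

def triage(report):
    lines = report.splitlines()
    kind = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"(READ|WRITE) of size (\d+)", report)
    reg = re.search(r"-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    split = next(i for i, l in enumerate(lines) if l.startswith("allocated by"))
    addr, lo, hi = (int(x, 16) for x in (kind.group(2), reg.group(1), reg.group(2)))
    width = int(acc.group(2))          # access width, taken as the element size
    return {
        "bug": kind.group(1),
        "access": acc.group(1),
        "fault_site": first_owner_frame(lines[:split]),
        "alloc_site": first_owner_frame(lines[split:]),
        "elements": (hi - lo) // width,   # capacity of the buffer in elements
        "index": (addr - lo) // width,    # element index the faulting access hit
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:11} {value}")
```

An `index` equal to `elements` means the read hit the first element past the end of the buffer allocated in `convert_cdata`, which matches the "0 bytes to the right" line of the report.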