bill at insightful.com
2007-Feb-08 19:48 UTC
[Rd] supsmu(periodic=TRUE) can crash R by reading before start of array (PR#9502)
supsmu(periodic=TRUE) can crash R by reading before start of array.
To reproduce:
set.seed(1)
xx <- runif(29000)
yy <- rnorm(29000)
span <- 0.49
i <- 1
while(i < 200){
    cat(i,"\n")
    int <- supsmu(xx,yy,periodic=T,span=span)
    i <- i+1
}
results in:
1
2
3
4
5
6
7
8
9
Program received signal SIGSEGV, Segmentation fault.
smooth_ (n=0xffffeffe, x=0xb6a7f020, y=0xb6993020, w=0xb6921020,
span=0xffffeffe, iper=0xffffeffe, vsmlsq=0xffffeffe, smo=0xb68e8020,
acvr=0x9c7e7c8) at ppr.f:1087
1087 xti=x(j)
Current language: auto; currently fortran
(gdb) list
1082 if (ibw.lt.2) ibw=2
1083 it=2*ibw+1
1084 do 20 i=1,it
1085 j=i
1086 if (jper.eq.2) j=i-ibw-1
-> 1087 xti=x(j)
1088 if (j.ge.1) go to 10
1089 j=n+j
1090 xti=x(j)-1d0
1091 10 wt=w(j)
(gdb) print jper
$1 = 2
(gdb) print j
$2 = -4099
If you use 'R -d valgrind' it stops in the same spot
on the first call to supsmu:
1
==8058== Invalid read of size 8
==8058== at 0x56A65DA: smooth_ (ppr.f:1087)
==8058== by 0x56A64D5: supsmu_ (ppr.f:1028)
==8058== by 0x80B2488: do_dotCode (dotcode.c:1753)
==8058== by 0x80C9405: Rf_eval (eval.c:441)
...
==8058== Address 0x5EFDA80 is 0 bytes after a block of size 232,024 alloc'd
==8058== at 0x401A6EE: malloc (vg_replace_malloc.c:149)
==8058== by 0x80EFBC9: Rf_allocVector (memory.c:1952)
==8058== by 0x807B6CB: do_makevector (builtin.c:558)
==8058== by 0x80F9946: do_internal (names.c:1091)
==8058== by 0x80C9478: Rf_eval (eval.c:424)
Note that it computes x(j) and then, if j is out of
bounds, resets j to be at the end of the x array
and recomputes x(j). It should not compute x(j) if
j is out of bounds.
A fix that keeps this looking like Fortran IV is
to put 'if (j.ge.1)' at the start of line 1087
(in R_HOME/src/library/stats/src/ppr.f). This stops
the crash and makes valgrind happy.
(Splus has the identical problem and fix.)
*** ppr.f~ 2007-02-08 11:31:50.000000000 -0800
--- ppr.f 2007-02-08 11:32:07.000000000 -0800
***************
*** 1084,1090 ****
do 20 i=1,it
j=i
if (jper.eq.2) j=i-ibw-1
! xti=x(j)
if (j.ge.1) go to 10
j=n+j
xti=x(j)-1d0
--- 1084,1090 ----
do 20 i=1,it
j=i
if (jper.eq.2) j=i-ibw-1
! if (j.ge.1) xti=x(j)
if (j.ge.1) go to 10
j=n+j
xti=x(j)-1d0
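Review bot: the new guard `if (j.ge.1) xti=x(j)` at line 1087 only protects the lower bound of the first read; the wrapped read `xti=x(j)-1d0` after `j=n+j` at line 1090 is still unchecked, and since j runs from -ibw to ibw (lines 1083-1086) the patch silently relies on ibw being smaller than n. A one-line comment stating that assumption, or the same `if (j.ge.1)` test on the wrapped index, would make the fix self-documenting. The two consecutive `if (j.ge.1)` tests could also be folded into one branch, though the report says keeping the Fortran IV look is deliberate.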
--please do not edit the information below--
Version:
platform = i686-pc-linux-gnu
arch = i686
os = linux-gnu
system = i686, linux-gnu
status = Under development (unstable)
major = 2
minor = 5.0
year = 2007
month = 02
day = 05
svn rev = 40659
language = R
version.string = R version 2.5.0 Under development (unstable) (2007-02-05 r40659)
Locale:
LC_CTYPE=en_US.UTF-8;LC_NUMERIC=C;LC_TIME=en_US.UTF-8;LC_COLLATE=en_US.UTF-8;LC_MONETARY=en_US.UTF-8;LC_MESSAGES=en_US.UTF-8;LC_PAPER=en_US.UTF-8;LC_NAME=C;LC_ADDRESS=C;LC_TELEPHONE=C;LC_MEASUREMENT=en_US.UTF-8;LC_IDENTIFICATION=C
Search Path:
.GlobalEnv, package:stats, package:graphics, package:grDevices, package:utils,
package:datasets, package:methods, Autoloads, package:base
----------------------------------------------------------------------------
Bill Dunlap
Insightful Corporation
bill at insightful dot com
360-428-8146
"All statements in this message represent the opinions of the author and do
not necessarily reflect Insightful Corporation policy or position."
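The read-before-check ordering the report describes, as an added example in C that is not code from ppr.f or from the report: a bounds-checked stand-in for Fortran's x(j) mirrors the index arithmetic of the smooth_ loop and counts how many fetches fall outside 1..n under the original order versus the patched order. It also goes one step beyond the report by showing that the patched order still fails when ibw is not smaller than n. The values of n and ibw, the sample vector, and the 4096-point cap are constructed here, not taken from the page.

```c
#include <stdio.h>

/* Bounds-checked stand-in for Fortran's 1-based x(j): stores x(j) in *out and
 * returns 0, or returns -1 when j is outside 1..n instead of reading memory. */
static int x_at(const double *x, int n, int j, double *out)
{
    if (j < 1 || j > n) return -1;
    *out = x[j - 1];
    return 0;
}

/* Mirrors the index arithmetic of ppr.f lines 1082-1090.  fixed == 0 keeps the
 * original order (fetch x(j), then test j); fixed == 1 applies the patch
 * `if (j.ge.1) xti=x(j)`.  Returns how many fetches fell outside 1..n. */
static int count_bad_reads(const double *x, int n, int ibw, int jper, int fixed)
{
    int bad = 0;
    double xti = 0.0;
    if (ibw < 2) ibw = 2;                    /* 1082 */
    int it = 2 * ibw + 1;                    /* 1083 */
    for (int i = 1; i <= it; i++) {
        int j = i;                           /* 1085 */
        if (jper == 2) j = i - ibw - 1;      /* 1086: periodic, j runs -ibw..ibw */
        if (!fixed || j >= 1)                /* 1087: the original fetches unconditionally */
            if (x_at(x, n, j, &xti) != 0) bad++;
        if (j >= 1) continue;                /* 1088: go to 10 */
        j = n + j;                           /* 1089: wrap to the end of x */
        if (x_at(x, n, j, &xti) != 0) bad++; /* 1090: xti=x(j)-1d0, still unguarded */
        else xti -= 1.0;
    }
    return bad;
}

/* Runs the loop over a constructed sorted sample of n points in [0,1); the 4096 cap is an assumption. */
static int run_demo(int n, int ibw, int jper, int fixed)
{
    double x[4096];
    if (n < 1 || n > 4096) return -1;
    for (int k = 0; k < n; k++) x[k] = k / (double)n;
    return count_bad_reads(x, n, ibw, jper, fixed);
}

int main(void)
{
    printf("periodic, original order: %d out-of-range reads\n", run_demo(100, 10, 2, 0));
    printf("periodic, patched order:  %d out-of-range reads\n", run_demo(100, 10, 2, 1));
    printf("patched, but ibw >= n:    %d out-of-range reads\n", run_demo(5, 10, 2, 1));
    return 0;
}
```

Under valgrind or a sanitizer the real Fortran performs the same out-of-range fetches that the first counter reports; the non-periodic path (jper != 2) never leaves 1..n, which is why the crash only appears with periodic=TRUE.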
Prof Brian Ripley
2007-Feb-09 08:09 UTC
[Rd] supsmu(periodic=TRUE) can crash R by reading before start of array (PR#9502)
Thank you for the comprehensive report and fix. Now incorporated in R-devel.

Brian

On Thu, 8 Feb 2007, bill at insightful.com wrote:
> supsmu(periodic=TRUE) can crash R by reading before start of array.

--
Brian D. Ripley, ripley at stats.ox.ac.uk
Professor of Applied Statistics, http://www.stats.ox.ac.uk/~ripley/
University of Oxford, Tel: +44 1865 272861 (self)
1 South Parks Road, +44 1865 272866 (PA)
Oxford OX1 3TG, UK Fax: +44 1865 272595