Out of bounds write in sparse broadcast #31758

fredrikekre · 2019-04-18T12:03:11Z

Reduced from https://discourse.julialang.org/t/signal-11-segmentation-fault-11-with-differentialequations-jl/23264/:

y = sparsevec([2,7], [1., 2.], 10)
x1 = sparsevec(fill(1.0, 10))
x2 = sparsevec([2,7], [1., 2.], 10)
x3 = sparsevec(fill(1.0, 10))
f(x, y, z) = x == y == z == 0 ? 0.0 : NaN
bc = Broadcast.broadcasted(f, x1, x2, x3)

Broadcast.materialize!(y, bc)

where the last line causes a segfault (BoundsError with --check-bounds=yes). The problem is here:

julia/stdlib/SparseArrays/src/higherorderfns.jl

Line 390 in c83e312

    
           Ck > spaceC && (spaceC = expandstorage!(C, Ck + min(length(C), _sumnnzs(As...)) - (sum(ks) - N)))

where we fail to expand the storage since the calculation for needed storage is wrong, and returns 1 in this particular case. From Debugger:

1|debug> n
In _map_zeropres!(f, C, As) at /julia/stdlib/v1.0/SparseArrays/src/higherorderfns.jl:372
 382  while activerow < rowsentinel
 383      vals, ks, rows = _fusedupdate_all(rowsentinel, activerow, rows, ks, stopks, As)
 384      Cx = f(vals...)
 385      if !_iszero(Cx)
>386          Ck > spaceC && (spaceC = expandstorage!(C, Ck + min(length(C), _sumnnzs(As...)) - (sum(ks) - N)))
 387          storedinds(C)[Ck] = activerow
 388          storedvals(C)[Ck] = Cx
 389          Ck += 1
 390      end

1|debug> w
1] Ck: 7
2] spaceC: 6
3] storedinds(C): [1, 2, 3, 4, 5, 6]
4] (Ck + min(length(C), _sumnnzs(As...))) - (sum(ks) - N): 1

1|debug> n
In _map_zeropres!(f, C, As) at /julia/stdlib/v1.0/SparseArrays/src/higherorderfns.jl:372
 383  vals, ks, rows = _fusedupdate_all(rowsentinel, activerow, rows, ks, stopks, As)
 384  Cx = f(vals...)
 385  if !_iszero(Cx)
 386      Ck > spaceC && (spaceC = expandstorage!(C, Ck + min(length(C), _sumnnzs(As...)) - (sum(ks) - N)))
>387      storedinds(C)[Ck] = activerow
 388      storedvals(C)[Ck] = Cx
 389      Ck += 1
 390  end
 391  activerow = min(rows...)

1|debug> w
1] Ck: 7
2] spaceC: 1                # <-- What??
3] storedinds(C): [1, 2, 3, 4, 5, 6]
4] (Ck + min(length(C), _sumnnzs(As...))) - (sum(ks) - N): 1

The text was updated successfully, but these errors were encountered:

(cherry picked from commit c0c6f96)

fredrikekre added bug Indicates an unexpected problem or unintended behavior sparse Sparse arrays broadcast Applying a function over a collection labels Apr 18, 2019

fredrikekre added a commit that referenced this issue Apr 18, 2019

fix #31758: out of bounds write in sparse broadcast

d2d5dc3

fredrikekre closed this as completed in c0c6f96 Apr 19, 2019

This was referenced Apr 19, 2019

Backports for 1.0.4 #30954

Merged

Backports for 1.2-RC1 #31727

Closed

KristofferC pushed a commit that referenced this issue Apr 20, 2019

fix #31758: out of bounds write in sparse broadcast (#31763)

b0187e8

(cherry picked from commit c0c6f96)

KristofferC pushed a commit that referenced this issue Apr 20, 2019

fix #31758: out of bounds write in sparse broadcast (#31763)

031c35c

(cherry picked from commit c0c6f96)

KristofferC pushed a commit that referenced this issue Apr 20, 2019

fix #31758: out of bounds write in sparse broadcast (#31763)

11b8f59

(cherry picked from commit c0c6f96)

KristofferC pushed a commit that referenced this issue Feb 20, 2020

fix #31758: out of bounds write in sparse broadcast (#31763)

4f4384a

(cherry picked from commit c0c6f96)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Out of bounds write in sparse broadcast #31758

Out of bounds write in sparse broadcast #31758

fredrikekre commented Apr 18, 2019

Out of bounds write in sparse broadcast #31758

Out of bounds write in sparse broadcast #31758

Comments

fredrikekre commented Apr 18, 2019