Bounding box size should be cell size^2 in init to avoid heap corruption in fhog. #10

Open
isgursoy opened this issue Apr 6, 2017 · 10 comments

Comments

@isgursoy

isgursoy commented Apr 6, 2017

gradient.cpp
void fhog( float *M, float *O, float *H, int h, int w, int binSize,int nOrients, int softBin, float clip )

@isgursoy isgursoy changed the title Size should be multiple of 16 Size should be multiple of 16 in init to avoid heap corruption in fhog. Apr 6, 2017
@isgursoy isgursoy changed the title Size should be multiple of 16 in init to avoid heap corruption in fhog. Bounding box size should be cell size^2 in init to avoid heap corruption in fhog. Apr 6, 2017
@vojirt
Owner

vojirt commented Apr 10, 2017

Hi,
thanks, I will look into it.

@isgursoy
Author

isgursoy commented Apr 10, 2017

Here it is:
init: img size 72 180
init: win size. 20 20
init: min max scales factors: 1 3.76887
init: img size 72 120
init: win size. 20 20
init: min max scales factors: 1 3.76887
init: img size 72 72
init: win size. 20 20
init: min max scales factors: 1 3.76887
init: img size 72 180
init: win size. 20 200
init: min max scales factors: 1 1.21899
init: img size 72 120
init: win size. 20 20
init: min max scales factors: 1 3.76887
*** Error in `binary name here': double free or corruption (!prev):

/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7ffff312d7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7ffff3135e0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7ffff313998c]
(_Z4fhogPfS_S_iiiiif+0x1c0)[0x7ffff029b883]
(_ZN11KCF_Tracker12get_featuresERN2cv3MatES2_iiiid+0x41b)[0x7ffff02c23c9]
0(+0x90b27)[0x7ffff02c5b27]
(_ZNSt13__future_base13_State_baseV29_M_do_setEPSt8functionIFSt10unique_ptrINS_12_Result_baseENS3_8_DeleterEEvEEPb+0x2e)[0x7ffff02c916a]
(_ZSt16__once_call_implISt12_Bind_simpleIFSt7_Mem_fnIMNSt13__future_base13_State_baseV2EFvPSt8functionIFSt10unique_ptrINS2_12_Result_baseENS6_8_DeleterEEvEEPbEEPS3_SB_SC_EEEvv+0x3e)[0x7ffff02c90fc]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xea99)[0x7ffff2206a99]
(ZSt9call_onceIMNSt13__future_base13_State_baseV2EFvPSt8functionIFSt10unique_ptrINS0_12_Result_baseENS4_8_DeleterEEvEEPbEJPS1_S9_SA_EEvRSt9once_flagOT_DpOT0+0x86)[0x7ffff02c99b0]
(+0x8a4af)[0x7ffff02bf4af]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(+0xb8c80)[0x7ffff374dc80]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7ffff21ff6ba]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7ffff31bc82d]

0x7ffff029b6c3 41 57 push %r15
0x7ffff029b6c5 <+0x0002> 41 56 push %r14
0x7ffff029b6c7 <+0x0004> 41 55 push %r13
0x7ffff029b6c9 <+0x0006> 41 54 push %r12
0x7ffff029b6cb <+0x0008> 55 push %rbp
0x7ffff029b6cc <+0x0009> 53 push %rbx
0x7ffff029b6cd <+0x000a> 48 83 ec 38 sub $0x38,%rsp
0x7ffff029b6d1 <+0x000e> 48 89 7c 24 10 mov %rdi,0x10(%rsp)
0x7ffff029b6d6 <+0x0013> 48 89 74 24 18 mov %rsi,0x18(%rsp)
0x7ffff029b6db <+0x0018> 48 89 54 24 20 mov %rdx,0x20(%rsp)
0x7ffff029b6e0 <+0x001d> 89 cd mov %ecx,%ebp
0x7ffff029b6e2 <+0x001f> 45 89 cc mov %r9d,%r12d
0x7ffff029b6e5 <+0x0022> 44 8b 7c 24 70 mov 0x70(%rsp),%r15d
0x7ffff029b6ea <+0x0027> f3 0f 11 44 24 0c movss %xmm0,0xc(%rsp)
0x7ffff029b6f0 <+0x002d> 89 c8 mov %ecx,%eax
0x7ffff029b6f2 <+0x002f> 99 cltd
0x7ffff029b6f3 <+0x0030> 41 f7 f9 idiv %r9d
0x7ffff029b6f6 <+0x0033> 89 44 24 04 mov %eax,0x4(%rsp)
0x7ffff029b6fa <+0x0037> 44 89 44 24 2c mov %r8d,0x2c(%rsp)
0x7ffff029b6ff <+0x003c> 44 89 c0 mov %r8d,%eax
0x7ffff029b702 <+0x003f> 99 cltd
0x7ffff029b703 <+0x0040> 41 f7 f9 idiv %r9d
0x7ffff029b706 <+0x0043> 89 44 24 08 mov %eax,0x8(%rsp)
0x7ffff029b70a <+0x0047> 44 8b 6c 24 04 mov 0x4(%rsp),%r13d
0x7ffff029b70f <+0x004c> 44 0f af e8 imul %eax,%r13d
0x7ffff029b713 <+0x0050> 45 89 ee mov %r13d,%r14d
0x7ffff029b716 <+0x0053> 45 0f af f7 imul %r15d,%r14d
0x7ffff029b71a <+0x0057> 43 8d 3c 36 lea (%r14,%r14,1),%edi
0x7ffff029b71e <+0x005b> 48 63 ff movslq %edi,%rdi
0x7ffff029b721 <+0x005e> be 04 00 00 00 mov $0x4,%esi
0x7ffff029b726 <+0x0063> e8 25 1d fc ff callq 0x7ffff025d450 calloc@plt
0x7ffff029b72b <+0x0068> 48 89 c3 mov %rax,%rbx
0x7ffff029b72e <+0x006b> 43 8d 0c 3f lea (%r15,%r15,1),%ecx
0x7ffff029b732 <+0x006f> 89 4c 24 28 mov %ecx,0x28(%rsp)
0x7ffff029b736 <+0x0073> 48 83 ec 08 sub $0x8,%rsp
0x7ffff029b73a <+0x0077> 6a 01 pushq $0x1
0x7ffff029b73c <+0x0079> 8b 84 24 88 00 00 00 mov 0x88(%rsp),%eax
0x7ffff029b743 <+0x0080> 50 push %rax
0x7ffff029b744 <+0x0081> 51 push %rcx
0x7ffff029b745 <+0x0082> 45 89 e1 mov %r12d,%r9d
0x7ffff029b748 <+0x0085> 44 8b 44 24 4c mov 0x4c(%rsp),%r8d
0x7ffff029b74d <+0x008a> 89 e9 mov %ebp,%ecx
0x7ffff029b74f <+0x008c> 48 89 da mov %rbx,%rdx
0x7ffff029b752 <+0x008f> 48 8b 74 24 38 mov 0x38(%rsp),%rsi
0x7ffff029b757 <+0x0094> 48 8b 7c 24 30 mov 0x30(%rsp),%rdi
0x7ffff029b75c <+0x0099> e8 3f 1a fc ff callq 0x7ffff025d1a0 _Z8gradHistPfS_S_iiiiib@plt
0x7ffff029b761 <+0x009e> 4d 63 f6 movslq %r14d,%r14
0x7ffff029b764 <+0x00a1> 48 83 c4 20 add $0x20,%rsp
0x7ffff029b768 <+0x00a5> be 04 00 00 00 mov $0x4,%esi
0x7ffff029b76d <+0x00aa> 4c 89 f7 mov %r14,%rdi
0x7ffff029b770 <+0x00ad> e8 db 1c fc ff callq 0x7ffff025d450 calloc@plt
0x7ffff029b775 <+0x00b2> 48 89 c5 mov %rax,%rbp
0x7ffff029b778 <+0x00b5> 45 85 ff test %r15d,%r15d
0x7ffff029b77b <+0x00b8> 7e 4e jle 0x7ffff029b7cb <_Z4fhogPfS_S_iiiiif+264>
0x7ffff029b77d <+0x00ba> 45 89 e9 mov %r13d,%r9d
0x7ffff029b780 <+0x00bd> 44 89 fe mov %r15d,%esi
0x7ffff029b783 <+0x00c0> 41 0f af f5 imul %r13d,%esi
0x7ffff029b787 <+0x00c4> bf 00 00 00 00 mov $0x0,%edi
0x7ffff029b78c <+0x00c9> 41 b8 00 00 00 00 mov $0x0,%r8d
0x7ffff029b792 <+0x00cf> 45 85 ed test %r13d,%r13d
0x7ffff029b795 <+0x00d2> 7e 28 jle 0x7ffff029b7bf <_Z4fhogPfS_S_iiiiif+252>
0x7ffff029b797 <+0x00d4> 42 8d 0c 0f lea (%rdi,%r9,1),%ecx
0x7ffff029b79b <+0x00d8> 89 f8 mov %edi,%eax
0x7ffff029b79d <+0x00da> 48 63 d0 movslq %eax,%rdx
0x7ffff029b7a0 <+0x00dd> 44 8d 14 30 lea (%rax,%rsi,1),%r10d
0x7ffff029b7a4 <+0x00e1> 4d 63 d2 movslq %r10d,%r10
0x7ffff029b7a7 <+0x00e4> f3 42 0f 10 04 93 movss (%rbx,%r10,4),%xmm0
0x7ffff029b7ad <+0x00ea> f3 0f 58 04 93 addss (%rbx,%rdx,4),%xmm0
0x7ffff029b7b2 <+0x00ef> f3 0f 11 44 95 00 movss %xmm0,0x0(%rbp,%rdx,4)
0x7ffff029b7b8 <+0x00f5> 83 c0 01 add $0x1,%eax
0x7ffff029b7bb <+0x00f8> 39 c8 cmp %ecx,%eax
0x7ffff029b7bd <+0x00fa> 75 de jne 0x7ffff029b79d <_Z4fhogPfS_S_iiiiif+218>
0x7ffff029b7bf <+0x00fc> 41 83 c0 01 add $0x1,%r8d
0x7ffff029b7c3 <+0x0100> 44 01 cf add %r9d,%edi
0x7ffff029b7c6 <+0x0103> 45 39 c7 cmp %r8d,%r15d
0x7ffff029b7c9 <+0x0106> 75 c7 jne 0x7ffff029b792 <_Z4fhogPfS_S_iiiiif+207>
0x7ffff029b7cb <+0x0108> 45 89 e0 mov %r12d,%r8d
0x7ffff029b7ce <+0x010b> 8b 4c 24 08 mov 0x8(%rsp),%ecx
0x7ffff029b7d2 <+0x010f> 44 8b 6c 24 04 mov 0x4(%rsp),%r13d
0x7ffff029b7d7 <+0x0114> 44 89 ea mov %r13d,%edx
0x7ffff029b7da <+0x0117> 44 89 fe mov %r15d,%esi
0x7ffff029b7dd <+0x011a> 48 89 ef mov %rbp,%rdi
0x7ffff029b7e0 <+0x011d> e8 db 1c fc ff callq 0x7ffff025d4c0 _Z13hogNormMatrixPfiiii@plt
0x7ffff029b7e5 <+0x0122> 49 89 c4 mov %rax,%r12
0x7ffff029b7e8 <+0x0125> 48 83 ec 08 sub $0x8,%rsp
0x7ffff029b7ec <+0x0129> 6a 01 pushq $0x1
0x7ffff029b7ee <+0x012b> f3 0f 10 44 24 1c movss 0x1c(%rsp),%xmm0
0x7ffff029b7f4 <+0x0131> 44 8b 4c 24 38 mov 0x38(%rsp),%r9d
0x7ffff029b7f9 <+0x0136> 44 8b 44 24 18 mov 0x18(%rsp),%r8d
0x7ffff029b7fe <+0x013b> 44 89 6c 24 14 mov %r13d,0x14(%rsp)
0x7ffff029b803 <+0x0140> 44 89 e9 mov %r13d,%ecx
0x7ffff029b806 <+0x0143> 48 89 c2 mov %rax,%rdx
0x7ffff029b809 <+0x0146> 48 89 de mov %rbx,%rsi
0x7ffff029b80c <+0x0149> 4c 8b 6c 24 30 mov 0x30(%rsp),%r13
0x7ffff029b811 <+0x014e> 4c 89 ef mov %r13,%rdi
0x7ffff029b814 <+0x0151> e8 17 16 fc ff callq 0x7ffff025ce30 _Z11hogChannelsPfPKfS1_iiifi@plt
0x7ffff029b819 <+0x0156> 4f 8d 6c f5 00 lea 0x0(%r13,%r14,8),%r13
0x7ffff029b81e <+0x015b> c7 04 24 01 00 00 00 movl $0x1,(%rsp)
0x7ffff029b825 <+0x0162> f3 0f 10 44 24 1c movss 0x1c(%rsp),%xmm0
0x7ffff029b82b <+0x0168> 45 89 f9 mov %r15d,%r9d
0x7ffff029b82e <+0x016b> 44 8b 44 24 18 mov 0x18(%rsp),%r8d
0x7ffff029b833 <+0x0170> 44 8b 7c 24 14 mov 0x14(%rsp),%r15d
0x7ffff029b838 <+0x0175> 44 89 f9 mov %r15d,%ecx
0x7ffff029b83b <+0x0178> 4c 89 e2 mov %r12,%rdx
0x7ffff029b83e <+0x017b> 48 89 ee mov %rbp,%rsi
0x7ffff029b841 <+0x017e> 4c 89 ef mov %r13,%rdi
0x7ffff029b844 <+0x0181> e8 e7 15 fc ff callq 0x7ffff025ce30 _Z11hogChannelsPfPKfS1_iiifi@plt
0x7ffff029b849 <+0x0186> 4b 8d 7c b5 00 lea 0x0(%r13,%r14,4),%rdi
0x7ffff029b84e <+0x018b> c7 04 24 02 00 00 00 movl $0x2,(%rsp)
0x7ffff029b855 <+0x0192> f3 0f 10 44 24 1c movss 0x1c(%rsp),%xmm0
0x7ffff029b85b <+0x0198> 44 8b 4c 24 38 mov 0x38(%rsp),%r9d
0x7ffff029b860 <+0x019d> 44 8b 44 24 18 mov 0x18(%rsp),%r8d
0x7ffff029b865 <+0x01a2> 44 89 f9 mov %r15d,%ecx
0x7ffff029b868 <+0x01a5> 4c 89 e2 mov %r12,%rdx
0x7ffff029b86b <+0x01a8> 48 89 de mov %rbx,%rsi
0x7ffff029b86e <+0x01ab> e8 bd 15 fc ff callq 0x7ffff025ce30 _Z11hogChannelsPfPKfS1_iiifi@plt
0x7ffff029b873 <+0x01b0> 4c 89 e7 mov %r12,%rdi
0x7ffff029b876 <+0x01b3> e8 85 03 fc ff callq 0x7ffff025bc00 free@plt
0x7ffff029b87b <+0x01b8> 48 89 df mov %rbx,%rdi
0x7ffff029b87e <+0x01bb> e8 7d 03 fc ff callq 0x7ffff025bc00 free@plt
CRASH--> 0x7ffff029b883 <+0x01c0> 48 89 ef mov %rbp,%rdi
0x7ffff029b886 <+0x01c3> e8 75 03 fc ff callq 0x7ffff025bc00 free@plt
0x7ffff029b88b <+0x01c8> 48 83 c4 48 add $0x48,%rsp
0x7ffff029b88f <+0x01cc> 5b pop %rbx
0x7ffff029b890 <+0x01cd> 5d pop %rbp
0x7ffff029b891 <+0x01ce> 41 5c pop %r12
0x7ffff029b893 <+0x01d0> 41 5d pop %r13
0x7ffff029b895 <+0x01d2> 41 5e pop %r14
0x7ffff029b897 <+0x01d4> 41 5f pop %r15
0x7ffff029b899 <+0x01d6> c3 retq

The solution is this:

#include <opencv2/core.hpp>   // cv::Rect

// Round each side of the initial bounding box down to a multiple of 16,
// but never below 16.
inline void correctSize(cv::Rect& initialBoundingBox)
{
    if (initialBoundingBox.width < 16)
    {
        initialBoundingBox.width = 16;
    }
    else if (initialBoundingBox.width % 16)
    {
        initialBoundingBox.width = (initialBoundingBox.width / 16) * 16;
    }

    if (initialBoundingBox.height < 16)
    {
        initialBoundingBox.height = 16;
    }
    else if (initialBoundingBox.height % 16)
    {
        initialBoundingBox.height = (initialBoundingBox.height / 16) * 16;
    }
}
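The following is an added example and not code from this issue or from the KCF tracker project. It generalises the correctSize() helper posted above to an arbitrary alignment (the report hard-codes 16), adds a pre-init check a caller can run to reject a misaligned box instead of silently resizing it, and computes the cell grid that the disassembly shows fhog() deriving by integer division of h and w by binSize (the two idiv instructions near the top). The Rect struct is a stand-in for cv::Rect so the snippet builds without OpenCV, and all function names here are assumptions of this example.

```cpp
#include <algorithm>
#include <iostream>

// Stand-in for cv::Rect (assumption: only the four int fields are needed).
struct Rect {
    int x, y, width, height;
};

// Cell grid fhog() derives from a window of h x w pixels and a binSize:
// hb = h / binSize, wb = w / binSize, both by truncating integer division,
// which is what the disassembly shows before the calloc() calls.
struct CellGrid {
    int hb, wb;
    int cells() const { return hb * wb; }
};

CellGrid fhogCellGrid(int h, int w, int binSize) {
    return CellGrid{h / binSize, w / binSize};
}

// Pixels of the window that do not belong to any full cell. A non-zero
// result means the window and the cell grid disagree about the size.
int droppedPixels(int h, int w, int binSize) {
    CellGrid g = fhogCellGrid(h, w, binSize);
    return h * w - g.hb * g.wb * binSize * binSize;
}

// Check to run before init(): true when both sides are a positive
// multiple of `alignment`, so the tracker never sees a misaligned box.
bool isAlignedToCell(const Rect& r, int alignment) {
    return r.width >= alignment && r.height >= alignment
        && r.width % alignment == 0 && r.height % alignment == 0;
}

// Generalisation of the posted correctSize(): round each side down to a
// multiple of `alignment`, never below one unit. With alignment == 16 this
// matches the helper from the report exactly.
Rect alignToCell(Rect r, int alignment) {
    auto fix = [alignment](int v) {
        return std::max(alignment, (v / alignment) * alignment);
    };
    r.width = fix(r.width);
    r.height = fix(r.height);
    return r;
}

int main() {
    // Constructed sample: the 20 x 20 window from the log output above.
    Rect win{0, 0, 20, 20};
    std::cout << "aligned to 16: " << std::boolalpha
              << isAlignedToCell(win, 16) << '\n';
    Rect fixed = alignToCell(win, 16);
    std::cout << "after alignToCell: " << fixed.width << " x " << fixed.height << '\n';
    CellGrid g = fhogCellGrid(win.height, win.width, 4);
    std::cout << "cell grid for binSize 4: " << g.hb << " x " << g.wb
              << ", dropped pixels: " << droppedPixels(win.height, win.width, 4) << '\n';
    return 0;
}
```

isAlignedToCell() is the defensive variant: rejecting a bad box at the API boundary makes the failure visible to the caller, whereas alignToCell() quietly shrinks the box, which is what the posted workaround does.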

@vojirt
Owner

vojirt commented Apr 10, 2017

Can you please also provide the input data that you used, i.e. the image and the initial bbox?

@isgursoy
Author

isgursoy commented Apr 10, 2017

[image: bb]
from here:
[image: city]
that is:
[image: citydetails]

@vojirt
Owner

vojirt commented Apr 10, 2017

It looks weird; the image dimensions and the bbox size do not correspond with the output you provided
(init: img size 72 180, init: win size. 20 20). Are you sure that the image was loaded correctly into the KCF?

@isgursoy
Author

isgursoy commented Apr 10, 2017

The thumbnail may not match the console output; there are many objects in that scene. That is one of them, and it is crashing. It is extremely easy to reproduce this: just give random init boxes; any of them except x16 makes your program crash at some point after heap corruption.

@isgursoy
Author

Also, I should comment out:

//    // don't need too large image
//    if (p_pose.w * p_pose.h > 100.*100.) {
//        std::cout << "resizing image by factor of 2" << std::endl;
//        p_resize_image = true;
//        p_pose.scale(0.5);
//        cv::resize(input_gray, input_gray, cv::Size(0,0), 0.5, 0.5, cv::INTER_AREA);
//        cv::resize(input_rgb, input_rgb, cv::Size(0,0), 0.5, 0.5, cv::INTER_AREA);
//    }

@vojirt
Owner

vojirt commented Apr 10, 2017

I evaluated the code on many tracking benchmarks and did not see these heap corruptions, so it is not that easy to reproduce. I checked several sequences and their bboxes are definitely not multiples of 16.

@isgursoy
Author

I will prepare a simple test case for you when I have time. I am running multiple instances, that's all.

@vojirt
Owner

vojirt commented Apr 10, 2017

That would be great.
