#13731: Fix libsingular memory management
------------------------------------------------------------------+---------
       Reporter:  nbruin                                          |  Owner:  rlm
           Type:  defect                                          |  Status:  new
       Priority:  major                                           |  Milestone:  sage-5.6
      Component:  memleak                                         |  Resolution:
       Keywords:                                                  |  Work issues:
Report Upstream:  Reported upstream. Developers acknowledge bug.  |  Reviewers:
        Authors:                                                  |  Merged in:
   Dependencies:                                                  |  Stopgaps:
------------------------------------------------------------------+---------

Comment (by nbruin):

 Replying to [comment:2 nbruin]:
 > {{{
 > #0  0x00007fffce9fb3f2 in List<CanonicalForm>::isEmpty(this=0x7fffa515b000) at ./templates/ftmpl_list.cc:256
 > #1  0x00007fffce96a350 in multiFactorize (F=..., v=...) at facFactorize.cc:710
 > }}}
 I think this one is rather straightforward too (and a genuine out-of-bounds
 reference!):
 facFactorize.cc:688

 {{{
     CFList* bufAeval2= new CFList [A.level() - 2];
 ...
     evaluationWRTDifferentSecondVars (bufAeval2, bufEvaluation, A);

     for (int j= 0; j < A.level() - 1; j++)
     {
       if (!bufAeval2[j].isEmpty())
         counter++;
     }
 }}}
 so this queries all elements `bufAeval2[0],...,bufAeval2[A.level()-2]`.
 However, if this allocates an array as it does in C, then the `new` command
 above only creates `bufAeval2[0],...,bufAeval2[A.level()-3]` (i.e.,
 A.level()-2 of them, but 0-based).

 The initialization by `evaluationWRTDifferentSecondVars` seems to
 corroborate that:

 facFqFactorize.cc:1778
 {{{
 void
 evaluationWRTDifferentSecondVars (CFList*& Aeval, const CFList& evaluation,
                                   const CanonicalForm& A)
 {
   CanonicalForm tmp;
   CFList tmp2;
   CFListIterator iter;
   for (int i= A.level(); i > 2; i--)
   {
 ...
     if (preserveDegree)
       Aeval [i - 3]= tmp2;
     else
       Aeval [i - 3]= CFList();
   }
 }
 }}}
 So only `Aeval[0], ..., Aeval[A.level()-3]` get initialized.

 Thus, the reference to `!bufAeval2[j].isEmpty()` with `j = A.level() - 2`
 indeed seems out of bounds to me. The abundance of bound errors in
 Singular is really making me feel uncomfortable. The Singular team should
 really take their memory audits a little more seriously. They're playing
 Russian roulette with mathematical correctness.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13731#comment:43>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
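The off-by-one nbruin describes above, replayed as an added example (not code from the ticket, from Sage or from Singular). `FakeList` stands in for `CFList` with only the `isEmpty()` query, `fillSecondVars` mirrors the index pattern of `evaluationWRTDifferentSecondVars` (writing `Aeval[i-3]` for `i = A.level()` down to 3; the "all non-empty" content is constructed, not Singular's logic), and `countNonEmpty` replays the loop at `facFactorize.cc:688` with an explicit bounds check so the out-of-range index is counted instead of dereferenced. The `scanFixed` bound of `A.level()-2` is the one the comment's analysis implies, not a claim about how upstream fixed it; all names are hypothetical.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Stand-in for Singular's CFList: only the emptiness query matters here.
struct FakeList {
    bool empty = true;
    bool isEmpty() const { return empty; }
};

// Mirrors the index pattern of evaluationWRTDifferentSecondVars:
// writes Aeval[i - 3] for i = level .. 3, i.e. indices 0 .. level-3.
// The content (every entry non-empty) is constructed for the example.
static void fillSecondVars(std::vector<FakeList>& aeval, int level) {
    for (int i = level; i > 2; --i) {
        aeval.at(static_cast<std::size_t>(i - 3)).empty = false;
    }
}

struct ScanResult {
    int counted;      // entries the loop judged non-empty
    int outOfBounds;  // indexes outside [0, size) the loop tried to touch
};

// Bounds-checked replay of the counting loop at facFactorize.cc:688.
// The array has level-2 elements, as in `new CFList [A.level() - 2]`.
// `upperExclusive` is the loop bound under test.
static ScanResult countNonEmpty(int level, int upperExclusive) {
    const std::size_t size = static_cast<std::size_t>(level - 2);
    std::vector<FakeList> aeval(size);
    fillSecondVars(aeval, level);

    ScanResult r{0, 0};
    for (int j = 0; j < upperExclusive; ++j) {
        if (j < 0 || static_cast<std::size_t>(j) >= size) {
            ++r.outOfBounds;  // the raw code would read past the allocation here
            continue;
        }
        if (!aeval[static_cast<std::size_t>(j)].isEmpty()) {
            ++r.counted;
        }
    }
    return r;
}

// Loop bound as quoted in the ticket: j < A.level() - 1.
ScanResult scanAsInTicket(int level) { return countNonEmpty(level, level - 1); }

// Loop bound matching the allocation: j < A.level() - 2 (hypothetical fix).
ScanResult scanFixed(int level) { return countNonEmpty(level, level - 2); }

int main() {
    for (int level = 3; level <= 6; ++level) {
        ScanResult bug = scanAsInTicket(level);
        ScanResult ok = scanFixed(level);
        std::cout << "level " << level
                  << ": ticket loop touches " << bug.outOfBounds
                  << " out-of-range index, fixed loop touches " << ok.outOfBounds
                  << " (both count " << bug.counted << " non-empty)\n";
    }
    return 0;
}
```

For every `level >= 3` the ticket's bound visits exactly one index past the end (`j = level - 2`), which is what the `isEmpty(this=0x7fffa515b000)` frame in the backtrace corresponds to. If the `std::vector` and the explicit check are replaced by a raw `new FakeList[level - 2]` array, as in Singular, the same read is reported by AddressSanitizer (`-fsanitize=address`) as a heap-buffer-overflow one element past the allocation; that is the check a memory audit of this code would run.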
