#13731: Fix libsingular memory management
------------------------------------------------------------------+---------
Reporter: nbruin | Owner: rlm
Type: defect | Status: new
Priority: major | Milestone: sage-5.6
Component: memleak | Resolution:
Keywords: | Work issues:
Report Upstream: Reported upstream. Developers acknowledge bug. | Reviewers:
Authors: | Merged in:
Dependencies: | Stopgaps:
------------------------------------------------------------------+---------
Comment (by nbruin):
Replying to [comment:2 nbruin]:
> {{{
> #0 0x00007fffce9fb3f2 in List<CanonicalForm>::isEmpty(this=0x7fffa515b000) at ./templates/ftmpl_list.cc:256
> #1 0x00007fffce96a350 in multiFactorize (F=..., v=...) at facFactorize.cc:710
> }}}
I think this one is rather straightforward too (and a genuine out-of-bounds
reference!):
facFactorize.cc:688
{{{
CFList* bufAeval2= new CFList [A.level() - 2];
...
evaluationWRTDifferentSecondVars (bufAeval2, bufEvaluation, A);
for (int j= 0; j < A.level() - 1; j++)
{
  if (!bufAeval2[j].isEmpty())
    counter++;
}
}}}
So this queries all elements `bufAeval2[0],...,bufAeval2[A.level()-2]`.
However, if this allocates an array as it does in C, then the `new` command
above only creates `bufAeval2[0],...,bufAeval2[A.level()-3]` (i.e.,
A.level()-2 of them, but 0-based). The initialization by
`evaluationWRTDifferentSecondVars` seems to corroborate that:
facFqFactorize.cc:1778
{{{
void
evaluationWRTDifferentSecondVars (CFList*& Aeval, const CFList& evaluation,
                                  const CanonicalForm& A)
{
  CanonicalForm tmp;
  CFList tmp2;
  CFListIterator iter;
  for (int i= A.level(); i > 2; i--)
  {
    ...
    if (preserveDegree)
      Aeval [i - 3]= tmp2;
    else
      Aeval [i - 3]= CFList();
  }
}
}}}
So only `Aeval[0], ..., Aeval[A.level()-3]` get initialized.
Thus, the reference to `!bufAeval2[j].isEmpty()` with `j = A.level() - 2`
indeed seems out of bounds to me. The abundance of bound errors in
Singular is really making me feel uncomfortable. The Singular team should
really take their memory audits a little more seriously. They're playing
Russian roulette with mathematical correctness.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13731#comment:43>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
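
The index arithmetic from the comment above, replayed as an added example (not Singular or Sage code, and not part of the original message). `TrackedArray`, `Audit` and `audit_loops` are hypothetical names, and the `level - 2` read bound is an assumption chosen to match the allocation size, not the upstream fix.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for the CFList array: records which slots were written and
// every index that falls outside [0, size) instead of touching memory.
struct TrackedArray {
    std::vector<bool> initialized;  // one flag per allocated slot
    std::vector<long> oob;          // out-of-range indices, in access order
    explicit TrackedArray(long n) : initialized(n > 0 ? (std::size_t)n : 0, false) {}
    long size() const { return (long)initialized.size(); }
    bool in_bounds(long i) {
        if (i >= 0 && i < size()) return true;
        oob.push_back(i);
        return false;
    }
    void write(long i) { if (in_bounds(i)) initialized[(std::size_t)i] = true; }
    void read(long i)  { in_bounds(i); }
};

struct Audit { long allocated; long uninitialized; std::vector<long> oob; };

// Replays the ticket's loops for a polynomial of the given level.
// read_offset = 1 reproduces `j < A.level() - 1` as quoted;
// read_offset = 2 is the bound that matches the allocation (assumption).
Audit audit_loops(long level, long read_offset) {
    TrackedArray a(level - 2);                        // new CFList [A.level() - 2]
    for (long i = level; i > 2; i--) a.write(i - 3);  // Aeval [i - 3] = ...
    Audit r;
    r.allocated = a.size();
    r.uninitialized = 0;
    for (bool b : a.initialized) if (!b) r.uninitialized++;
    for (long j = 0; j < level - read_offset; j++) a.read(j);  // bufAeval2[j].isEmpty()
    r.oob = a.oob;
    return r;
}

int main() {
    for (long level = 2; level <= 5; level++) {  // constructed sample levels
        Audit bad = audit_loops(level, 1), ok = audit_loops(level, 2);
        std::printf("level=%ld allocated=%ld oob(as quoted)=%zu oob(level-2 bound)=%zu\n",
                    level, bad.allocated, bad.oob.size(), ok.oob.size());
    }
    return 0;
}
```

For every level of 2 or more the quoted read loop reaches exactly one index past the allocation, `A.level() - 2`, including the zero-length case at level 2.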