#13731: Fix libsingular memory management
--------------------------------------------------------------+-------------
Reporter: nbruin | Owner:
rlm
Type: defect | Status:
new
Priority: major | Milestone:
sage-5.6
Component: memleak | Resolution:
Keywords: | Work issues:
Report Upstream: Fixed upstream, in a later stable release. | Reviewers:
Authors: Nils Bruin, Simon King | Merged in:
Dependencies: | Stopgaps:
--------------------------------------------------------------+-------------
Comment (by nbruin):
> {{{
> sage: P.<x,y> = QQ[]
> sage: x*y
> x*y
> }}}
I put this in a file to run as a doctest using valgrind and gdb. The crash
happens in python's gcmodule, so the memory corruption is severe.
{{{
==12827== Invalid write of size 8
==12827== at 0x26A58673: pp_Mult_mm__FieldQ_LengthThree_OrdGeneral
(pp_Mult_mm__T.cc:48)
==12827== by 0x27748935:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_mul(spolyrec**,
spolyrec*, spolyrec*, sip_sring*) (pInline2.h:673)
==12827== by 0x265BCE3F:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:16475)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
...
==12827== Address 0x101597c0 is 0 bytes after a block of size 16 alloc'd
==12827== at 0x4A0762F: malloc (vg_replace_malloc.c:270)
==12827== by 0x26A5865E: pp_Mult_mm__FieldQ_LengthThree_OrdGeneral
(omalloc.h:85)
==12827== by 0x27748935:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_mul(spolyrec**,
spolyrec*, spolyrec*, sip_sring*) (pInline2.h:673)
==12827== by 0x265BCE3F:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:16475)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
==12827== by 0x4C5435E: binary_op1 (abstract.c:945)
==12827== Invalid write of size 8
==12827== at 0x26A5867F: pp_Mult_mm__FieldQ_LengthThree_OrdGeneral
(pp_Mult_mm__T.cc:49)
==12827== by 0x27748935:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_mul(spolyrec**,
spolyrec*, spolyrec*, sip_sring*) (pInline2.h:673)
==12827== by 0x265BCE3F:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:16475)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
==12827== by 0x4C5435E: binary_op1 (abstract.c:945)
...
==12827== Address 0x101597c8 is 8 bytes after a block of size 16 alloc'd
==12827== at 0x4A0762F: malloc (vg_replace_malloc.c:270)
==12827== by 0x26A5865E: pp_Mult_mm__FieldQ_LengthThree_OrdGeneral
(omalloc.h:85)
==12827== by 0x27748935:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_mul(spolyrec**,
spolyrec*, spolyrec*, sip_sring*) (pInline2.h:673)
==12827== by 0x265BCE3F:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:16475)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
==12827== by 0x4C5435E: binary_op1 (abstract.c:945)
}}}
Similar message 16 bytes past and one invalid write `Address 0x101597d8 is
not stack'd, malloc'd or (recently) free'd`
Also:
{{{
==12827== Invalid read of size 8
==12827== at 0x269A4A56: nlNormalize(snumber*&) (longrat.cc:1122)
==12827== by 0x269C7E50: p_Normalize(spolyrec*, sip_sring*)
(polys.cc:647)
==12827== by 0x265BD052:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:31792)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
==12827== by 0x4C5435E: binary_op1 (abstract.c:945)
...
==12827== Address 0x101597c0 is 0 bytes after a block of size 16 alloc'd
==12827== at 0x4A0762F: malloc (vg_replace_malloc.c:270)
==12827== by 0x26A5865E: pp_Mult_mm__FieldQ_LengthThree_OrdGeneral
(omalloc.h:85)
==12827== by 0x27748935:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_mul(spolyrec**,
spolyrec*, spolyrec*, sip_sring*) (pInline2.h:673)
==12827== by 0x265BCE3F:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:16475)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
==12827== by 0x4C5435E: binary_op1 (abstract.c:945)
==12827== Invalid read of size 8
==12827== at 0x269CBC3D: p_String0(spolyrec*, sip_sring*, sip_sring*)
(polys0.cc:90)
==12827== by 0x27748087:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_str(spolyrec*,
sip_sring*) (polynomial.cpp:4266)
==12827== by 0x2658F9B1:
__pyx_pw_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular_33_repr_(_object*,
_object*) (multi_polynomial_libsingular.cpp:17242)
==12827== by 0x4C59402: PyObject_Call (abstract.c:2529)
==12827== by 0x10CD2408:
__pyx_pw_4sage_9structure_11sage_object_10SageObject_5__repr__
(sage_object.c:1790)
...
==12827== Address 0x101597d8 is not stack'd, malloc'd or (recently)
free'd
==12827== Invalid read of size 8
==12827== at 0x269CB926: writemon(spolyrec*, int, sip_sring*)
(polys0.cc:25)
==12827== by 0x269CBC82: p_String0(spolyrec*, sip_sring*, sip_sring*)
(polys0.cc:92)
==12827== by 0x27748087:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_str(spolyrec*,
sip_sring*) (polynomial.cpp:4266)
==12827== by 0x2658F9B1:
__pyx_pw_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular_33_repr_(_object*,
_object*) (multi_polynomial_libsingular.cpp:17242)
...
==12827== Address 0x101597c0 is 0 bytes after a block of size 16 alloc'd
==12827== at 0x4A0762F: malloc (vg_replace_malloc.c:270)
==12827== by 0x26A5865E: pp_Mult_mm__FieldQ_LengthThree_OrdGeneral
(omalloc.h:85)
==12827== by 0x27748935:
__pyx_f_4sage_4libs_8singular_10polynomial_singular_polynomial_mul(spolyrec**,
spolyrec*, spolyrec*, sip_sring*) (pInline2.h:673)
==12827== by 0x265BCE3F:
__pyx_f_4sage_5rings_10polynomial_28multi_polynomial_libsingular_23MPolynomial_libsingular__mul_(__pyx_obj_4sage_5rings_10polynomial_28multi_polynomial_libsingular_MPolynomial_libsingular*,
__pyx_obj_4sage_9structure_7element_RingElement*, int)
(multi_polynomial_libsingular.cpp:16475)
==12827== by 0x154E9EA8:
__pyx_pw_4sage_9structure_7element_11RingElement_11__mul__
(element.c:14091)
}}}
etc. I tracked down the other bugs from similar information, so good luck!
My guess is that this PolyBin is a little more required than assumed.
This is really just running the test and copy/paste from valgrind! It's
much faster if you can do this yourself.
}}}
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/13731#comment:91>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
--
You received this message because you are subscribed to the Google Groups
"sage-trac" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/sage-trac?hl=en.
