[Rd] supsmu(periodic=TRUE) can crash R by reading before start of array (PR#9502)
bill at insightful.com
Thu Feb 8 20:48:39 CET 2007
supsmu(periodic=TRUE) can crash R by reading before start of array.
To reproduce:
set.seed(1)
xx <- runif(29000)
yy <- rnorm(29000)
span <- 0.49
i <- 1
while(i < 200){
    cat(i,"\n")
    int <- supsmu(xx,yy,periodic=T,span=span)
    i <- i+1
}
results in:
1
2
3
4
5
6
7
8
9
Program received signal SIGSEGV, Segmentation fault.
smooth_ (n=0xffffeffe, x=0xb6a7f020, y=0xb6993020, w=0xb6921020,
span=0xffffeffe, iper=0xffffeffe, vsmlsq=0xffffeffe, smo=0xb68e8020,
acvr=0x9c7e7c8) at ppr.f:1087
1087 xti=x(j)
Current language: auto; currently fortran
(gdb) list
1082 if (ibw.lt.2) ibw=2
1083 it=2*ibw+1
1084 do 20 i=1,it
1085 j=i
1086 if (jper.eq.2) j=i-ibw-1
-> 1087 xti=x(j)
1088 if (j.ge.1) go to 10
1089 j=n+j
1090 xti=x(j)-1d0
1091 10 wt=w(j)
(gdb) print jper
$1 = 2
(gdb) print j
$2 = -4099
If you use 'R -d valgrind' it stops in the same spot
on the first call to supsmu:
1
==8058== Invalid read of size 8
==8058== at 0x56A65DA: smooth_ (ppr.f:1087)
==8058== by 0x56A64D5: supsmu_ (ppr.f:1028)
==8058== by 0x80B2488: do_dotCode (dotcode.c:1753)
==8058== by 0x80C9405: Rf_eval (eval.c:441)
...
==8058== Address 0x5EFDA80 is 0 bytes after a block of size 232,024 alloc'd
==8058== at 0x401A6EE: malloc (vg_replace_malloc.c:149)
==8058== by 0x80EFBC9: Rf_allocVector (memory.c:1952)
==8058== by 0x807B6CB: do_makevector (builtin.c:558)
==8058== by 0x80F9946: do_internal (names.c:1091)
==8058== by 0x80C9478: Rf_eval (eval.c:424)
Note that it computes x(j) and then, if j is out of
bounds, resets j to be at the end of the x array
and recomputes x(j). It should not compute x(j) if
j is out of bounds.
A fix that keeps this looking like Fortran IV is
to put 'if (j.ge.1)' at the start of line 1087
(in R_HOME/src/library/stats/src/ppr.f). This stops
the crash and makes valgrind happy.
(Splus has the identical problem and fix.)
*** ppr.f~ 2007-02-08 11:31:50.000000000 -0800
--- ppr.f 2007-02-08 11:32:07.000000000 -0800
***************
*** 1084,1090 ****
do 20 i=1,it
j=i
if (jper.eq.2) j=i-ibw-1
! xti=x(j)
if (j.ge.1) go to 10
j=n+j
xti=x(j)-1d0
--- 1084,1090 ----
do 20 i=1,it
j=i
if (jper.eq.2) j=i-ibw-1
! if (j.ge.1) xti=x(j)
if (j.ge.1) go to 10
j=n+j
xti=x(j)-1d0
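Review bot: the new guard on the `!` line repeats the test on the very next line (`if (j.ge.1) go to 10`), so the in-range read and the jump could be a single guarded block (`if (j.ge.1) then` / `xti=x(j)` / `go to 10` / `endif`) rather than two separate tests of the same condition; either way the patch does stop the out-of-range read that gdb and valgrind flagged at ppr.f:1087. Note also that the wrapped read `j=n+j` / `xti=x(j)-1d0` still assumes `n+j` is at least 1, i.e. that the window half-width `ibw` is smaller than `n`; nothing in this hunk checks that, so it may be worth confirming where `ibw` is derived that it cannot reach `n`.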
--please do not edit the information below--
Version:
platform = i686-pc-linux-gnu
arch = i686
os = linux-gnu
system = i686, linux-gnu
status = Under development (unstable)
major = 2
minor = 5.0
year = 2007
month = 02
day = 05
svn rev = 40659
language = R
version.string = R version 2.5.0 Under development (unstable) (2007-02-05 r40659)
Locale:
LC_CTYPE=en_US.UTF-8;LC_NUMERIC=C;LC_TIME=en_US.UTF-8;LC_COLLATE=en_US.UTF-8;LC_MONETARY=en_US.UTF-8;LC_MESSAGES=en_US.UTF-8;LC_PAPER=en_US.UTF-8;LC_NAME=C;LC_ADDRESS=C;LC_TELEPHONE=C;LC_MEASUREMENT=en_US.UTF-8;LC_IDENTIFICATION=C
Search Path:
.GlobalEnv, package:stats, package:graphics, package:grDevices, package:utils, package:datasets, package:methods, Autoloads, package:base
----------------------------------------------------------------------------
Bill Dunlap
Insightful Corporation
bill at insightful dot com
360-428-8146
"All statements in this message represent the opinions of the author and do
not necessarily reflect Insightful Corporation policy or position."
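The read-before-check defect described in the report, and the reordering the patch applies, are easy to see in isolation. The following is an added example written for this page; it is not code from the report or from R's ppr.f. It is in C rather than Fortran, uses a small constructed abscissa array instead of the 29000 random points, and replaces the raw array dereference with an instrumented read that records out-of-range attempts (the role valgrind played above) instead of actually reading outside the buffer. The index arithmetic (j = i - ibw - 1 for i = 1..2*ibw+1, wrap to n + j and subtract one period) follows the gdb listing; the names read_x, xti_original, xti_fixed and window_reads are this example's own.

```c
#include <math.h>
#include <stdio.h>

/* Constructed sample input (not from the report): n periodic abscissa
 * values on [0,1), 1-based in the Fortran code, 0-based here. */
#define N 8
static const double X[N] = {0.05, 0.15, 0.25, 0.35, 0.45, 0.55, 0.65, 0.75};

/* Instrumented 1-based read: an out-of-range index is counted and yields
 * NAN instead of being dereferenced, so the defect is visible without UB. */
static double read_x(const double *x, int n, int j, int *oob)
{
    if (j < 1 || j > n) { (*oob)++; return NAN; }
    return x[j - 1];
}

/* Original ordering (ppr.f:1087-1090): read x(j), THEN test j, then wrap.
 * For j < 1 the first read is before the start of the array. */
static double xti_original(const double *x, int n, int j, int *oob)
{
    double xti = read_x(x, n, j, oob);   /* unconditional read: the bug */
    if (j >= 1) return xti;
    j = n + j;                           /* wrap to the end of the period */
    return read_x(x, n, j, oob) - 1.0;   /* value one period earlier */
}

/* Patched ordering: x(j) is only read once j is known to be in range. */
static double xti_fixed(const double *x, int n, int j, int *oob)
{
    if (j >= 1) return read_x(x, n, j, oob);
    j = n + j;
    return read_x(x, n, j, oob) - 1.0;
}

/* Walk the first periodic window as the do-20 loop does for jper == 2:
 * j = i - ibw - 1 for i = 1..2*ibw+1. Fills out[] with the window values
 * and returns the number of out-of-range read attempts. */
static int window_reads(double (*xti)(const double *, int, int, int *),
                        const double *x, int n, int ibw, double *out)
{
    int oob = 0;
    int it = 2 * ibw + 1;
    for (int i = 1; i <= it; i++) {
        int j = i - ibw - 1;
        out[i - 1] = xti(x, n, j, &oob);
    }
    return oob;
}

/* Entry points over the constructed sample with ibw = 2 (the minimum the
 * Fortran code allows), giving a 5-point window. */
int oob_reads_original(void) { double out[5]; return window_reads(xti_original, X, N, 2, out); }
int oob_reads_fixed(void)    { double out[5]; return window_reads(xti_fixed, X, N, 2, out); }
double fixed_window_value(int i)
{
    double out[5];
    window_reads(xti_fixed, X, N, 2, out);
    return out[i - 1];
}

int main(void)
{
    double out[5];
    int oob = window_reads(xti_original, X, N, 2, out);
    printf("original ordering: %d out-of-range reads\n", oob);
    oob = window_reads(xti_fixed, X, N, 2, out);
    printf("patched ordering:  %d out-of-range reads\n", oob);
    for (int i = 0; i < 5; i++) printf("  window[%d] = %g\n", i + 1, out[i]);
    return 0;
}
```

With ibw = 2 the loop visits j = -2, -1, 0, 1, 2; the original ordering attempts three reads before the start of the array before wrapping, the patched ordering attempts none, and both produce the same window values (x(6)-1, x(7)-1, x(8)-1, x(1), x(2)), which is why the fix is behaviour-preserving for in-range data. Because read_x also flags j > n, the same harness would expose the remaining assumption that n + j stays at least 1, i.e. that ibw is smaller than n.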