Array over-runs in CRAN packages

Prof Brian Ripley ripley at stats.ox.ac.uk
Wed Apr 4 09:04:21 CEST 2012


About 15 CRAN packages are now showing segfaults/hangs in both 
R-patched and R-devel, seen at (some columns of) 
http://cran.r-project.org/web/checks/check_summary.html .  These were 
uncovered by a change to reduce the copying of arguments in .C and 
.Fortran calls, and include packages

DoseFinding FracSim adehabitat[TL] dcemriS4 dynaTree lmm monomvn 
timereg

Some of these, e.g. FracSim, dynaTree, lmm, have been showing 
intermittent crashes for a long time (and we have reported the exact 
problem in FracSim before).

We wrote some code (currently enabled in R-devel by compiling 
src/main/dotcode.c with -DALWAYS_COPY, but that will change) to detect 
array over-runs, by adding guard elements and checking if these were 
changed.  This shows

DiceOptim.out:  array over-run in .C("improvedLHS_C") in integer argument 7
DoseFinding.out:    array over-run in .C("critfunc") in double argument 3
FracSim.out:  array over-run in .C("core_2d") in double argument 7
GLDEX.out:  array over-run in .Fortran("halton") in integer argument 4
KrigInv.out:  array over-run in .C("maximinLHS_C") in integer argument 7
SAPP.out:  array over-run in .Fortran("momorif") in double argument 15
SpatialExtremes.out:  array over-run in .C("latentgev") in double argument 26
adehabitat.out:  array over-run in .C("testindepangl") in double argument 1
adehabitatLT.out:  array over-run in .C("testindepangl") in double argument 1
cts.out:  array over-run in .Fortran("setupdate") in double argument 1
dcemriS4.out:  array over-run in .C("dce_bayes_run_single") in double argument 11
dynaTree.out:  array over-run in .C("dynaTree_R") in integer argument 3
fOptions.out:  array over-run in .Fortran("halton") in integer argument 4
ftnonpar.out:  array over-run in .C("mintvmon") in integer argument 3
lhs.out:  array over-run in .C("improvedLHS_C") in integer argument 7
lmm.out:  array over-run in .Fortran("fastmcmc") in integer argument 48
medAdherence.out:  array over-run in .C("csa") in integer argument 5
ncomplete.out:  array over-run in .Fortran("ncompl") in integer argument 9
negenes.out:  array over-run in .C("R_negenes") in integer argument 12
noverlap.out:  array over-run in .Fortran("novrlp") in integer argument 9
randtoolbox.out:  array over-run in .Fortran("halton") in integer argument 4
rrcov.out:  array over-run in .Fortran("fsada") in integer argument 14
timereg.out:  array over-run in .C("score") in double argument 29

As this is experimental code I am not yet 100% sure that it is always 
correct, but I have confirmed enough examples to have some confidence 
in it.  (It is also possible the compiled code is not in your package: 
Mr lhs please note this for DiceOptim and KrigInv: however it does 
seem that there are 3 copies of the incorrect Halton code.)

Because of the way allocations work in R (rounding up to a multiple of 
8 bytes) you may get away with over-run-by-one errors for integer and 
logical arguments.  But otherwise running an instrumented version of R 
under valgrind will help pinpoint where your code steps out of bounds.

Please investigate and submit a corrected update.

Brian Ripley

-- 
Brian D. Ripley,                  ripley at stats.ox.ac.uk
Professor of Applied Statistics,  http://www.stats.ox.ac.uk/~ripley/
University of Oxford,             Tel:  +44 1865 272861 (self)
1 South Parks Road,                     +44 1865 272866 (PA)
Oxford OX1 3TG, UK                Fax:  +44 1865 272595
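
The guard-element check described in this message, as an added C example that is not part of the original post and is not R's code in src/main/dotcode.c. It copies an argument into a buffer followed by sentinel bytes, calls the routine, and reports whether the sentinels changed; all function names, the guard size and the fill value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTES 64    /* constructed size of the guard region after the data */
#define GUARD_FILL  0xFA  /* constructed sentinel byte value */

typedef void (*routine)(void *x, int n);

/* Constructed callee with an off-by-one loop bound: also writes x[n]. */
static void fill_int_buggy(void *p, int n)
{
    int *x = p;
    for (int i = 0; i <= n; i++) x[i] = i + 1;
}

/* Constructed callee that stays inside its n elements. */
static void scale_double_ok(void *p, int n)
{
    double *x = p;
    for (int i = 0; i < n; i++) x[i] *= 2.0;
}

/* Run f on a guarded copy of arg (n elements of elsize bytes), copy the
 * results back, and return 1 if the guard changed, 0 if intact, -1 if
 * allocation failed. A write of the sentinel value itself, or one that
 * jumps past the guard region, is not detected. */
static int call_with_guard(routine f, void *arg, int n, size_t elsize)
{
    size_t len = (size_t)n * elsize;
    unsigned char *buf = malloc(len + GUARD_BYTES);
    if (buf == NULL) return -1;
    memcpy(buf, arg, len);
    memset(buf + len, GUARD_FILL, GUARD_BYTES);
    f(buf, n);
    int overrun = 0;
    for (size_t i = 0; i < GUARD_BYTES && !overrun; i++)
        overrun = (buf[len + i] != GUARD_FILL);
    memcpy(arg, buf, len);
    free(buf);
    return overrun;
}

int main(void)
{
    int a[5] = {0};
    double d[4] = {1.0, 2.0, 3.0, 4.0};
    printf("int argument:    over-run=%d\n", call_with_guard(fill_int_buggy, a, 5, sizeof a[0]));
    printf("double argument: over-run=%d\n", call_with_guard(scale_double_ok, d, 4, sizeof d[0]));
    return 0;
}
```

The check reports that an over-run happened in a given argument, not which statement caused it; locating the write still needs a tool such as valgrind.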
