octave-bug-tracker
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Octave-bug-tracker] [bug #61813] memory management bug when calling MEX

From: Sébastien Villemot
Subject: [Octave-bug-tracker] [bug #61813] memory management bug when calling MEX that returns an output
Date: Thu, 13 Jan 2022 11:41:13 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 
Follow-up Comment #6, bug #61813 (project octave):

I attach a minimal test case for the invalid write memory that I encounter
with Dynare.

The file bug61813.c must be compiled with mkoctfile -mex, and .m file must
resid in the same directory.

Output of Octave 7.0.90 within Valgrind (compiled with
-enable-std-pmr-polymorphic-allocator):

==3924592== Invalid write of size 8                                           
                                                                              
                                                       
==3924592==    at 0x70ED199: mexFunction (bug61813.c:12)                      
                                                                              
                                                       
==3924592==    by 0x5B0F42A: call_mex(octave_mex_function&, octave_value_list
const&, int) (mex.cc:4769)                                                    
                                                        
==3924592==    by 0x555123F:
octave_mex_function::execute(octave::tree_evaluator&, int, octave_value_list
const&) (ov-mex-fcn.cc:112)                                                   
                            
==3924592==    by 0x55162B1: octave_function::call(octave::tree_evaluator&,
int, octave_value_list const&) (ov-fcn.cc:57)                                 
                                                          
==3924592==    by 0x56CDB30:
octave::tree_identifier::evaluate_n(octave::tree_evaluator&, int)
(pt-id.cc:130)                                                                
                                       
==3924592==    by 0x56CE3D0:
octave::tree_identifier::evaluate(octave::tree_evaluator&, int) (pt-id.h:98) 
==3924592==    by 0x56AF154:
octave::tree_evaluator::visit_statement(octave::tree_statement&)
(pt-eval.cc:3766)                                                             
                                        
==3924592==    by 0x56DCCA5:
octave::tree_statement::accept(octave::tree_walker&) (pt-stmt.h:124)     
==3924592==    by 0x56AF62E:
octave::tree_evaluator::visit_statement_list(octave::tree_statement_list&)
(pt-eval.cc:3851)                                                             
                              
==3924592==    by 0x54607C1:
octave::tree_statement_list::accept(octave::tree_walker&) (pt-stmt.h:201)
==3924592==    by 0x56A5097:
octave::tree_evaluator::eval(std::shared_ptr<octave::tree_statement_list>&,
bool) (pt-eval.cc:980)                                                        
                             
==3924592==    by 0x56A4709: octave::tree_evaluator::repl() (pt-eval.cc:801)  
                           
==3924592==  Address 0xf158410 is 0 bytes inside a block of size 8 free'd     
                       
==3924592==    at 0x484217B: free (vg_replace_malloc.c:872)                   
                  
==3924592==    by 0x5B0BE86: xfree(void*) (mex.cc:299)                        
                       
==3924592==    by 0x5B14A59: mx_memory_resource::do_deallocate(void*, unsigned
long, unsigned long) (mex.cc:360)                                             
                                                       
==3924592==    by 0x50CB067: std::pmr::memory_resource::deallocate(void*,
unsigned long, unsigned long) (memory_resource:111)                           
                                                            
==3924592==    by 0x50D150F:
std::pmr::polymorphic_allocator<double>::deallocate(double*, unsigned long)
(memory_resource:186)                                                         
                             
==3924592==    by 0x50D13FC:
std::allocator_traits<std::pmr::polymorphic_allocator<double>
>::deallocate(std::pmr::polymorphic_allocator<double>&, double*, unsigned
long) (alloc_traits.h:345)                      
==3924592==    by 0x50D12D7: Array<double,
std::pmr::polymorphic_allocator<double> >::ArrayRep::deallocate(double*,
unsigned long) (Array.h:207)                                                  
                  
==3924592==    by 0x50D1209: Array<double,
std::pmr::polymorphic_allocator<double> >::ArrayRep::~ArrayRep() (Array.h:187)
                                                                              
            
==3924592==    by 0x50D1017: Array<double,
std::pmr::polymorphic_allocator<double> >::~Array() (Array.h:356)             
                                                                              
            
==3924592==    by 0x5B1CEBD: octave_value
mxArray_base_full::fp_to_ov<double>(dim_vector const&) const (mex.cc:2149)    
                                                                              
             
==3924592==    by 0x5B18754: mxArray_base_full::as_octave_value() const
(mex.cc:2084)                 
==3924592==    by 0x5B196AB: mxArray_separate_full::as_octave_value() const
(mex.cc:2411)             
==3924592==  Block was alloc'd at                                             
                       
==3924592==    at 0x483F7B5: malloc (vg_replace_malloc.c:381)                 
                       
==3924592==    by 0x5B0BE37: xmalloc(unsigned long) (mex.cc:270)              
                       
==3924592==    by 0x5B1C0B7: mex::malloc_unmarked(unsigned long) (mex.cc:3414)
                       
==3924592==    by 0x5B1C178: mex::calloc_unmarked(unsigned long, unsigned
long) (mex.cc:3441)         
==3924592==    by 0x5B0CF33: mxArray::calloc(unsigned long, unsigned long)
(mex.cc:3686)              
==3924592==    by 0x5B17C13: mxArray_base_full::mxArray_base_full(bool,
mxClassID, double) (mex.cc:1653)  
==3924592==    by 0x5B18FAC:
mxArray_separate_full::mxArray_separate_full(mxClassID, double) (mex.cc:2321)
==3924592==    by 0x5B0CB11: mxArray::create_rep(bool, mxClassID, double)
(mex.cc:3287)                   
==3924592==    by 0x5B0C169: mxArray::mxArray(bool, mxClassID, double)
(mex.cc:3164)                      
==3924592==    by 0x5B0D86C: mxCreateDoubleScalar (mex.cc:3895)               
                           
==3924592==    by 0x70ED15C: mexFunction (bug61813.c:7)                       
                           
==3924592==    by 0x5B0F42A: call_mex(octave_mex_function&, octave_value_list
const&, int) (mex.cc:4769)  


Essentially, it seems that input arguments passed to mexCallMATLAB() are
deallocated when the call returns. This was not the case with Octave 6 (and
MATLAB does not do that either).

Octave does not crash for me in that simple case, but it’s easy to see how
it can lead to crashes in more complex scenarios.

P.S.: Feel free to rename this bug report, since the title may no longer be
relevant.


(file #52661, file #52662)
    _______________________________________________________

Additional Item Attachment:

File name: bug61813.c                     Size:0 KB
    <https://file.savannah.gnu.org/file/bug61813.c?file_id=52661>

File name: bug61813_fun.m                 Size:0 KB
    <https://file.savannah.gnu.org/file/bug61813_fun.m?file_id=52662>



    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61813>

_______________________________________________
  Message posté via Savannah
  https://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]