
Comments (10)

GgnDpSngh avatar GgnDpSngh commented on July 17, 2024 1

Made better fix, it should be fine now.

Cheers,
Gagan

from elina.

GgnDpSngh avatar GgnDpSngh commented on July 17, 2024 1

I fixed this, thanks for spotting, this is similar to the first one, I will check if there are other parts in the code where it can also occur.

Cheers,
Gagan


GgnDpSngh avatar GgnDpSngh commented on July 17, 2024

Hi Sungkeun,

Thanks for your feedback. This is weird and there should not be any buffer overrun there. Do you have the exact test case when it crashes?

Cheers,
Gagan


skcho avatar skcho commented on July 17, 2024

Hi Gagan,

open Apron

let () =
  let man = Elina_poly.manager_alloc_loose () in
  let abs = Abstract1.top man (Environment.make [||] [||]) in
  let env = Environment.make [|Var.of_string "x"|] [||] in
  ignore (Abstract1.change_environment man abs env false)

It has the buffer overrun behavior, though it would not make an explicit crash at this point. By adding the following lines before line 110 of opt_pk_resize.c, you can see it actually accesses invalid heap memory, i.e., dim[1].

fprintf(stderr, "dim size %u\n", size);
fprintf(stderr, "access dim[%u]\n", l);
fflush(stderr);

results:

dim size 1
access dim[1]

Sincerely,
Sungkeun


GgnDpSngh avatar GgnDpSngh commented on July 17, 2024

Hi Sungkeun,

Thanks for spotting it, I have made a "quick" fix. I have not tested it properly and am not sure if it breaks other things. Let me know if there are further issues.

Cheers,
Gagan


skcho avatar skcho commented on July 17, 2024

Hi Gagan,
Thank you! I will try it.
Sungkeun


skcho avatar skcho commented on July 17, 2024

Hi Gagan,

I think I found another similar buffer overrun in opt_pk_resize.c:318.

unsigned short int l = 0;
for(k=opk->dec; k < maxcols; k++){
  unsigned short int var = dima[l] + opk->dec;
  if((l < dimsup) && (k==var)){
    map[k] = maxcols+1;
    l++;
  }
  else{
    map[k] = k - l;
  }
}

Test code is:

open Apron

let () =
  let man = Elina_poly.manager_alloc_loose () in
  let x = Var.of_string "x" in
  let y = Var.of_string "y" in
  let env = Environment.make [|x; y|] [||] in
  let tab = Parser.lincons1_of_lstring env ["y>=0"] in
  let abs = Abstract1.of_lincons_array man env tab in
  ignore (Abstract1.minimize_environment man abs)

As with the one above, it would not raise an explicit crash. If I add the following print functions before line 318:

fprintf(stderr, "dima size %u\n", dimchange->intdim+dimchange->realdim);
fprintf(stderr, "access dima[%u]\n", l);
fflush(stderr);

Results:

dima size 1
access dima[0]
dima size 1
access dima[1]

FWIW, the call stack given by address sanitizer is:

ERROR: AddressSanitizer: heap-buffer-overflow
    #0 opt_pk_remove_dimensions opt_pk_resize.c:318
    #1 ap_abstract0_remove_dimensions ap_abstract0.c:1260
    #2 ap_abstract0_apply_dimchange2 ap_abstract0.c:1507
    #3 ap_abstract1_change_environment ap_abstract1.c:1019
    #4 ap_abstract1_minimize_environment ap_abstract1.c:1057
    #5 camlidl_abstract1_ap_abstract1_minimize_environment abstract1_caml.c:1669

Thank you, Gagan!
Sungkeun

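The loop quoted in the comment above reads dima[l] before it tests l < dimsup, so once the last removed dimension has been matched (l == dimsup) the next iteration reads one element past the end of dima, which is exactly the "access dima[1]" with "dima size 1" that the print statements show. The following is an added example, not ELINA's code and not posted by either participant: it rebuilds that loop stand-alone in C, with every read of dima routed through a helper that counts out-of-bounds indices instead of dereferencing them, so the overrun can be observed without undefined behaviour, and places the hardened ordering (bounds test first, then the read) beside it. The struct-free signature, the value dec = 2, the sentinel maxcols + 1, and the input (two columns x and y with x being removed, mirroring the minimize_environment test) are assumptions made for the example.

```c
#include <stdio.h>

/* Sentinel the page's loop stores for a removed column (maxcols + 1). */
#define MAP_REMOVED(maxcols) ((unsigned short)((maxcols) + 1))

/* Reads dima[idx] if it is in bounds; otherwise records an overrun and
 * returns 0 so the caller keeps running. In the real code this is where the
 * heap-buffer-overflow reported by AddressSanitizer happens. */
static unsigned short read_dima(const unsigned short *dima, unsigned short dimsup,
                                unsigned short idx, int *oob_reads)
{
    if (idx >= dimsup) {
        (*oob_reads)++;
        return 0;
    }
    return dima[idx];
}

/* Ordering from the thread: dima[l] is read unconditionally, and the
 * l < dimsup test only guards the assignment. Returns the number of
 * out-of-bounds reads; map[] is filled as a side effect. */
int build_map_unchecked(unsigned short *map, unsigned short maxcols, unsigned short dec,
                        const unsigned short *dima, unsigned short dimsup)
{
    int oob = 0;
    unsigned short l = 0;
    for (unsigned short k = dec; k < maxcols; k++) {
        unsigned short var = (unsigned short)(read_dima(dima, dimsup, l, &oob) + dec);
        if ((l < dimsup) && (k == var)) {
            map[k] = MAP_REMOVED(maxcols);
            l++;
        } else {
            map[k] = (unsigned short)(k - l);
        }
    }
    return oob;
}

/* Hardened ordering: test l < dimsup first and read dima[l] only when it
 * holds. The map produced is identical for every in-bounds iteration. */
int build_map_checked(unsigned short *map, unsigned short maxcols, unsigned short dec,
                      const unsigned short *dima, unsigned short dimsup)
{
    int oob = 0;
    unsigned short l = 0;
    for (unsigned short k = dec; k < maxcols; k++) {
        if (l < dimsup && k == read_dima(dima, dimsup, l, &oob) + dec) {
            map[k] = MAP_REMOVED(maxcols);
            l++;
        } else {
            map[k] = (unsigned short)(k - l);
        }
    }
    return oob;
}

static void print_map(const char *label, const unsigned short *map,
                      unsigned short maxcols, unsigned short dec, int oob)
{
    printf("%s: out-of-bounds reads = %d, map =", label, oob);
    for (unsigned short k = dec; k < maxcols; k++)
        printf(" [%u]=%u", k, map[k]);
    printf("\n");
}

int main(void)
{
    /* Constructed input: environment {x, y}, dec = 2 leading columns, so
     * maxcols = 4; x (dimension 0) is unconstrained and gets removed. */
    const unsigned short dec = 2, maxcols = 4;
    const unsigned short dima[1] = {0};
    const unsigned short dimsup = 1;
    unsigned short map[4];

    int oob = build_map_unchecked(map, maxcols, dec, dima, dimsup);
    print_map("unchecked", map, maxcols, dec, oob);

    oob = build_map_checked(map, maxcols, dec, dima, dimsup);
    print_map("checked  ", map, maxcols, dec, oob);
    return 0;
}
```

With the constructed input the unchecked loop performs one out-of-bounds read (dima[1]) on the iteration after x has been matched, while the checked loop performs none and produces the same map; with dimsup = 0 (nothing to remove) the unchecked version reads past the buffer on every iteration. Compiling a build of the real code with -fsanitize=address, as the commenter did, turns that read into the reported heap-buffer-overflow.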

skcho avatar skcho commented on July 17, 2024

Thank you, Gagan. I will try it.

Sincerely,
Sungkeun


GgnDpSngh avatar GgnDpSngh commented on July 17, 2024

Let me know, I made a scan through the code and did not see this pattern elsewhere, but who knows, maybe you find something soon :). I am on the move today but will try to fix any potential bugs whenever I get time.

Cheers,
Gagan


skcho avatar skcho commented on July 17, 2024

Thank you for your quick response. 😄 It looks OK as of now. I will reopen the issue if I find a similar one. Hope your move goes well.

Sincerely,
Sungkeun

