SegFault/double free with simple array mask operation
Hello everybody! Please have a look at the program below: # start import numpy t_array=numpy.ones(2048, dtype=numpy.float32) sinc_array=numpy.array((len(t_array),),dtype=numpy.float32) sinc_array[(t_array > 0.)]=1.0 # end If you execute this program, it crashes with Segmentation Fault or *** glibc detected *** python: double free or corruption (out): 0x081fe470 *** It depends on the circumstances, which error occurs, e.g. you must quit your interpreter if you are in interactvie mode. Obviously numpy.array() should be numpy.zeros() or numpy.empty() .... But this program should not crash with a core dump. Used Linux Versions are: Debian Testing with numpy 1.0.3, Debian Stable with numpy 1.0.1, Ubuntu Linux 6.10 with numpy 1.0 Also numpy-1.0.4 crashes. Yours, Achim
On Wed, 14 Nov 2007 19:31:38 +0100 Achim Gaedke <Achim.Gaedke@physik.tu-darmstadt.de> wrote:
Hello everybody!
Please have a look at the program below:
# start import numpy
t_array=numpy.ones(2048, dtype=numpy.float32) sinc_array=numpy.array((len(t_array),),dtype=numpy.float32) sinc_array[(t_array > 0.)]=1.0 # end
If you execute this program, it crashes with Segmentation Fault or *** glibc detected *** python: double free or corruption (out): 0x081fe470 ***
It depends on the circumstances, which error occurs, e.g. you must quit your interpreter if you are in interactvie mode.
Obviously numpy.array() should be numpy.zeros() or numpy.empty() .... But this program should not crash with a core dump.
Used Linux Versions are: Debian Testing with numpy 1.0.3, Debian Stable with numpy 1.0.1, Ubuntu Linux 6.10 with numpy 1.0 Also numpy-1.0.4 crashes.
Yours, Achim
_______________________________________________ Numpy-discussion mailing list Numpy-discussion@scipy.org http://projects.scipy.org/mailman/listinfo/numpy-discussion
I can confirm the problem on opensuse10.2 x86_64 using python2.5
numpy.__version__ '1.0.5.dev4453'
Here is a backtrace Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 46940023738768 (LWP 4279)] 0x00002ab1128cde47 in _PyObject_GC_Track () from /usr/lib64/libpython2.5.so.1.0 (gdb) bt #0 0x00002ab1128cde47 in _PyObject_GC_Track () from /usr/lib64/libpython2.5.so.1.0 #1 0x00002ab1128ce514 in PyGC_Collect () from /usr/lib64/libpython2.5.so.1.0 #2 0x00002ab1128c3ce7 in Py_Finalize () from /usr/lib64/libpython2.5.so.1.0 #3 0x00002ab1128ccf34 in Py_Main () from /usr/lib64/libpython2.5.so.1.0 #4 0x00002ab1133e7bc4 in __libc_start_main () from /lib64/libc.so.6 #5 0x00000000004006a9 in _start () Nils
Achim Gaedke wrote:
Hello everybody!
Please have a look at the program below:
# start import numpy
t_array=numpy.ones(2048, dtype=numpy.float32) sinc_array=numpy.array((len(t_array),),dtype=numpy.float32) sinc_array[(t_array > 0.)]=1.0 # end
If you execute this program, it crashes with Segmentation Fault or *** glibc detected *** python: double free or corruption (out): 0x081fe470 ***
It depends on the circumstances, which error occurs, e.g. you must quit your interpreter if you are in interactvie mode.
Obviously numpy.array() should be numpy.zeros() or numpy.empty() .... But this program should not crash with a core dump.
Used Linux Versions are: Debian Testing with numpy 1.0.3, Debian Stable with numpy 1.0.1, Ubuntu Linux 6.10 with numpy 1.0 Also numpy-1.0.4 crashes.
Yours, Achim
Could you open a ticket on the numpy trac system ? (I can confirm the bug) cheers, David
David Cournapeau wrote:
Achim Gaedke wrote:
Hello everybody!
Please have a look at the program below:
# start import numpy
t_array=numpy.ones(2048, dtype=numpy.float32) sinc_array=numpy.array((len(t_array),),dtype=numpy.float32) sinc_array[(t_array > 0.)]=1.0 # end
.... Could you open a ticket on the numpy trac system ? (I can confirm the bug)
cheers,
David
It is Ticket #614 . The version information in trac are outdated, I could not select version 1.0.3 or 1.0.4 . Yours, Achim
Achim Gaedke wrote:
David Cournapeau wrote:
Could you open a ticket on the numpy trac system ? (I can confirm the bug)
cheers,
David
It is Ticket #614 . The version information in trac are outdated, I could not select version 1.0.3 or 1.0.4 .
Here is the solution for Segmentation Fault reported. It is basicly copied from the function iter_subscript_Bool, which alredy does the necessary range checks. Achim Index: arrayobject.c =================================================================== --- arrayobject.c (revision 4464) +++ arrayobject.c (working copy) @@ -9337,6 +9337,11 @@ return -1; } index = ind->dimensions[0]; + if (index > self->size) { + PyErr_SetString(PyExc_ValueError, + "too many boolean indices"); + return -1; + } strides = ind->strides[0]; dptr = ind->data; PyArray_ITER_RESET(self);
On Sat, Nov 17, 2007 at 12:55:57PM +0100, Achim Gaedke wrote:
Achim Gaedke wrote:
David Cournapeau wrote:
Could you open a ticket on the numpy trac system ? (I can confirm the bug)
cheers,
David
It is Ticket #614 . The version information in trac are outdated, I could not select version 1.0.3 or 1.0.4 .
Here is the solution for Segmentation Fault reported. It is basicly copied from the function iter_subscript_Bool, which alredy does the necessary range checks.
Thanks, Achim. This is now fixed in SVN. Regards Stéfan
Stefan, Ticket #607 should be closed now also. It looks like I can't do that, even though I created the ticket. I'm not sure whether it was the fix for #614 that did it, or whether it is the code it referred to, but now a proper exception is raised instead of a segfault. Eric Stefan van der Walt wrote:
On Sat, Nov 17, 2007 at 12:55:57PM +0100, Achim Gaedke wrote:
Achim Gaedke wrote:
David Cournapeau wrote:
Could you open a ticket on the numpy trac system ? (I can confirm the bug)
cheers,
David
It is Ticket #614 . The version information in trac are outdated, I could not select version 1.0.3 or 1.0.4 .
Here is the solution for Segmentation Fault reported. It is basicly copied from the function iter_subscript_Bool, which alredy does the necessary range checks.
Thanks, Achim. This is now fixed in SVN.
Regards Stéfan _______________________________________________ Numpy-discussion mailing list Numpy-discussion@scipy.org http://projects.scipy.org/mailman/listinfo/numpy-discussion
On Sun, Nov 18, 2007 at 11:18:10AM -1000, Eric Firing wrote:
Ticket #607 should be closed now also. It looks like I can't do that, even though I created the ticket.
I'm not sure whether it was the fix for #614 that did it, or whether it is the code it referred to, but now a proper exception is raised instead of a segfault.
Thanks, Eric. I closed #607. Those reports referred to the same bug (indexing with too many booleans). Regards Stéfan
participants (5)
-
Achim Gaedke
-
David Cournapeau
-
Eric Firing
-
Nils Wagner
-
Stefan van der Walt