Memory error in function mpf_inp_str and mpf_set_str


Memory error in function mpf_inp_str and mpf_set_str

by Libor Bukata

Dear developers,
I wrote a simple program that demonstrates the problem. This error happens only if a high-precision number
is loaded into a low-precision number. For example, if sqrt(2) is written to a file with a precision of 1000000 digits, then loaded
into an mpf_t number with a precision of 10 digits, the expected result is 1.414213562.
System info and valgrind output are in attachments.

I use the Gentoo-distributed package gmp-4.2.2-r2:
gmp-4.1.4-noexecstack.patch
gmp-4.2.2-ABI-multilib.patch
gmp-4.2.1-s390.diff
gmp-4.2.2-cstdio-stdfile.patch

Output config.guess: x86_64-unknown-linux-gnu

Thank you for the great library!

Portage 2.1.4.4 (default/linux/amd64/2008.0/desktop, gcc-4.3.1, glibc-2.8_p20080602-r0, 2.6.24-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.24-gentoo-r2 x86_64 Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz
Timestamp of tree: Tue, 05 Aug 2008 18:00:01 +0000
ccache version 2.4 [disabled]


==25918== Memcheck, a memory error detector.
==25918== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==25918== Using LibVEX rev 1854, a library for dynamic binary translation.
==25918== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==25918== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==25918== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==25918== For more details, rerun with: -v
==25918==
==25918== Invalid write of size 8
==25918==    at 0x4E5F90E: __gmpn_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E324DB: __gmpf_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x1A4EA1E7C436CF5A: ???
==25918==    by 0x35D5A62422433369: ???
==25918==    by 0xDB0167527AA8558B: ???
==25918==    by 0x42EF81FA0E5DEA0E: ???
==25918==    by 0xAD22BEFDEE49D266: ???
==25918==    by 0x55AA3888336737D0: ???
==25918==    by 0x80E75D1878AC2D41: ???
==25918==    by 0xD029C248B03A8B0: ???
==25918==    by 0x5A9337E7678FDB2B: ???
==25918==    by 0xB5E8BDC48F2537A0: ???
==25918==  Address 0x7ff001000 is not stack'd, malloc'd or (recently) free'd
==25918==
==25918== Process terminating with default action of signal 11 (SIGSEGV)
==25918==  Access not within mapped region at address 0x7FF001000
==25918==    at 0x4E5F90E: __gmpn_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E324DB: __gmpf_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x1A4EA1E7C436CF5A: ???
==25918==    by 0x35D5A62422433369: ???
==25918==    by 0xDB0167527AA8558B: ???
==25918==    by 0x42EF81FA0E5DEA0E: ???
==25918==    by 0xAD22BEFDEE49D266: ???
==25918==    by 0x55AA3888336737D0: ???
==25918==    by 0x80E75D1878AC2D41: ???
==25918==    by 0xD029C248B03A8B0: ???
==25918==    by 0x5A9337E7678FDB2B: ???
==25918==    by 0xB5E8BDC48F2537A0: ???
==25918==
==25918== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 1)
==25918== malloc/free: in use at exit: 5,059,835 bytes in 7 blocks.
==25918== malloc/free: 183 allocs, 176 frees, 50,610,874 bytes allocated.
==25918== For counts of detected errors, rerun with: -v
==25918== searching for pointers to 7 not-freed blocks.
==25918== checked 2,171,520 bytes.
==25918==
==25918==
==25918== 568 bytes in 1 blocks are still reachable in loss record 1 of 5
==25918==    at 0x4C2267E: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25918==    by 0x50D3CA9: (within /lib64/libc-2.8.so)
==25918==    by 0x40090C: main (bug-report.c:22)
==25918==
==25918==
==25918== 415,288 bytes in 2 blocks are definitely lost in loss record 2 of 5
==25918==    at 0x4C2267E: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25918==    by 0x4E30AB8: __gmp_default_allocate (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E320BA: __gmpf_init2 (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4008A1: main (bug-report.c:9)
==25918==
==25918==
==25918== 1,000,037 bytes in 1 blocks are possibly lost in loss record 3 of 5
==25918==    at 0x4C2267E: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25918==    by 0x4E30AB8: __gmp_default_allocate (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E31FD0: __gmp_tmp_reentrant_alloc (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E32BB5: __gmpf_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E34533: __gmpf_inp_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x400922: main (bug-report.c:23)
==25918==
==25918==
==25918== 1,117,558 bytes in 1 blocks are definitely lost in loss record 4 of 5
==25918==    at 0x4C227B1: realloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25918==    by 0x4E30A6B: __gmp_default_reallocate (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E344E7: __gmpf_inp_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x400922: main (bug-report.c:23)
==25918==
==25918==
==25918== 2,526,384 bytes in 2 blocks are still reachable in loss record 5 of 5
==25918==    at 0x4C2267E: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==25918==    by 0x4E30AB8: __gmp_default_allocate (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E5F175: __gmpn_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E324DB: __gmpf_set_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x4E34533: __gmpf_inp_str (in /usr/lib64/libgmp.so.3.4.2)
==25918==    by 0x400922: main (bug-report.c:23)
==25918==
==25918== LEAK SUMMARY:
==25918==    definitely lost: 1,532,846 bytes in 3 blocks.
==25918==      possibly lost: 1,000,037 bytes in 1 blocks.
==25918==    still reachable: 2,526,952 bytes in 3 blocks.
==25918==         suppressed: 0 bytes in 0 blocks.
Segmentation fault (SIGSEGV)

[bug-report.c]

#include <stdio.h>
#include "gmp.h"

#define BITS_PER_DIGIT 3.32192809488736234789   /* log2(10): converts decimal digits to bits */

int main()
{
        mpf_t num,num2;
        mpf_init2(num, 1000000*BITS_PER_DIGIT);  /* ~1,000,000 decimal digits (line 9 in the valgrind log) */
        mpf_init2(num2, 10*BITS_PER_DIGIT);      /* ~10 decimal digits: the low-precision destination */
        mpf_set_ui(num,2);
        mpf_sqrt(num,num);                       /* num = sqrt(2) at full precision */

        // Save number to file...
        FILE* OUT;
        OUT = fopen("NumData.txt", "w"); if (OUT == NULL) return 1;
        mpf_out_str(OUT,10,0,num);               /* base 10, n_digits 0 = all significant digits */
        fclose(OUT);

        // Try to load number to num2...
        FILE* IN;
        IN = fopen("NumData.txt", "r"); if (IN == NULL) return 1;   /* line 22 in the valgrind log */
        mpf_inp_str(num2,IN,10);                 /* line 23: invalid write inside mpf_set_str */
        fclose(IN);

        mpf_clear(num); mpf_clear(num2);

        return 0;
}


_______________________________________________
gmp-bugs mailing list
gmp-bugs@...
http://swox.com/mailman/listinfo/gmp-bugs

Re: Memory error in function mpf_inp_str and mpf_set_str

by Torbjorn Granlund-2

This was indeed a GMP bug.

The problem is a completely incorrect allocation in mpf_set_str (in
the file mpf/set_str), where the destination variable's precision was
used for an allocation that needed a size proportional to the string
size.

It is strange that this has not been triggered long ago.

Here is a patch:

Index: /home/tege/prec/gmp42/mpf/set_str.c
===================================================================
RCS file: /home/cvsfiles/gmp42/mpf/set_str.c,v
retrieving revision 1.4
diff -p -2 -r1.4 set_str.c
*** /home/tege/prec/gmp42/mpf/set_str.c 11 Dec 2007 04:10:11 -0000 1.4
--- /home/tege/prec/gmp42/mpf/set_str.c 13 Aug 2008 14:14:05 -0000
*************** mpf_set_str (mpf_ptr x, const char *str,
*** 250,254 ****
  #endif
 
!     ma = 2 * (prec + 1);
      mp = TMP_ALLOC_LIMBS (ma);
      mn = mpn_set_str (mp, (unsigned char *) begs, str_size, base);
--- 250,255 ----
  #endif
 
!     ma = (((mp_size_t) (str_size / mp_bases[base].chars_per_bit_exactly))
!  / GMP_NUMB_BITS + 2);
      mp = TMP_ALLOC_LIMBS (ma);
      mn = mpn_set_str (mp, (unsigned char *) begs, str_size, base);
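Review bot: the new `ma` expression in the `!` lines sizes the buffer from the right quantity: `mpn_set_str` writes as many limbs as the digit string needs, so the old `2 * (prec + 1)`, bounded only by the destination's precision, let a long input run past the `TMP_ALLOC_LIMBS` block, which is the invalid write valgrind reported in `__gmpn_set_str`. Two suggestions: `chars_per_bit_exactly` is a floating-point value, so the `(mp_size_t)` cast truncates the bit count, and the trailing `+ 2` is what absorbs that truncation plus the partial final limb; a one-line comment saying so would stop a later cleanup from shrinking it. And because `mpf_set_str` parses caller-supplied text, the fix deserves a regression test that reads a string far longer than the destination precision (the reporter's 1,000,000-digit case into a 10-digit `mpf_t`) under valgrind, so the overflow cannot silently return.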

--
Torbjörn
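The reply explains that the old allocation depended on the destination's precision while the write depended on the string length. The following added example (mine, not code from the reporter or from GMP) models both size formulas in limbs for the reporter's 10-digit destination and 1,000,000-digit input; it assumes 64-bit limbs, reproduces GMP's __GMPF_BITS_TO_PREC rounding by assumption, and covers base 10 only.

```c
/* Added example: models the mpf_set_str limb allocation before and after
 * the patch. Constants and rounding are reproduced from GMP 4.2 by
 * assumption (64-bit limbs, base 10 only); this is not GMP's own code. */
#include <stdio.h>

typedef long mp_size_t;                          /* assumption: 64-bit build, as in the report */
#define GMP_NUMB_BITS 64
#define BITS_PER_DIGIT 3.32192809488736234789    /* log2(10), as in bug-report.c */
#define CHARS_PER_BIT_EXACTLY (1.0 / BITS_PER_DIGIT) /* stands in for mp_bases[10].chars_per_bit_exactly */

/* Precision in limbs for a requested bit count, following GMP's
 * __GMPF_BITS_TO_PREC (assumed): at least 53 bits, rounded up, plus one limb. */
static mp_size_t bits_to_prec(mp_size_t bits)
{
    if (bits < 53) bits = 53;
    return (bits + 2 * GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
}

/* Upper bound on the limbs mpn_set_str writes for str_size decimal digits:
 * the value is below 10^str_size, i.e. below 2^(str_size * log2(10)). */
static mp_size_t limbs_needed(mp_size_t str_size)
{
    mp_size_t bits = (mp_size_t)(str_size * BITS_PER_DIGIT) + 1;
    return (bits + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
}

/* Old size, from the removed line "ma = 2 * (prec + 1)": depends only on
 * the destination precision, never on the input string. */
static mp_size_t alloc_old(mp_size_t prec)
{
    return 2 * (prec + 1);
}

/* Patched size, transcribed from the hunk: derived from str_size, with +2
 * covering the truncating cast and the partial final limb. */
static mp_size_t alloc_new(mp_size_t str_size)
{
    return ((mp_size_t)(str_size / CHARS_PER_BIT_EXACTLY)) / GMP_NUMB_BITS + 2;
}

int main(void)
{
    mp_size_t prec = bits_to_prec((mp_size_t)(10 * BITS_PER_DIGIT)); /* num2 in the report */
    mp_size_t str_size = 1000000;              /* digits the reporter wrote for num */
    printf("dest prec %ld limbs: old alloc %ld, needed %ld, new alloc %ld limbs\n",
           prec, alloc_old(prec), limbs_needed(str_size), alloc_new(str_size));
    return 0;
}
```

The old size (6 limbs) is tens of thousands of limbs short of what a million-digit string needs, which is the out-of-bounds write in the valgrind log; the patched size exceeds the bound.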