ycjuan / libffm

A Library for Field-aware Factorization Machines

out of bounds access

alexeigor opened this issue · comments

In ffm.cpp: ffm_node* end = &prob.X[prob.P[i + 1]];
can access the array out of bounds.

We use clang 4.0 and libc++.

agorodilov@ml01:~/libffm$ git diff
diff --git a/Makefile b/Makefile
index 0e9b5b4..5dd4f25 100644
--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,11 @@
-CXX = g++
-CXXFLAGS = -Wall -O3 -std=c++0x -march=native
+CXX = clang++-4.0
+CXXFLAGS = -Wall -std=c++11 -march=native -D_LIBCPP_DEBUG -g -fsanitize=address -fno-omit-frame-pointer -stdlib=libc++

 # comment the following flags if you do not want to SSE instructions
 DFLAG += -DUSESSE

 # comment the following flags if you do not want to use OpenMP
-DFLAG += -DUSEOMP
+DFLAG += -DUSEOMP -g -fsanitize=address
 CXXFLAGS += -fopenmp

 all: ffm-train ffm-predict
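Review bot: On the `DFLAG += -DUSEOMP` line, the appended `-g -fsanitize=address` repeats what the new `CXXFLAGS` line already sets and ties the sanitizer flags to the OpenMP toggle, so commenting that line out, as the comment above it invites, would also change the instrumentation. Keep `DFLAG += -DUSEOMP` as it was and leave the debug flags in `CXXFLAGS` only. The same hunk drops `-O3` and hard-codes `CXX = clang++-4.0`; for anything beyond a local reproduction, put the debug settings in a separate variable or target instead of replacing the defaults.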
 
agorodilov@ml01:~/libffm$ ./ffm-train -t 2 -p libffm_toy/criteo.va.r100.gbdt0.ffm libffm_toy/criteo.tr.r100.gbdt0.ffm model
First check if the text file has already converted to binary format (0.0 seconds)
Binary file NOT found. Convert text file to binary file (24.4 seconds)
First check if the text file has already converted to binary format (0.0 seconds)
Binary file NOT found. Convert text file to binary file (4.6 seconds)
iter   tr_logloss   va_logloss      tr_time
vector[] index out of bounds
Aborted

agorodilov@ml01:~/libffm$ gdb ./ffm-train
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./ffm-train...done.
(gdb) run -t 2 -p libffm_toy/criteo.va.r100.gbdt0.ffm libffm_toy/criteo.tr.r100.gbdt0.ffm model
Starting program: /place/home/agorodilov/libffm/ffm-train -t 2 -p libffm_toy/criteo.va.r100.gbdt0.ffm libffm_toy/criteo.tr.r100.gbdt0.ffm model
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
First check if the text file has already converted to binary format (17.2 seconds)
Binary file found. Skip converting text to binary
First check if the text file has already converted to binary format (3.4 seconds)
Binary file found. Skip converting text to binary
iter   tr_logloss   va_logloss      tr_time
vector[] index out of bounds

Program received signal SIGABRT, Aborted.
0x00007ffff6940428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) list
49	in ../sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007ffff6940428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff694202a in __GI_abort () at abort.c:89
#2  0x00000000005456db in std::__1::vector<ffm::ffm_node, std::__1::allocator<ffm::ffm_node> >::operator[] (this=0x7fffffffc460, __n=10000029) at /usr/include/c++/v1/vector:1496
#3  .omp_outlined.(void) (.global_tid.=0x7fffffffb2a0, .bound_tid.=0x7fffffffb298, l=@0x7fffffffb6f0: 256411, inner_order=..., prob=..., param=..., model=..., loss=83333.049422537151, do_update=@0x7fffffffb5c0: true) at ffm.cpp:586
#4  0x00007ffff6f844b3 in __kmp_invoke_microtask () from /usr/lib/x86_64-linux-gnu/libomp.so.5
#5  0x00007ffff6f23c73 in __kmp_fork_call () from /usr/lib/x86_64-linux-gnu/libomp.so.5
#6  0x00007ffff6f18f4f in __kmpc_fork_call () from /usr/lib/x86_64-linux-gnu/libomp.so.5
#7  0x000000000053ba4f in ffm::ffm_train_on_disk(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, ffm::ffm_parameter)::$_0::operator()(ffm::(anonymous namespace)::problem_on_disk&, bool) const (this=0x7fffffffc990, prob=..., do_update=true) at ffm.cpp:577
#8  0x0000000000535383 in ffm::ffm_train_on_disk (tr_path=..., va_path=..., param=...) at ffm.cpp:610
#9  0x000000000051ae7c in train_on_disk (opt=...) at ffm-train.cpp:142
#10 0x000000000051b8ed in main (argc=7, argv=0x7fffffffe3e8) at ffm-train.cpp:170
(gdb) f 3
#3  .omp_outlined.(void) (.global_tid.=0x7fffffffb2a0, .bound_tid.=0x7fffffffb298, l=@0x7fffffffb6f0: 256411, inner_order=..., prob=..., param=..., model=..., loss=83333.049422537151, do_update=@0x7fffffffb5c0: true) at ffm.cpp:586
586	                ffm_node *end = &prob.X[prob.P[i+1]];
(gdb) info locals
i = 256410
y = -1
begin = 0x7fff50c87588
end = 0x7fff4bd4f450
expnyt = 0.42281578802092423
r = 0.025641026
t = -0.86081868410110474
.omp.iv = 162706
.capture_expr. = 256411
.capture_expr. = 256410
ii = 162706
.omp.lb = 0
.omp.ub = 256410
.omp.stride = 256411
.omp.is_last = 1
loss = 83333.049422537151
(gdb) quit
A debugging session is active.

	Inferior 1 [process 25565] will be killed.

Quit anyway? (y or n) y
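
Added example, not code from libffm or from the report: in the backtrace the abort happens on the last row (`i` equals `.omp.ub`), where the subscript used to form `end` is one past the last node. The sketch assumes `P` is a CSR-style offset array whose final entry equals `X.size()`; `Node`, `Problem`, `row_span` and the sample data are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <utility>
#include <vector>

// Constructed stand-in for ffm_node; only the container layout matters here.
struct Node { int f; int j; float v; };

// Constructed CSR-style problem: row i owns X[P[i]] .. X[P[i+1]-1].
struct Problem {
    std::vector<Node> X;
    std::vector<std::size_t> P;   // rows + 1 offsets; last one == X.size() (assumed)
    std::size_t rows() const { return P.empty() ? 0 : P.size() - 1; }
};

// True when `&X[P[i+1]]` would subscript past the last element.
// at() stands in for the libc++ debug check that aborted in the report.
bool subscript_end_is_out_of_range(const Problem& prob, std::size_t i) {
    try { (void)prob.X.at(prob.P.at(i + 1)); return false; }
    catch (const std::out_of_range&) { return true; }
}

// [begin, end) for row i, built by pointer arithmetic on data(), so the
// one-past-the-end pointer is formed without subscripting an element.
std::pair<const Node*, const Node*> row_span(const Problem& prob, std::size_t i) {
    if (i >= prob.rows())
        throw std::out_of_range("row index");
    const std::size_t lo = prob.P[i], hi = prob.P[i + 1];
    if (lo > hi || hi > prob.X.size())          // reject corrupt offsets
        throw std::out_of_range("row offsets");
    return { prob.X.data() + lo, prob.X.data() + hi };
}

// Three rows holding 2, 1 and 3 nodes (constructed data).
Problem make_sample() {
    Problem p;
    p.X = { {0,1,1.f}, {1,2,1.f}, {0,3,1.f}, {0,4,1.f}, {1,5,1.f}, {2,6,1.f} };
    p.P = { 0, 2, 3, 6 };
    return p;
}

int main() {
    Problem p = make_sample();
    auto last = row_span(p, 2);
    std::printf("last row: subscript out of range=%d, nodes=%td\n",
                subscript_end_is_out_of_range(p, 2), last.second - last.first);
}
```

Only the last row trips the check, which matches `i = 256410` with `.omp.ub = 256410` in the `info locals` output above.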