<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Tobias,<br>
<br>
Changed 1, 3,5.<br>
<br>
Will look at work needed for 7.<br>
<br>
John Forrest<br>
<br>
On 23/06/17 13:24, Tobias Stengel wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EDC45EE5442B124EBB022ECACBBA5911EC7AD1@VM-Exchange2010.intranet.lan">
<meta http-equiv="Context-Type" content="text/html;
charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<div class="WordSection1">
<p class="MsoNormal">Hi,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I want to report several bugs (passing
„-fsanitize=undefined -fsanitize=address“ to gcc helps to find
such issues):</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">1.)</p>
<p class="MsoNormal">The attached „model1.lp“ causes an heap
buffer overflow in
Cgl/src/CglPreProcess/CglPreProcess.cpp:5756
CglPreProcess::modified(OsiSolverInterface*, bool, int&,
int, int).</p>
<p class="MsoNormal">nCuts is 0.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">2.)</p>
<p class="MsoNormal">The attached model2.mps crashes if Cbc is
build with Visual C++ 2013, Visual Studio 2015 or the Intel
c++ compiler on Windows in Debug mode for x64.</p>
<p class="MsoNormal">The prebuild windows binaries from <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bintray.com_coin-2Dor_download_Cbc_&d=DwMFAg&c=Ngd-ta5yRYsqeUsEDgxhcqsYYY1Xs5ogLxWPA_2Wlc4&r=js2M0T-3OIMIVDvokcKjokJbk0F8QOCd0mT4FsVFE88&m=N7JDUKQn9r9TgDJXNiIDm8CJF_16-Fmh1btprxubXO0&s=hULo3HJWQYwnBV5d8Y3D7gnVdVDn8wQsAW9O5OkoWcE&e="
moz-do-not-send="true">
https://bintray.com/coin-or/download/Cbc/</a> also segfault
if „cbc.exe model2.mps -gomory off –solve -quit“ is used.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Workaround: add „-feas off“</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">3.)</p>
<p class="MsoNormal">There is an (undefined) integer overflow in
the hashCut function (all 4 copy&pasted instances:
CglProbing.cpp, CglPreprocess.cpp, 2x CbcCountRowCut.cpp):
</p>
<p class="MsoNormal">Changing </p>
<p class="MsoNormal">union { double d; int i[2]; } xx;</p>
<p class="MsoNormal">To</p>
<p class="MsoNormal">union { double d; unsigned int i[2]; } xx;</p>
<p class="MsoNormal">fixes this one – unsigned overflow is
defined.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">4.)</p>
<p class="MsoNormal">Several memcpy calls with num=0 and
source=NULL. I don’t think that there is any libc that does
not get this right.
</p>
<p class="MsoNormal">Nevertheless it is not defined. See <a
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__youtu.be_yG1OZ69H-5F-2Do-3Ft-3D3288&d=DwMFAg&c=Ngd-ta5yRYsqeUsEDgxhcqsYYY1Xs5ogLxWPA_2Wlc4&r=js2M0T-3OIMIVDvokcKjokJbk0F8QOCd0mT4FsVFE88&m=N7JDUKQn9r9TgDJXNiIDm8CJF_16-Fmh1btprxubXO0&s=YIz0sWhDVsWPXjhQvqbVX7KYPR1akTNYlrDTQ-CqwAM&e="
moz-do-not-send="true">
https://youtu.be/yG1OZ69H_-o?t=3288</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Fix is trivial: if(num > 0) { memcpy();
} (or use a container from STL).</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">CbcModel.cpp line 7067 and 7076</p>
<p class="MsoNormal">CglPreProcess.cpp line 2216 and 6408</p>
<p class="MsoNormal">CglTreeInfo.cpp line 1237 and 1241</p>
<p class="MsoNormal">ClpParameters.hpp line 86</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">5.)</p>
<p class="MsoNormal">CglGomory.numberTimesStalled_ is used
before initialized for some lp. Trivial to fix by adding „ =
0;“ in CglGomory.hpp line 187.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">6.) </p>
<p class="MsoNormal">-DGOMORY_LONG (in trunk) only delays the
interger overflow to CglGomory.cpp line 1193.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">7.)</p>
<p class="MsoNormal">Calling Cbc via CbcMain1 is not threadsafe,
even with CBC_THREAD_SAFE is defined. I do not know the
reason, but perhaps related to the global variables. It tends
to crash randomly if several problems are solved in parallel
(at least on windows).</p>
<p class="MsoNormal">Solving multiple problems in sequence
reduces the probability, but crashes from time to time, too.
Sadly I can’t provide an example application that crashes with
high probability.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Is there some way to create a Pull Request
or the like for trivial stuff like 3.)? That would simplify
things a lot.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Tobias</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Cbc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cbc@list.coin-or.org">Cbc@list.coin-or.org</a>
<a class="moz-txt-link-freetext" href="https://urldefense.proofpoint.com/v2/url?u=https-3A__list.coin-2Dor.org_mailman_listinfo_cbc&d=DwICAg&c=Ngd-ta5yRYsqeUsEDgxhcqsYYY1Xs5ogLxWPA_2Wlc4&r=js2M0T-3OIMIVDvokcKjokJbk0F8QOCd0mT4FsVFE88&m=N7JDUKQn9r9TgDJXNiIDm8CJF_16-Fmh1btprxubXO0&s=E6Ke_4OoY2wEwnnsWlDdBzR1JBjaJLIkEcuw87m5uxw&e=">https://urldefense.proofpoint.com/v2/url?u=https-3A__list.coin-2Dor.org_mailman_listinfo_cbc&d=DwICAg&c=Ngd-ta5yRYsqeUsEDgxhcqsYYY1Xs5ogLxWPA_2Wlc4&r=js2M0T-3OIMIVDvokcKjokJbk0F8QOCd0mT4FsVFE88&m=N7JDUKQn9r9TgDJXNiIDm8CJF_16-Fmh1btprxubXO0&s=E6Ke_4OoY2wEwnnsWlDdBzR1JBjaJLIkEcuw87m5uxw&e=</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>