[Cbc] several bugs

Tobias Stengel Tobias.Stengel at locom.de
Fri Jun 23 08:24:26 EDT 2017


Hi,

I want to report several bugs (passing "-fsanitize=undefined -fsanitize=address" to gcc helps to find such issues):

1.)
The attached "model1.lp" causes a heap buffer overflow in Cgl/src/CglPreProcess/CglPreProcess.cpp:5756 CglPreProcess::modified(OsiSolverInterface*, bool, int&, int, int).
nCuts is 0.

2.)
The attached model2.mps crashes if Cbc is built with Visual C++ 2013, Visual Studio 2015 or the Intel C++ compiler on Windows in Debug mode for x64.
The prebuilt Windows binaries from https://bintray.com/coin-or/download/Cbc/ also segfault if "cbc.exe model2.mps -gomory off -solve -quit" is used.

Workaround: add "-feas off"

3.)
There is an (undefined) integer overflow in the hashCut function (all 4 copy&pasted instances: CglProbing.cpp, CglPreprocess.cpp, 2x CbcCountRowCut.cpp):
Changing
union { double d; int i[2]; } xx;
To
union { double d; unsigned int i[2]; } xx;
fixes this one - unsigned overflow is defined.

4.)
Several memcpy calls with num=0 and source=NULL. I don't think that there is any libc that does not get this right.
Nevertheless it is not defined. See https://youtu.be/yG1OZ69H_-o?t=3288

Fix is trivial: if(num > 0) { memcpy(); } (or use a container from STL).

CbcModel.cpp line 7067 and 7076
CglPreProcess.cpp line 2216 and 6408
CglTreeInfo.cpp line 1237 and 1241
ClpParameters.hpp line 86

5.)
CglGomory.numberTimesStalled_ is used before initialized for some lp. Trivial to fix by adding " = 0;" in CglGomory.hpp line 187.

6.)
-DGOMORY_LONG (in trunk) only delays the integer overflow to CglGomory.cpp line 1193.

7.)
Calling Cbc via CbcMain1 is not thread-safe, even when CBC_THREAD_SAFE is defined. I do not know the reason, but perhaps it is related to the global variables. It tends to crash randomly if several problems are solved in parallel (at least on Windows).
Solving multiple problems in sequence reduces the probability, but crashes from time to time, too. Sadly I can't provide an example application that crashes with high probability.


Is there some way to create a Pull Request or the like for trivial stuff like 3.)? That would simplify things a lot.


Tobias
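Points 3.) and 4.) of the report above, as an added example that is not part of the original mail or of the Cbc/Cgl sources: a hypothetical stand-in for the hashCut idiom that mixes the two 32-bit halves of a double (signed `int i[2]` overflows, `unsigned int i[2]` wraps by definition), and a guarded copy that skips memcpy when num is 0 so a NULL source is never passed. The multiplier constants and the sample coefficients are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

_Static_assert(sizeof(double) == 2 * sizeof(unsigned int),
               "example assumes a 64-bit double and 32-bit unsigned int");

/* Hypothetical hashCut-style mixer. With `int i[2]` the multiplications
 * below overflow a signed int (undefined behaviour, flagged by
 * -fsanitize=undefined); with `unsigned int` the wrap-around modulo 2^32
 * is defined. Odd multipliers are bijections mod 2^32, so two doubles that
 * differ in only one half never collide. */
static unsigned int hash_double_bits(double d)
{
    union { double d; unsigned int i[2]; } xx;
    xx.d = d;
    return xx.i[0] * 0x9E3779B1u + xx.i[1] * 0x85EBCA77u;
}

/* Guarded copy: memcpy with a NULL pointer is undefined even when num == 0
 * (the nCuts == 0 situation from the report), so skip the call entirely. */
static void *copy_bytes(void *dst, const void *src, size_t num)
{
    if (num > 0) {
        memcpy(dst, src, num);
    }
    return dst;
}

/* Runs both fixes on constructed inputs; returns 1 when the expected
 * properties hold (0.0 hashes to 0, distinct values hash distinctly). */
static int demo(void)
{
    double cuts[] = { 0.0, 1.0, 2.0, -2.0 };   /* constructed coefficients */
    double empty[1];
    unsigned int h[4];
    size_t k;
    for (k = 0; k < 4; k++)
        h[k] = hash_double_bits(cuts[k]);
    copy_bytes(empty, NULL, 0);                /* zero cuts: no UB here */
    return h[0] == 0u && h[1] != h[2] && h[2] != h[3];
}

int main(void)
{
    printf("demo %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Compile with -fsanitize=undefined to confirm the unsigned version stays silent where the signed union would be reported.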



-------------- next part --------------
A non-text attachment was scrubbed...
Name: models.zip
Type: application/x-zip-compressed
Size: 15438 bytes
Desc: models.zip
URL: <http://list.coin-or.org/pipermail/cbc/attachments/20170623/b5cc2442/attachment-0001.bin>

