[Cbc] several bugs

John Forrest jjhforrest at gmail.com
Sat Jun 24 11:29:11 EDT 2017


Tobias,

Changed 1, 3, 5.

Will look at work needed for 7.

John Forrest

On 23/06/17 13:24, Tobias Stengel wrote:
>
> Hi,
>
> I want to report several bugs (passing „-fsanitize=undefined 
> -fsanitize=address“ to gcc helps to find such issues):
>
> 1.)
>
> The attached „model1.lp“ causes a heap buffer overflow in 
> Cgl/src/CglPreProcess/CglPreProcess.cpp:5756 
> CglPreProcess::modified(OsiSolverInterface*, bool, int&, int, int).
>
> nCuts is 0.
>
> 2.)
>
> The attached model2.mps crashes if Cbc is built with Visual C++ 2013, 
> Visual Studio 2015 or the Intel c++ compiler on Windows in Debug mode 
> for x64.
>
> The prebuilt Windows binaries from 
> https://bintray.com/coin-or/download/Cbc/ 
> also segfault if „cbc.exe model2.mps -gomory off -solve -quit“ is used.
>
> Workaround: add „-feas off“
>
> 3.)
>
> There is an (undefined) integer overflow in the hashCut function (all 
> 4 copy&pasted instances: CglProbing.cpp, CglPreprocess.cpp, 2x 
> CbcCountRowCut.cpp):
>
> Changing
>
> union { double d; int i[2]; } xx;
>
> To
>
> union { double d; unsigned int i[2]; } xx;
>
> fixes this one – unsigned overflow is defined.
>
> 4.)
>
> Several memcpy calls with num=0 and source=NULL. I don’t think that 
> there is any libc that does not get this right.
>
> Nevertheless it is not defined. See 
> https://youtu.be/yG1OZ69H_-o?t=3288
>
> Fix is trivial: if(num > 0) { memcpy(); } (or use a container from STL).
>
> CbcModel.cpp line 7067 and 7076
>
> CglPreProcess.cpp line 2216 and 6408
>
> CglTreeInfo.cpp line 1237 and 1241
>
> ClpParameters.hpp line 86
>
> 5.)
>
> CglGomory.numberTimesStalled_ is used before initialized for some lp. 
> Trivial to fix by adding „ = 0;“ in CglGomory.hpp line 187.
>
> 6.)
>
> -DGOMORY_LONG (in trunk) only delays the integer overflow to 
> CglGomory.cpp line 1193.
>
> 7.)
>
> Calling Cbc via CbcMain1 is not threadsafe, even when CBC_THREAD_SAFE 
> is defined. I do not know the reason, but perhaps related to the 
> global variables. It tends to crash randomly if several problems are 
> solved in parallel (at least on windows).
>
> Solving multiple problems in sequence reduces the probability, but 
> crashes from time to time, too. Sadly I can’t provide an example 
> application that crashes with high probability.
>
> Is there some way to create a Pull Request or the like for trivial 
> stuff like 3.)? That would simplify things a lot.
>
> Tobias
>
>
>
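Added example for items 3 and 4 of the quoted report (this is not Cbc's or Cgl's code, and the function names, the running hash shape and the multiplier 31 are assumptions made for illustration). hashCutUnsigned folds each coefficient's double into a running hash through a union of double and two unsigned ints, as in the suggested fix: the additions and the multiply wrap modulo 2^32, which the language defines, whereas the same arithmetic with `int i[2]` overflows on ordinary inputs such as {1.0, 2.0} and is undefined behaviour, which is what -fsanitize=undefined reports. copyCoefficients guards memcpy so it is never called with a null source and length 0.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// The union below relies on unsigned int being 32 bits wide so that
// two of them cover one IEEE-754 double.
static_assert(sizeof(unsigned int) == 4, "unsigned int must be 32 bits");
static_assert(sizeof(double) == 8, "double must be 64 bits");

// Illustrative hash in the shape of the hashCut functions named in the
// report (hypothetical, not Cbc's implementation). Each coefficient's
// double is viewed as two 32-bit halves and folded into a running hash.
// Because the halves and the accumulator are unsigned, hash * 31 and the
// additions wrap modulo 2^32, which is defined behaviour. With
// `int i[2]` the second iteration on {1.0, 2.0} already exceeds INT_MAX
// and the program has undefined behaviour.
static unsigned int hashCutUnsigned(const double* coeffs, int n) {
  unsigned int hash = 0u;
  for (int k = 0; k < n; ++k) {
    union { double d; unsigned int i[2]; } xx;
    xx.d = coeffs[k];
    // i[0] + i[1] is commutative, so the result does not depend on
    // the host's byte order.
    hash = hash * 31u + (xx.i[0] + xx.i[1]);
  }
  return hash;
}

// memcpy with a null source is undefined even when the length is zero,
// so the call is guarded exactly as the report suggests. Returns the
// number of elements copied so that the guard can be checked.
static std::size_t copyCoefficients(double* dst, const double* src, int n) {
  if (n > 0) {
    std::memcpy(dst, src, static_cast<std::size_t>(n) * sizeof(double));
    return static_cast<std::size_t>(n);
  }
  return 0;
}

// Stand-alone driver: exit status 0 when both helpers behave as expected.
int main() {
  const double a[] = {1.0, 2.0};
  const double b[] = {1.0, 3.0};
  std::vector<double> dst(2);
  if (copyCoefficients(dst.data(), nullptr, 0) != 0) return 1;
  if (copyCoefficients(dst.data(), a, 2) != 2 || dst[1] != 2.0) return 1;
  return hashCutUnsigned(a, 2) != hashCutUnsigned(b, 2) ? 0 : 1;
}
```

Build with `g++ -g -fsanitize=undefined,address` as in the report; change the union member to `int i[2]` and the accumulator to `int` and UBSan prints a "signed integer overflow" diagnostic on the second coefficient. Reading a double through a union of a different type is tolerated by GCC and Clang but is not strictly conforming C++; copying the bytes into a uint64_t with memcpy is the fully portable alternative and produces the same bit pattern.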



