Out of bounds write in sparse broadcast #31758
Description
Reduced from https://discourse.julialang.org/t/signal-11-segmentation-fault-11-with-differentialequations-jl/23264/:
y = sparsevec([2,7], [1., 2.], 10)
x1 = sparsevec(fill(1.0, 10))
x2 = sparsevec([2,7], [1., 2.], 10)
x3 = sparsevec(fill(1.0, 10))
f(x, y, z) = x == y == z == 0 ? 0.0 : NaN
bc = Broadcast.broadcasted(f, x1, x2, x3)
Broadcast.materialize!(y, bc)where the last line causes a segfault (BoundsError with --check-bounds=yes). The problem is here:
1 in this particular case. From Debugger:
1|debug> n
In _map_zeropres!(f, C, As) at /julia/stdlib/v1.0/SparseArrays/src/higherorderfns.jl:372
382 while activerow < rowsentinel
383 vals, ks, rows = _fusedupdate_all(rowsentinel, activerow, rows, ks, stopks, As)
384 Cx = f(vals...)
385 if !_iszero(Cx)
>386 Ck > spaceC && (spaceC = expandstorage!(C, Ck + min(length(C), _sumnnzs(As...)) - (sum(ks) - N)))
387 storedinds(C)[Ck] = activerow
388 storedvals(C)[Ck] = Cx
389 Ck += 1
390 end
1|debug> w
1] Ck: 7
2] spaceC: 6
3] storedinds(C): [1, 2, 3, 4, 5, 6]
4] (Ck + min(length(C), _sumnnzs(As...))) - (sum(ks) - N): 1
1|debug> n
In _map_zeropres!(f, C, As) at /julia/stdlib/v1.0/SparseArrays/src/higherorderfns.jl:372
383 vals, ks, rows = _fusedupdate_all(rowsentinel, activerow, rows, ks, stopks, As)
384 Cx = f(vals...)
385 if !_iszero(Cx)
386 Ck > spaceC && (spaceC = expandstorage!(C, Ck + min(length(C), _sumnnzs(As...)) - (sum(ks) - N)))
>387 storedinds(C)[Ck] = activerow
388 storedvals(C)[Ck] = Cx
389 Ck += 1
390 end
391 activerow = min(rows...)
1|debug> w
1] Ck: 7
2] spaceC: 1 # <-- What??
3] storedinds(C): [1, 2, 3, 4, 5, 6]
4] (Ck + min(length(C), _sumnnzs(As...))) - (sum(ks) - N): 1