Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLeaf::ReadBasket invalid write in TMVA test #10010

Closed
hahnjo opened this issue Mar 2, 2022 · 10 comments · Fixed by #15363
Closed

TLeaf::ReadBasket invalid write in TMVA test #10010

hahnjo opened this issue Mar 2, 2022 · 10 comments · Fixed by #15363
Assignees
@pcanal @lmoneta @guitargeek
Labels
affects:master bug in:Cling in:I/O

Comments

@hahnjo
Copy link
Member

hahnjo commented Mar 2, 2022
edited
Loading

After #10005 is merged, the test TMVA-CrossValidation-Serialise will fail due to a stack-use-after-return:

352: WRITE of size 4 at 0x7f7ff4e1b880 thread T0
352:     #0 0x7f800120c3b9 in frombuf(char*&, unsigned int*) /home/jhahnfel/ROOT/src/core/base/inc/Bytes.h:310:7
352:     #1 0x7f800120c2bc in frombuf(char*&, int*) /home/jhahnfel/ROOT/src/core/base/inc/Bytes.h:442:48
352:     #2 0x7f7ffe26e9d0 in TBufferFile::ReadInt(int&) /home/jhahnfel/ROOT/src/io/io/inc/TBufferFile.h:401:4
352:     #3 0x7f80011965fc in TLeafI::ReadBasket(TBuffer&) /home/jhahnfel/ROOT/src/tree/tree/src/TLeafI.cxx:165:9
352:     #4 0x7f8001055b29 in TBranch::ReadLeavesImpl(TBuffer&) /home/jhahnfel/ROOT/src/tree/tree/src/TBranch.cxx:2382:13
352:     #5 0x7f800106b4a9 in TBranch::GetEntry(long long, int) /home/jhahnfel/ROOT/src/tree/tree/src/TBranch.cxx:1691:4
352:     #6 0x7f800125eea0 in TTree::GetEntry(long long, int)::$_3::operator()() const /home/jhahnfel/ROOT/src/tree/tree/src/TTree.cxx:5628:23
352:     #7 0x7f800125d3c8 in TTree::GetEntry(long long, int) /home/jhahnfel/ROOT/src/tree/tree/src/TTree.cxx:5703:7
352:     #8 0x50a984 in TestContex::runApplicationPhase(TString) /home/jhahnfel/ROOT/src/tmva/tmva/test/crossvalidation/TestCrossValidationSerialise.cxx:188:13
352:     #9 0x50b2a3 in TestCvSerialise(TMVA::Types::EMVA, TString, TString) /home/jhahnfel/ROOT/src/tmva/tmva/test/crossvalidation/TestCrossValidationSerialise.cxx:231:7
352:     #10 0x50b6e2 in TestCrossValidationSerialise() /home/jhahnfel/ROOT/src/tmva/tmva/test/crossvalidation/TestCrossValidationSerialise.cxx:240:7
352:     #11 0x50b8b3 in main /home/jhahnfel/ROOT/src/tmva/tmva/test/crossvalidation/TestCrossValidationSerialise.cxx:255:4
352:     #12 0x7f7ffad0aca2 in __libc_start_main (/lib64/libc.so.6+0x3aca2)
352:     #13 0x42361d in _start (/home/jhahnfel/ROOT/build-clang-asan-debug/tmva/tmva/test/crossvalidation/testCrossValidationSerialise+0x42361d)
352:
352: Address 0x7f7ff4e1b880 is located in stack of thread T0 at offset 128 in frame
352:     #0 0x7f7feed1f30f in cling::LookupHelper::findType(llvm::StringRef, cling::LookupHelper::DiagSetting) const (/home/jhahnfel/ROOT/build-clang-asan-debug/lib/libCling.so+0xdd430f)

Note: There may be other problems in the test after this issue is fixed. Please check locally with an instrumented build that the test passes afterwards!
@hahnjo
Copy link
Member Author

hahnjo commented Mar 2, 2022

Note that I'm completely unsure if this is really Cling's fault. If not, we have to re-assign accordingly.

@Axel-Naumann
Copy link
Member

This isn't cling; it's TLeaf reading an int into the wrong location. I'll need to debug which int that is; I suspect classID/I

@hahnjo
Copy link
Member Author

hahnjo commented Mar 2, 2022

Ok, can you update the issue title to something appropriate?

@Axel-Naumann Axel-Naumann changed the title stack-use-after-return in cling::LookupHelper::findType TLeaf::ReadBasket invalid write in TMVA test Mar 2, 2022
@pcanal
Copy link
Member

pcanal commented Mar 7, 2022

Most likely the TTree is still pointing to older (user data) addresses. (The 'failing' function set the address of only 4 out 7 branches. i.e. missing a tree->ResetBranchAddresses(); somewhere

@hahnjo hahnjo removed their assignment Jun 16, 2022
@hahnjo
Copy link
Member Author

hahnjo commented Aug 15, 2022

Still there, would be good if somebody could have a look.

@pcanal pcanal assigned guitargeek and lmoneta and unassigned guitargeek Oct 31, 2022
@hahnjo
Copy link
Member Author

hahnjo commented Jan 24, 2023

ping @Axel-Naumann @lmoneta @pcanal this is still there

@hahnjo
Copy link
Member Author

hahnjo commented May 31, 2023

ping @Axel-Naumann @lmoneta @pcanal Jenkins and me can still reproduce...

@ferdymercury
Copy link
Contributor

ferdymercury commented Apr 26, 2024
edited
Loading

@hahnjo
I think the issue is maybe that this test uses:

static UInt_t id = 0;
TTree *data = new TTree(name, name);
data->Branch("EventNumber", &id, "EventNumber/I");

but later:

Float_t fevNum;
fReader.AddSpectator("EventNumber", &fevNum);
tree->SetBranchAddress("EventNumber", &fevNum);

In contrast, TestCrossValidationIntVar seems to correctly use two variables to properly read the tree and spectate:

   Int_t uid;
   Float_t fid;
   reader.AddSpectator("EventNumber", &fid);
   tree->SetBranchAddress("EventNumber", &uid);

@pcanal
Copy link
Member

pcanal commented Apr 26, 2024

Valgrind complains of:

==24718== Invalid write of size 4
==24718==    at 0x5778F9D: frombuf(char*&, unsigned int*) (Bytes.h:310)
==24718==    by 0x5779004: frombuf(char*&, int*) (Bytes.h:442)
==24718==    by 0x5EF5256: TBufferFile::ReadInt(int&) (TBufferFile.h:401)
==24718==    by 0x575640B: TLeafI::ReadBasket(TBuffer&) (TLeafI.cxx:165)
==24718==    by 0x56F5344: TBranch::ReadLeavesImpl(TBuffer&) (TBranch.cxx:2465)
==24718==    by 0x56F2C0A: TBranch::GetEntry(long long, int) (TBranch.cxx:1753)
==24718==    by 0x5791D30: TTree::GetEntry(long long, int)::{lambda()#1}::operator()() const (TTree.cxx:5661)
==24718==    by 0x5792522: TTree::GetEntry(long long, int) (TTree.cxx:5736)
==24718==    by 0x10D951: TestContex::runApplicationPhase(TString) (TestCrossValidationSerialise.cxx:188)
==24718==    by 0x10DEDE: TestCvSerialise(TMVA::Types::EMVA, TString, TString) (TestCrossValidationSerialise.cxx:231)
==24718==    by 0x10E0A1: TestCrossValidationSerialise() (TestCrossValidationSerialise.cxx:240)
==24718==    by 0x10E137: main (TestCrossValidationSerialise.cxx:255)
==24718==  Address 0x1ffeffd2b0 is on thread 1's stack
==24718==  5088 bytes below stack pointer

@pcanal
Copy link
Member

pcanal commented Apr 26, 2024

TLDR: TTree* TMVA::DataSet::GetTree is missing a call to tree->ResetBranchAddresses() at the end.

The interesting bit is that TBufferFile::ReadInt is being used even-though all the variables in the example (and indeed all their corresponding branches) are floats.

So the issue is that the address of the Int branch:

*Br    0 :classID   : classID/I                                              *

is still set to an address that uses to be on the stack (according to valgrind).

How can it be possible, you may ask. Well ... looking at the result of fOutputFile->ls("") we notice:

....
   OBJ: TTree   TestTree        TestTree : 0 at: 0x5555555eae70

even before the call to fOutputFile.Get("dataset/TestTree");

This means that at point the TTree is already in memory (and already setup) and this prior loading is the likely place of the setting of the address to a local variable.

It turns out that the TTree is created in TTree* TMVA::DataSet::GetTree at DataSet.cxx:628 and later we have:

   UInt_t cls;
...
   tree->Branch( "classID", &cls, "classID/I" );
...
   return tree;
}

At which point the tree is returns pointing to a bunch of now invalid memory location.
Using:

  tree->ResetBranchAddresses();
  return tree;
}

solves the problem.

ferdymercury added a commit to ferdymercury/root that referenced this issue Apr 27, 2024
@ferdymercury
[tmva] branches on stack, local scope, reset before return
4d55f9e 
Fixes root-project#10010

All the credit for this fix goes to pcanal and anaumann
@ferdymercury ferdymercury mentioned this issue Apr 27, 2024
Merged
2 tasks
guitargeek pushed a commit that referenced this issue Apr 28, 2024
@ferdymercury @guitargeek
[tmva] branches on stack, local scope, reset before return
4550b57 
Fixes #10010

All the credit for this fix goes to pcanal and anaumann
guitargeek pushed a commit to guitargeek/root that referenced this issue Apr 30, 2024
@ferdymercury @guitargeek
[tmva] branches on stack, local scope, reset before return
9776a12 
Fixes root-project#10010

All the credit for this fix goes to pcanal and anaumann
guitargeek pushed a commit that referenced this issue Apr 30, 2024
@ferdymercury @guitargeek
[tmva] branches on stack, local scope, reset before return
59cb628 
Fixes #10010

All the credit for this fix goes to pcanal and anaumann
silverweed pushed a commit to silverweed/root that referenced this issue Aug 19, 2024
@ferdymercury
[tmva] branches on stack, local scope, reset before return
989c114 
Fixes root-project#10010

All the credit for this fix goes to pcanal and anaumann
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pcanal pcanal

@lmoneta lmoneta

@guitargeek guitargeek

Labels
affects:master bug in:Cling in:I/O
Projects
Fixed in 6.34.00
Status: Issues
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[tmva] branches on stack, local scope, reset before return ferdymercury/root
8 participants
@Axel-Naumann @hahnjo @pcanal @lmoneta @vgvassilev @guitargeek @ferdymercury @jalopezg-git