SparseMatrix "reserve" segfault when 0 columns
Hi there,
This piece of code
    #include <Eigen/SparseCore>
    #include <vector>

    int main() {
        std::vector<int> colsize(0);            // one reserve size per column: none here
        Eigen::SparseMatrix<double> A(10, 0);   // 10 rows, 0 columns
        A.reserve(colsize);                     // crashes: outer size is 0
        return 0;
    }
Segfault because of the '0' columns (the # of rows can be whatever)
g++ bug.cpp -I ~/Softwares/eigen -fsanitize=address
./a.out
=================================================================
==20453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000ec at pc 0x0001032e254b bp 0x7ffeec921630 sp 0x7ffeec921628
READ of size 4 at 0x6020000000ec thread T0
#0 0x1032e254a in void Eigen::SparseMatrix<double, 0, int>::reserveInnerVectors<std::__1::vector<int, std::__1::allocator<int> > >(std::__1::vector<int, std::__1::allocator<int> > const&) (a.out:x86_64+0x10000554a)
#1 0x1032de0b4 in void Eigen::SparseMatrix<double, 0, int>::reserve<std::__1::vector<int, std::__1::allocator<int> > >(std::__1::vector<int, std::__1::allocator<int> > const&, std::__1::vector<int, std::__1::allocator<int> >::value_type const&) (a.out:x86_64+0x1000010b4)
#2 0x1032dde1c in main (a.out:x86_64+0x100000e1c)
#3 0x7fff67662cc8 in start (libdyld.dylib:x86_64+0x1acc8)
0x6020000000ec is located 4 bytes to the left of 4-byte region [0x6020000000f0,0x6020000000f4)
allocated by thread T0 here:
#0 0x103334abd in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45abd)
#1 0x1032e0ce8 in Eigen::SparseMatrix<double, 0, int>::resize(long, long) (a.out:x86_64+0x100003ce8)
#2 0x1032e0adc in Eigen::SparseMatrix<double, 0, int>::SparseMatrix(long, long) (a.out:x86_64+0x100003adc)
#3 0x1032de074 in Eigen::SparseMatrix<double, 0, int>::SparseMatrix(long, long) (a.out:x86_64+0x100001074)
#4 0x1032ddda9 in main (a.out:x86_64+0x100000da9)
#5 0x7fff67662cc8 in start (libdyld.dylib:x86_64+0x1acc8)
SUMMARY: AddressSanitizer: heap-buffer-overflow (a.out:x86_64+0x10000554a) in void Eigen::SparseMatrix<double, 0, int>::reserveInnerVectors<std::__1::vector<int, std::__1::allocator<int> > >(std::__1::vector<int, std::__1::allocator<int> > const&)
==20453==ABORTING
[1] 20453 abort ./a.out
The culprit is on line 332 of SparseMatrix.h: https://gitlab.com/libeigen/eigen/-/blob/master/Eigen/src/SparseCore/SparseMatrix.h#L332
    m_outerIndex[m_outerSize] = m_outerIndex[m_outerSize-1] + m_innerNonZeros[m_outerSize-1] + reserveSizes[m_outerSize-1];
where outerSize is 0.
Or is it that matrices of size 0 are not allowed? Not that it's particularly useful, but sometimes it happens :-)
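Added example (not code from the report or from Eigen): a minimal stand-alone model of the CSC outer-index bookkeeping that reserveInnerVectors performs, with the empty-outer-dimension guard whose absence the sanitizer trace above points at. CscIndexModel and reservedCapacity are hypothetical names, and the model only recomputes the index arrays, not the value storage.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <utility>
#include <vector>

// Model of the two index arrays a compressed-column SparseMatrix keeps:
// outerIndex has outerSize+1 entries, innerNonZeros has outerSize entries.
struct CscIndexModel {
    std::vector<int> outerIndex;
    std::vector<int> innerNonZeros;

    explicit CscIndexModel(std::size_t outerSize)
        : outerIndex(outerSize + 1, 0), innerNonZeros(outerSize, 0) {}

    std::size_t outerSize() const { return innerNonZeros.size(); }

    // Recompute the outer starts so inner vector j has room for
    // innerNonZeros[j] + reserveSizes[j] entries; returns the new total
    // capacity, i.e. the value that ends up in outerIndex[outerSize].
    int reserveInnerVectors(const std::vector<int>& reserveSizes) {
        const std::size_t n = outerSize();
        // Guard: with n == 0 the unconditional update in the report reads
        // outerIndex[n-1], 4 bytes before the buffer (the ASan finding).
        if (n == 0) return 0;
        // Guard: a reserve vector of the wrong length would also index
        // past the end of reserveSizes or innerNonZeros.
        if (reserveSizes.size() != n)
            throw std::invalid_argument("reserveSizes.size() must equal outerSize()");
        // Same arithmetic as the quoted line, applied per inner vector.
        for (std::size_t j = 0; j < n; ++j)
            outerIndex[j + 1] = outerIndex[j] + innerNonZeros[j] + reserveSizes[j];
        return outerIndex[n];
    }
};

// Convenience: build a model from constructed non-zero counts and reserve.
int reservedCapacity(std::vector<int> innerNonZeros,
                     const std::vector<int>& reserveSizes) {
    CscIndexModel m(innerNonZeros.size());
    m.innerNonZeros = std::move(innerNonZeros);
    return m.reserveInnerVectors(reserveSizes);
}

int main() {
    // The report's case: 0 columns, empty reserve vector, now returns 0.
    std::cout << reservedCapacity({}, {}) << '\n';
    // Constructed 3-column case: counts {1,0,2} plus 2 reserved each = 9.
    std::cout << reservedCapacity({1, 0, 2}, {2, 2, 2}) << '\n';
    return 0;
}
```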