hnqtran
commented
9 months ago Details on issue with src/emqa/bldrepidx.f (SMKREPORT module)
Array out of bound issue is found for variable OUTDNAME which is first allocated with ALLOCATE( OUTDNAM(MXOUTDAT, NREPORT ), STAT=IOS )
where the 1st dimension MXOUTDAT is the number of species of which names are to be write out in the smoke report table header, and value of MXOUTDAT depends on the report configuration REPCONFIG file.
in the following code block, OUTDNAME is de-allocated and re-allocated when an condition is met:
IF( RPT_%BYSPC ) THEN ! BY SPCCODE poll+ add associated species....
NDATA = 1 ! add default firt pol name
DO V = 1, NSVARS
IF( INDNAM( 1,N ) == POLNAM( V ) ) NDATA = NDATA + 1
END DO
C NSPCPOL = NDATA
ALLRPT( N )%NUMDATA = NDATA
C DEALLOCATE( OUTDNAM, SPCPOL )
DEALLOCATE( OUTDNAM )
ALLOCATE( OUTDNAM( NDATA, NREPORT ), STAT=IOS )
CALL CHECKMEM( IOS, 'OUTDNAM', PROGNAME )
C ALLOCATE( SPCPOL( NDATA ), STAT=IOS )
C CALL CHECKMEM( IOS, 'SPCPOL', PROGNAME )
Taking this REPCONFIG with the following content as example: _/NEWFILE/ REPORT1
/CREATE REPORT/ BY STATE NAME SPECIATION MASS NUMBER E15.8 UNITS ALL tons/yr /END/
/NEWFILE/ REPORT2
/CREATE REPORT/ BY STATE NAME BY SCC10 NAME SPECIATION MASS NUMBER E13.5 UNITS ALL tons/yr /END/
/NEWFILE/ REPORT3
/CREATE REPORT/ BY STATE NAME BY SCC10 NAME BY SPCCODE PM25 SPECIATION MASS NUMBER E13.5 UNITS ALL tons/yr /END/
For REPORT1 and REPORT2, SPECIATION MASS is requested and MXOUTDAT = 77 (77 chemical species). As SMKREPORT process to REPORT3, the RPT_%BYSPC condition is met and OUTDNAM is re-allocated to ALLOCATE( OUTDNAM( NDATA, NREPORT ), STAT=IOS ) where NDATA = 19 in this example.
In subsequence subroutine WRREPHDR (src/emqa/wrrephdr.f), array out-of-bound occurs causing segmentation fault when OUTDNAM is accessed beyond its 1st allocated dimension
' DO J = STIDX, EDIDX'
IF( RPT_%RPTMODE .EQ. 3 ) THEN
L2 = LEN_TRIM( HEADERS( IHDRDATA ) )
W1 = MAX( NLEFT, W1, L2 )
ELSE
L2 = LEN_TRIM( OUTDNAM( J,RCNT ) )
W1 = MAX( NLEFT, W1, L2, LN )
END IF
WRREPHDR does it own thing to figure out STIDX = 1 and EDIDX = 77 in this example, and as J increases above 19, array out-of-bound occurs.
If SMOKE was compiled with gfortran or with ifort '-check bounds', segmentation fault occured and no smoke report file is created. If SMOKE was compiled with ifort without check bounds, no error occured and smoke report files are created but with binary junks in the header of report table. (See attached example report file rep_rwc_2018gg_18j_inv_county.txt; Note how the table header has multiple invalid binary values and only show aerosol species whereas other gaseous species are also expected).
The issue with OUTDNAM is found to be only affect the header of smoke report table; values of the table are handled by different subroutine and therefore is not affected by this issue.
Mitigation approach:
Allow large enough allocation of OUTDNAM and remove lines where OUTDNAME is de-allocated and re-allocated
ALLOCATE( OUTDNAM( max(MXOUTDAT,NSVARS+1), NREPORT ), STAT=IOS )
(See attached example report file
rep_rwc_2018gg_18j_test_inv_county.txt)
Fixed in commit https://github.com/CEMPD/SMOKE/commit/5bb27fd67a3f464cd77b9cf9854d6496be801615
Several subroutines in SMOKE are found to have array out of bound issue when SMOKE was compiled with gfortran compiler. The issue was also detected if SMOKE was compiled with intel compiler and with flag "-check bounds" activate in Makeinclude file (which is not enabled in the standard distributed package)
List of subroutines that having the issue (will be updated as more of them are found):
Details on the issue in each of the above subroutines are their mitigations are discussed in the below sections.