JuliaMath / SpecialFunctions.jl

Special mathematical functions in Julia
https://specialfunctions.juliamath.org/stable/

Segfault in besselj #446

Open shashi opened 1 year ago

shashi commented 1 year ago

Hi!

The SymbolicUtils fuzzer has been running into this segfault: https://github.com/JuliaSymbolics/SymbolicUtils.jl/actions/runs/5789352420/job/15690225727?pr=538#step:7:3085

The fuzzer was trying to run

```julia
function foo(a, b, c)
    SpecialFunctions.besselj(b / NaNMath.acosh(a), acscd(c))
end
```

The arguments were

0.5111444990544858, 78, -13

or

0.5111444990544858, -13, 78

I could not reproduce this on my machine which is a Mac.

SpecialFunctions version is v2.3.0.

0x0f0f0f commented 7 months ago
```
julia> versioninfo()
Julia Version 1.10.2
Commit bd47eca2c8a (2024-03-01 10:14 UTC)
Build Info:
  Official https://julialang.org/ release
Platform Info:
  OS: Linux (x86_64-linux-gnu)
  CPU: 8 × 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
  WORD_SIZE: 64
  LIBM: libopenlibm
  LLVM: libLLVM-15.0.7 (ORCJIT, tigerlake)
Threads: 1 default, 0 interactive, 1 GC (on 8 virtual cores)

julia> using SpecialFunctions, NaNMath

julia> function foo(a, b, c) SpecialFunctions.besselj(b / NaNMath.acosh(a), acscd(c)) end
foo (generic function with 1 method)

julia> x, y, z = 0.5111444990544858, -13, 78
(0.5111444990544858, -13, 78)

julia> foo(x,y,z)

[136577] signal (11.1): Segmentation fault
in expression starting at REPL[5]:1
dgamln_ at /home/sea/.julia/artifacts/abf4b5086b4eb867021118c85b2cc11a15b764a9/lib/libopenspecfun.so (unknown line)
zseri_ at /home/sea/.julia/artifacts/abf4b5086b4eb867021118c85b2cc11a15b764a9/lib/libopenspecfun.so (unknown line)
zbinu_ at /home/sea/.julia/artifacts/abf4b5086b4eb867021118c85b2cc11a15b764a9/lib/libopenspecfun.so (unknown line)
zbesj_ at /home/sea/.julia/artifacts/abf4b5086b4eb867021118c85b2cc11a15b764a9/lib/libopenspecfun.so (unknown line)
_besselj at /home/sea/.julia/packages/SpecialFunctions/QH8rV/src/bessel.jl:248
besselj at /home/sea/.julia/packages/SpecialFunctions/QH8rV/src/bessel.jl:388
besselj at /home/sea/.julia/packages/SpecialFunctions/QH8rV/src/bessel.jl:490
foo at ./REPL[3]:1
unknown function (ip: 0x7fcc7fc8cc97)
_jl_invoke at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:2894 [inlined]
ijl_apply_generic at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:3076
jl_apply at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/julia.h:1982 [inlined]
do_call at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/interpreter.c:126
eval_value at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/interpreter.c:223
eval_stmt_value at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/interpreter.c:174 [inlined]
eval_body at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/interpreter.c:617
jl_interpret_toplevel_thunk at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/interpreter.c:775
jl_toplevel_eval_flex at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/toplevel.c:934
jl_toplevel_eval_flex at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/toplevel.c:877
ijl_toplevel_eval_in at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/toplevel.c:985
eval at ./boot.jl:385 [inlined]
eval_user_input at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/usr/share/julia/stdlib/v1.10/REPL/src/REPL.jl:150
repl_backend_loop at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/usr/share/julia/stdlib/v1.10/REPL/src/REPL.jl:246
#start_repl_backend#46 at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/usr/share/julia/stdlib/v1.10/REPL/src/REPL.jl:231
start_repl_backend at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/usr/share/julia/stdlib/v1.10/REPL/src/REPL.jl:228
_jl_invoke at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:2894 [inlined]
ijl_apply_generic at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:3076
#run_repl#59 at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/usr/share/julia/stdlib/v1.10/REPL/src/REPL.jl:389
run_repl at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/usr/share/julia/stdlib/v1.10/REPL/src/REPL.jl:375
jfptr_run_repl_91745.1 at /home/sea/.julia/juliaup/julia-1.10.2+0.x64.linux.gnu/lib/julia/sys.so (unknown line)
_jl_invoke at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:2894 [inlined]
ijl_apply_generic at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:3076
#1013 at ./client.jl:432
jfptr_YY.1013_82712.1 at /home/sea/.julia/juliaup/julia-1.10.2+0.x64.linux.gnu/lib/julia/sys.so (unknown line)
_jl_invoke at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:2894 [inlined]
ijl_apply_generic at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:3076
jl_apply at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/julia.h:1982 [inlined]
jl_f__call_latest at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/builtins.c:812
#invokelatest#2 at ./essentials.jl:892 [inlined]
invokelatest at ./essentials.jl:889 [inlined]
run_main_repl at ./client.jl:416
exec_options at ./client.jl:333
_start at ./client.jl:552
jfptr__start_82738.1 at /home/sea/.julia/juliaup/julia-1.10.2+0.x64.linux.gnu/lib/julia/sys.so (unknown line)
_jl_invoke at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:2894 [inlined]
ijl_apply_generic at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/gf.c:3076
jl_apply at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/julia.h:1982 [inlined]
true_main at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/jlapi.c:582
jl_repl_entrypoint at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/src/jlapi.c:731
main at /cache/build/builder-amdci5-1/julialang/julia-release-1-dot-10/cli/loader_exe.c:58
unknown function (ip: 0x7fcc80c2814f)
__libc_start_main at /lib/x86_64-linux-gnu/libc.so.6 (unknown line)
unknown function (ip: 0x4010b8)
Allocations: 1305698 (Pool: 1304453; Big: 1245); GC: 2
Segmentation fault (core dumped)
```

Able to reproduce on Linux.

inkydragon commented 6 months ago

With latest commit:

test

Crash logs:

```
julia> foo(0.5111444990544858, -13, 78)

Please submit a bug report with steps to reproduce this fault, and any error messages that follow (in their entirety). Thanks.
Exception: EXCEPTION_ACCESS_VIOLATION at 0x6a208136 -- .text at C:\Users\inkyd\.julia\artifacts\3e683ec5ca945a5aca74c49e8cccdf37c19b84a3\bin\libopenspecfun.dll (unknown line)
in expression starting at REPL[18]:1
.text at C:\Users\inkyd\.julia\artifacts\3e683ec5ca945a5aca74c49e8cccdf37c19b84a3\bin\libopenspecfun.dll (unknown line)
.text at C:\Users\inkyd\.julia\artifacts\3e683ec5ca945a5aca74c49e8cccdf37c19b84a3\bin\libopenspecfun.dll (unknown line)
.text at C:\Users\inkyd\.julia\artifacts\3e683ec5ca945a5aca74c49e8cccdf37c19b84a3\bin\libopenspecfun.dll (unknown line)
.text at C:\Users\inkyd\.julia\artifacts\3e683ec5ca945a5aca74c49e8cccdf37c19b84a3\bin\libopenspecfun.dll (unknown line)
_besselj at C:\Users\inkyd\.julia\packages\SpecialFunctions\e7VzT\src\bessel.jl:248
besselj at C:\Users\inkyd\.julia\packages\SpecialFunctions\e7VzT\src\bessel.jl:388
besselj at C:\Users\inkyd\.julia\packages\SpecialFunctions\e7VzT\src\bessel.jl:490
foo at .\REPL[16]:1
unknown function (ip: 000001ced3ec9a22)
jl_apply at C:/workdir/src\julia.h:1982 [inlined]
do_call at C:/workdir/src\interpreter.c:126
eval_value at C:/workdir/src\interpreter.c:223
eval_stmt_value at C:/workdir/src\interpreter.c:174 [inlined]
eval_body at C:/workdir/src\interpreter.c:635
jl_interpret_toplevel_thunk at C:/workdir/src\interpreter.c:775
jl_toplevel_eval_flex at C:/workdir/src\toplevel.c:934
jl_toplevel_eval_flex at C:/workdir/src\toplevel.c:877
ijl_toplevel_eval at C:/workdir/src\toplevel.c:943 [inlined]
ijl_toplevel_eval_in at C:/workdir/src\toplevel.c:985
eval at .\boot.jl:385 [inlined]
eval_user_input at C:\workdir\usr\share\julia\stdlib\v1.10\REPL\src\REPL.jl:150
repl_backend_loop at C:\workdir\usr\share\julia\stdlib\v1.10\REPL\src\REPL.jl:246
#start_repl_backend#46 at C:\workdir\usr\share\julia\stdlib\v1.10\REPL\src\REPL.jl:231
start_repl_backend at C:\workdir\usr\share\julia\stdlib\v1.10\REPL\src\REPL.jl:228
#run_repl#59 at C:\workdir\usr\share\julia\stdlib\v1.10\REPL\src\REPL.jl:389
run_repl at C:\workdir\usr\share\julia\stdlib\v1.10\REPL\src\REPL.jl:375
jfptr_run_repl_95792.1 at C:\Users\inkyd\.julia\juliaup\julia-1.10.2+0.x64.w64.mingw32\lib\julia\sys.dll (unknown line)
#1013 at .\client.jl:432
jfptr_YY.1013_86568.1 at C:\Users\inkyd\.julia\juliaup\julia-1.10.2+0.x64.w64.mingw32\lib\julia\sys.dll (unknown line)
jl_apply at C:/workdir/src\julia.h:1982 [inlined]
jl_f__call_latest at C:/workdir/src\builtins.c:812
#invokelatest#2 at .\essentials.jl:892 [inlined]
invokelatest at .\essentials.jl:889 [inlined]
run_main_repl at .\client.jl:416
exec_options at .\client.jl:333
_start at .\client.jl:552
jfptr__start_86593.1 at C:\Users\inkyd\.julia\juliaup\julia-1.10.2+0.x64.w64.mingw32\lib\julia\sys.dll (unknown line)
jl_apply at C:/workdir/src\julia.h:1982 [inlined]
true_main at C:/workdir/src\jlapi.c:582
jl_repl_entrypoint at C:/workdir/src\jlapi.c:731
mainCRTStartup at C:/workdir/cli\loader_exe.c:58
BaseThreadInitThunk at C:\WINDOWS\System32\KERNEL32.DLL (unknown line)
RtlUserThreadStart at C:\WINDOWS\SYSTEM32\ntdll.dll (unknown line)
Allocations: 12716744 (Pool: 12708682; Big: 8062); GC: 20
```

Stack in libopenspecfun:

```
[0x0]   libopenspecfun!dgamln_+0x316   0x592d9fc220   0x6a2135f0
[0x1]   libopenspecfun!zseri_+0x330    0x592d9fc2c0   0x6a20e6c4
[0x2]   libopenspecfun!zbinu_+0x204    0x592d9fc520   0x6a2115d2
[0x3]   libopenspecfun!zbesj_+0x482    0x592d9fc640   0x20648600ed1
```

`SpecialFunctions.besselj(NaN, 0.7)` will crash.

So we can check whether the input parameter is NaN, just like SciPy does:

https://github.com/scipy/scipy/blob/b4f3037e04bd0d312cd671b7d1d5d9ffd8923472/scipy/special/special/bessel.h#L858-L860
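As an added example (not code from this issue or from SpecialFunctions.jl), the Julia below shows how the fuzzer's three arguments turn into a NaN order and applies the guard proposed above in front of the call, so the NaN never reaches the Fortran `zbesj_` in libopenspecfun; `guarded_besselj` is a hypothetical wrapper name, and returning NaN for a NaN input follows the SciPy convention linked above.

```julia
using SpecialFunctions, NaNMath

# The fuzzer's inputs, as reported in the issue.
a, b, c = 0.5111444990544858, -13, 78

# NaNMath.acosh is defined to return NaN (instead of throwing a DomainError)
# for arguments below 1, so the order b / acosh(a) silently becomes NaN.
# The argument acscd(78) is about 0.73 degrees, which is the "0.7" above.
nu = b / NaNMath.acosh(a)
x  = acscd(c)
@assert isnan(nu)
@assert isapprox(x, 0.73; atol=1e-2)

# Hardened wrapper (hypothetical name): validate the floating-point inputs
# at the language boundary before handing them to native code that assumes
# finite values. A NaN order or argument yields NaN, as SciPy's bessel.h does.
function guarded_besselj(nu::Real, x::Real)
    if isnan(nu) || isnan(x)
        return NaN
    end
    return SpecialFunctions.besselj(nu, x)
end

# With the guard, the fuzzer's case returns NaN instead of segfaulting,
# while ordinary inputs still reach the library unchanged.
@assert isnan(guarded_besselj(nu, x))
@assert isapprox(guarded_besselj(0.0, 0.0), 1.0)   # J_0(0) = 1
@assert isapprox(guarded_besselj(1.0, 0.0), 0.0)   # J_1(0) = 0
println("guarded_besselj(NaN, x) = ", guarded_besselj(nu, x))
```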