[BUGZILLA #15332] qr.solve call crashes R

[MichaelChirico]

Consider the attached funqr.rda file.

Steps to reproduce:

env <- new.env() load("funqr.rda", envir = env) qr.solve(env$predictors, as.complex(env$F)) # works as expected qr.solve(env$predictors, env$F) # crashes

Running R --debug=valgrind yields:

==65052== Invalid read of size 8 ==65052== at 0x15E96B9: ATL_zgemvC_a1_x1_b1_y1 (in /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib) ==65052== by 0x15E5264: ATL_zgemv (in /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib) ==65052== by 0x15EB781: cblaszgemv (in /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib) ==65052== by 0x139B950: ZGEMV (in /System/Library/Frameworks/Accelerate.framework/Versions/A/Frameworks/vecLib.framework/Versions/A/libBLAS.dylib) ==65052== by 0x9D4C74D: zlarf (in /opt/local/Library/Frameworks/R.framework/Versions/3.0/Resources/lib/libRlapack.dylib) ==65052== by 0x104112497: ??? ==65052== by 0x9D8A47F: bswpiv.35032 (in /opt/local/Library/Frameworks/R.framework/Versions/3.0/Resources/lib/libRlapack.dylib) ==65052== by 0x9D8A4B7: bswpiv.35032 (in /opt/local/Library/Frameworks/R.framework/Versions/3.0/Resources/lib/libRlapack.dylib) ==65052== by 0x100669DF7: ??? ==65052== by 0x9D8A47F: bswpiv.35032 (in /opt/local/Library/Frameworks/R.framework/Versions/3.0/Resources/lib/libRlapack.dylib) ==65052== by 0x100000012: ??? (in /opt/local/Library/Frameworks/R.framework/Resources/bin/exec/R) ==65052== by 0x102BD83A7: ??? ==65052== Address 0x103a22b50 is 8 bytes after a block of size 277,784 alloc'd ==65052== at 0x4756: malloc (vg_replace_malloc.c:274) ==65052== by 0xEFA6B: Rf_allocVector (in /opt/local/Library/Frameworks/R.framework/Versions/3.0/Resources/lib/libR.dylib) ==65052== by 0x1FFFFFFFF: ??? ==65052== by 0x1: ???

So, it looks like R allocates too small memory for some vector. I have not dug more inside, but probably it allocates the space for real object, but treat the memory as complex.

This reproduces at least in Windows and MacOS. The input data needs to be sufficiently enough to overwrite some memory locations in order to crash R.

---

METADATA

• Bug author - Anton Korobeynikov
• Creation time - 2013-06-03 06:37:57 UTC
• Bugzilla link
• Status - CLOSED FIXED
• Alias - None
• Component - Low-level
• Version - R 3.0.0
• Hardware - Other All
• Importance - P5 normal
• Assignee - R-core
• URL -
• Modification time - 2013-06-29 21:26 UTC

[MichaelChirico]

Created attachment 1452 [details] Test data

---

METADATA

• Comment author - Anton Korobeynikov
• Timestamp - 2013-06-03 06:41:47 UTC

INCLUDED PATCH

• ID - 2
• Author - Anton Korobeynikov
• Link to download patch - https://bugs.r-project.org/bugzilla/attachment.cgi?id=1452
• Timestamp - 2013-06-03 06:41 UTC
• Extra info - (857.93 KB, application/octet-stream)

[MichaelChirico]

Looks like a simple typo in the complex-handling code. Fixed in R-devel, soon in R-patched.

---

METADATA

• Comment author - Duncan Murdoch
• Timestamp - 2013-06-08 19:03:14 UTC

[MichaelChirico]

Bug 15367 has been marked as a duplicate of this bug.

---

METADATA

• Comment author - Duncan Murdoch
• Timestamp - 2013-06-29 21:26:33 UTC