Out of bounds write in SiPixelTemplateReco::PixelTempReco1D

[Dr15Jones]

The following report is given by the Address Santizer

==6388==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fcd10daeb88 at pc 0x7fcd29a10672 bp 0x7fcd10dada30 sp 0x7fcd10dada28
WRITE of size 4 at 0x7fcd10daeb88 thread T4
    #0 0x7fcd29a10671 in SiPixelTemplateReco::PixelTempReco1D(int, float, float, float, float, SiPixelTemplateReco::ClusMatrix&, SiPixelTemplate&, float&, float&, float&, float&, float&, float&, int&, int, bool, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >&, float&, int&, int&) /build/chrjones/asan/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/SiPixelRecHits/src/SiPixelTemplateReco.cc:469
    #1 0x7fcd29a42c36 in PixelCPEClusterRepair::callTempReco1D(PixelCPEBase::DetParam const&, PixelCPEClusterRepair::ClusterParamTemplate&, SiPixelTemplateReco::ClusMatrix&, int, Point3DBase<float, LocalTag>&) const /build/chrjones/asan/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/SiPixelRecHits/src/PixelCPEClusterRepair.cc:342
    #2 0x7fcd29a41d93 in PixelCPEClusterRepair::localPosition(PixelCPEBase::DetParam const&, PixelCPEBase::ClusterParam&) const /build/chrjones/asan/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/SiPixelRecHits/src/PixelCPEClusterRepair.cc:288
    #3 0x7fcd29a2c3f1 in PixelCPEBase::getParameters(SiPixelCluster const&, GeomDet const&, LocalTrajectoryParameters const&) const /build/chrjones/asan/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/SiPixelRecHits/interface/PixelCPEBase.h:179
    #4 0x7fcd29a2af6c in PixelClusterParameterEstimator::getParameters(SiPixelCluster const&, GeomDet const&, TrajectoryStateOnSurface const&) const /cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/ClusterParameterEstimator/interface/PixelClusterParameterEstimator.h:36
    #5 0x7fcd29bcf927 in TkClonerImpl::makeShared(SiPixelRecHit const&, TrajectoryStateOnSurface const&) const (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/libRecoTrackerTransientTrackingRecHit.so+0xc927)
    #6 0x7fcd3dbbe756 in SiPixelRecHit::cloneSH_(TkCloner const&, TrajectoryStateOnSurface const&) const (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/libDataFormatsTrackerRecHit2D.so+0x56756)
    #7 0x7fcd2609f60b in KFTrajectoryFitter::fitOne(TrajectorySeed const&, std::vector<std::shared_ptr<TrackingRecHit const>, std::allocator<std::shared_ptr<TrackingRecHit const> > > const&, TrajectoryStateOnSurface const&, TrajectoryFitter::fitType) const (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/libTrackingToolsTrackFitters.so+0x4c60b)
    #8 0x7fcd2618a6c6 in (anonymous namespace)::KFFittingSmoother::fitOne(TrajectorySeed const&, std::vector<std::shared_ptr<TrackingRecHit const>, std::allocator<std::shared_ptr<TrackingRecHit const> > > const&, TrajectoryStateOnSurface const&, TrajectoryFitter::fitType) const (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/pluginTrackingToolsTrackFittersPlugins.so+0xb36c6)
    #9 0x7fcd261593af in (anonymous namespace)::FlexibleKFFittingSmoother::fitOne(TrajectorySeed const&, std::vector<std::shared_ptr<TrackingRecHit const>, std::allocator<std::shared_ptr<TrackingRecHit const> > > const&, TrajectoryStateOnSurface const&, TrajectoryFitter::fitType) const (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/pluginTrackingToolsTrackFittersPlugins.so+0x823af)
    #10 0x7fccfb26634f in TrackProducerAlgorithm<reco::Track>::buildTrack(TrajectoryFitter const*, Propagator const*, std::vector<AlgoProductTraits<reco::Track>::AlgoProduct, std::allocator<AlgoProductTraits<reco::Track>::AlgoProduct> >&, std::vector<std::shared_ptr<TrackingRecHit const>, std::allocator<std::shared_ptr<TrackingRecHit const> > >&, TrajectoryStateOnSurface&, TrajectorySeed const&, float, reco::BeamSpot const&, edm::RefToBase<TrajectorySeed>, int, signed char) (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/libRecoTrackerTrackProducer.so+0x11334f)
    #11 0x7fccee2c584a in TrackProducerAlgorithm<reco::Track>::runWithCandidate(TrackingGeometry const*, MagneticField const*, std::vector<TrackCandidate, std::allocator<TrackCandidate> > const&, TrajectoryFitter const*, Propagator const*, TransientTrackingRecHitBuilder const*, reco::BeamSpot const&, std::vector<AlgoProductTraits<reco::Track>::AlgoProduct, std::allocator<AlgoProductTraits<reco::Track>::AlgoProduct> >&) (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/pluginRecoEgammaEgammaPhotonProducers.so+0x1e184a)
    #12 0x7fcce85aa4ef in TrackProducer::produce(edm::Event&, edm::EventSetup const&) (/cvmfs/cms-ib.cern.ch/week1/slc7_amd64_gcc700/cms/cmssw/CMSSW_11_0_ASAN_X_2019-08-02-2300/lib/slc7_amd64_gcc700/pluginRecoTrackerTrackProducerPlugins.so+0x9d4ef)
...

Address 0x7fcd10daeb88 is located in stack of thread T4 at offset 4056 in frame
    #0 0x7fcd29a0c953 in SiPixelTemplateReco::PixelTempReco1D(int, float, float, float, float, SiPixelTemplateReco::ClusMatrix&, SiPixelTemplate&, float&, float&, float&, float&, float&, float&, int&, int, bool, std::vector<std::pair<int, int>, std::allocator<std::pair<int, int> > >&, float&, int&, int&) /build/chrjones/asan/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/SiPixelRecHits/src/SiPixelTemplateReco.cc:155

  This frame has 68 object(s):
...
    [3936, 4020) 'nyzero'
    [4064, 4164) 'ysum' <== Memory access at offset 4056 underflows this variable
    [4224, 4324) 'ysort'

Running the code in the debugger and stopping on SiPixelTemplateReco.cc:469

Thread 1 "cmsRun" hit Breakpoint 2, SiPixelTemplateReco::PixelTempReco1D (id=61, cotalpha=-0.16553697, cotbeta=8.64835644, locBz=0.000571159995, locBx=0.000574730162, cluster=..., templ=..., yrec=@0x60c0063713e4: -99999.8984, 
    sigmay=@0x60c0063713ec: -99999.8984, proby=@0x60c0063713c4: 1, xrec=@0x60c0063713e0: -99999.8984, sigmax=@0x60c0063713e8: -99999.8984, probx=@0x60c0063713c0: 1, qbin=@0x60c0063713cc: 0, speed=0, deadpix=false, 
    zeropix=std::vector of length 0, capacity 0, probQ=@0x60c0063713c8: 1, nypix=@0x7ffff5738da0: 21, nxpix=@0x7ffff5738de0: 0)
    at /build/chrjones/asan/CMSSW_11_0_ASAN_X_2019-08-02-2300/src/RecoLocalTracker/SiPixelRecHits/src/SiPixelTemplateReco.cc:469
469       ysum[i + shifty] = ysum[i];
(gdb) print i
$1 = 0
(gdb) print shifty
$2 = -2

So the code is write a value 2 units before the start of the array ysum.

Where shifty is calculated a few lines early

458   midpix = (fypix + lypix) / 2;
459   shifty = templ.cytemp() - midpix;

with

(gdb) print fypix
$3 = 0
(gdb) print midpix   
$4 = 10
(gdb) print templ.cytemp()
$6 = 8

[cmsbuild]

A new Issue was created by @Dr15Jones Chris Jones.

@davidlange6, @Dr15Jones, @smuzaffar, @fabiocos, @kpedro88 can you please review it and eventually sign/assign? Thanks.

cms-bot commands are listed here

[Dr15Jones]

This happened in step3 of workflow 12434.0

[Dr15Jones]

assign reconstruction

[cmsbuild]

New categories assigned: reconstruction

@slava77,@perrotta you have been requested to review this Pull request/Issue and eventually sign? Thanks

[mmusich]

Issue has been addressed here: https://github.com/cms-sw/cmssw/pull/27705

[slava77]

+1

[cmsbuild]

This issue is fully signed and ready to be closed.