Skip to content

[Rcpp-devel] Possible regression in R-3.2.3 or Rcpp 0.12.3

21 messages · Paul Johnson, Dirk Eddelbuettel, Kevin Ushey +1 more

Original
Paul Johnson
# 
Hello

Could I ask for some fresh eyes on this problem?

I need to diagnose a segmentation fault that started appearing this
week after we updated to R-3.2.3 and also Rcpp updated to 0.12.3 at
same time.
R version 3.2.3 (2015-12-10)
Platform: x86_64-redhat-linux-gnu (64-bit)
Running under: CentOS Linux 7 (Core)

locale:
 [1] LC_CTYPE=en_US.utf8       LC_NUMERIC=C
 [3] LC_TIME=en_US.utf8        LC_COLLATE=en_US.utf8
 [5] LC_MONETARY=en_US.utf8    LC_MESSAGES=en_US.utf8
 [7] LC_PAPER=en_US.utf8       LC_NAME=C
 [9] LC_ADDRESS=C              LC_TELEPHONE=C
[11] LC_MEASUREMENT=en_US.utf8 LC_IDENTIFICATION=C

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base

other attached packages:
[1] openxlsx_3.0.0

loaded via a namespace (and not attached):
[1] Rcpp_0.11.3
*** caught segfault ***
address 0x35117000, cause 'memory not mapped'

Traceback:
 1: .Call("openxlsx_readWorkbook", v, r, string_refs, isDate, nRows,
  colNames, skipEmptyRows, origin, clean_names, PACKAGE = "openxlsx")
 2: read.xlsx.default("Failure_to_Import.xlsx", colNames = TRUE)
 3: read.xlsx("Failure_to_Import.xlsx", colNames = TRUE)
aborting ...

I have a fullly reproducible example:

http://pj.freefaculty.org/scraps/openxlsx_failure.zip

This failure surfaced on the Centos 7 linux systems yesterday, but I
did not see it in Ubuntu until I updated Rcpp to version 0.12.3.  We
were comparing versions, that was the only difference I could see.
But then I removed Rcpp and installed from source 0.12.2 but the error
now happens with Rcpp 0.12.2.

I have got too many balls in the air to know where to start on this one.

One thing I wonder if it is necessary to completely erase and
reinstall all packages that depend on Rcpp in order to get a clean run
at this.

I thought the issue was Centos updates and possibly a funny GCC setup
there, but now same problem is happening in Ubuntu.

We've written to the openxlsx author to see if he has ideas,  but I
note that his package did not update during this process.

I am going to see about downgrading R to previous version, see if
problem disappears.

pj
Kevin Ushey
# 
A C++ stack trace would be very helpful. Can you try running R with gdb, e.g.

    R -d gdb -f example.R

where 'example.R' is the path to your script that reproduces the
segfault? Hopefully, 'gdb' can provide more context on where the error
is occurring.

For what it's worth, the file did open successfully for me, using R
3.2.3 patched (r69960) + Rcpp 0.12.3, openxlsx_3.0.0, on OS X.

Thanks,
Kevin
On Thu, Jan 28, 2016 at 11:33 AM, Dirk Eddelbuettel <edd at debian.org> wrote:
Paul Johnson
# 
Thanks. It has been a while since I used gdb, and I can't recall doing
it with R.

It looks discouraging to me because I see "<optimized out>" in the
symbols.  I have to re-learn what symbols are and where to get them.

I deleted openxlsx and got clean re-install before trying this.

What's this one mean?

warning: Source file is more recent than executable.

Anywhere, here it is:

$ R -d gdb -f Reproducible_openxlsx_failure.R
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/R/bin/exec/R...(no debugging symbols
found)...done.
(gdb) run
Starting program: /usr/lib/R/bin/exec/R -f Reproducible_openxlsx_failure.R
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

R version 3.2.3 (2015-12-10) -- "Wooden Christmas-Tree"
Copyright (C) 2015 The R Foundation for Statistical Computing
Platform: x86_64-pc-linux-gnu (64-bit)

R is free software and comes with ABSOLUTELY NO WARRANTY.
You are welcome to redistribute it under certain conditions.
Type 'license()' or 'licence()' for distribution details.

  Natural language support but running in an English locale

R is a collaborative project with many contributors.
Type 'contributors()' for more information and
'citation()' on how to cite R or R packages in publications.

Type 'demo()' for some demos, 'help()' for on-line help, or
'help.start()' for an HTML browser interface to help.
Type 'q()' to quit R.
R version 3.2.3 (2015-12-10)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 15.10

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C
 [3] LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8
 [5] LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8
 [7] LC_PAPER=en_US.UTF-8       LC_NAME=C
 [9] LC_ADDRESS=C               LC_TELEPHONE=C
[11] LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base

other attached packages:
[1] openxlsx_3.0.0

loaded via a namespace (and not attached):
[1] Rcpp_0.12.3
Program received signal SIGSEGV, Segmentation fault.
Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13, true,
Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
Rcpp::PreserveStorage> > >::get_vec (this=<optimized out>)
    at /home/pauljohn/R/x86_64-pc-linux-gnu-library/3.2/Rcpp/include/Rcpp/vector/Subsetter.h:199
warning: Source file is more recent than executable.
199                 output[i] = lhs[ indices[i] ];
(gdb) backtrace
#0  Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13, true,
Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
Rcpp::PreserveStorage> > >::get_vec (this=<optimized out>)
    at /home/pauljohn/R/x86_64-pc-linux-gnu-library/3.2/Rcpp/include/Rcpp/vector/Subsetter.h:199
#1  Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13, true,
Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
Rcpp::PreserveStorage> > >::operator Rcpp::Vector<13,
Rcpp::PreserveStorage> (this=<optimized out>)
    at /home/pauljohn/R/x86_64-pc-linux-gnu-library/3.2/Rcpp/include/Rcpp/vector/Subsetter.h:125
#2  readWorkbook (v=..., r=..., string_refs=..., is_date=...,
nRows=34999, nRows at entry=35000,
    hasColNames=hasColNames at entry=true, skipEmptyRows=true,
originAdj=25569, clean_names=...) at cppFunctions.cpp:2448
#3  0x00007ffff2e607c0 in openxlsx_readWorkbook (vSEXP=<optimized
out>, rSEXP=0x7fffee37e010,
    string_refsSEXP=0x7fffaf0a9010, is_dateSEXP=0x214d7e8,
nRowsSEXP=<optimized out>, hasColNamesSEXP=<optimized out>,
    skipEmptyRowsSEXP=0x212e6f8, originAdjSEXP=0x2145428,
clean_namesSEXP=0x22f92f0) at RcppExports.cpp:580
#4  0x00007ffff78f0550 in ?? () from /usr/lib/R/lib/libR.so
#5  0x00007ffff78f0948 in ?? () from /usr/lib/R/lib/libR.so
#6  0x00007ffff792c108 in Rf_eval () from /usr/lib/R/lib/libR.so
#7  0x00007ffff792f52e in ?? () from /usr/lib/R/lib/libR.so
#8  0x00007ffff792bf0d in Rf_eval () from /usr/lib/R/lib/libR.so
#9  0x00007ffff792de88 in ?? () from /usr/lib/R/lib/libR.so
#10 0x00007ffff792bf0d in Rf_eval () from /usr/lib/R/lib/libR.so
#11 0x00007ffff7931909 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
#12 0x00007ffff79612b8 in ?? () from /usr/lib/R/lib/libR.so
#13 0x00007ffff796171f in ?? () from /usr/lib/R/lib/libR.so
#14 0x00007ffff7961986 in ?? () from /usr/lib/R/lib/libR.so
#15 0x00007ffff792bf0d in Rf_eval () from /usr/lib/R/lib/libR.so
#16 0x00007ffff792de88 in ?? () from /usr/lib/R/lib/libR.so
#17 0x00007ffff792bf0d in Rf_eval () from /usr/lib/R/lib/libR.so
#18 0x00007ffff7931909 in Rf_applyClosure () from /usr/lib/R/lib/libR.so
#19 0x00007ffff792bcef in Rf_eval () from /usr/lib/R/lib/libR.so
#20 0x00007ffff792f52e in ?? () from /usr/lib/R/lib/libR.so
#21 0x00007ffff792bf0d in Rf_eval () from /usr/lib/R/lib/libR.so
#22 0x00007ffff795422a in Rf_ReplIteration () from /usr/lib/R/lib/libR.so
#23 0x00007ffff7954591 in ?? () from /usr/lib/R/lib/libR.so
#24 0x00007ffff7954af4 in run_Rmainloop () from /usr/lib/R/lib/libR.so
#25 0x00000000004007eb in main ()
#26 0x00007ffff7257a40 in __libc_start_main (main=0x4007d0 <main>,
argc=3, argv=0x7fffffffde88, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffde78) at libc-start.c:289
#27 0x0000000000400829 in _start ()

pj
On Thu, Jan 28, 2016 at 1:40 PM, Kevin Ushey <kevinushey at gmail.com> wrote:

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Kevin Ushey
    

    

      
      #
    

  


  

      
Thanks -- this is helpful. Based on the stack trace, it looks like the
error is coming out of here:

https://github.com/awalker89/openxlsx/blob/b92bb3acdd6ea759be928c298c6faeef2f26fa3e/src/cppFunctions.cpp#L2608

Whether this is an error in the Rcpp SubsetProxy class, or the vectors
the package authors are using, or, some strange local system issue,
remains to be seen.

Can you try installing the development of both Rcpp and openxlsx just
to see if you can reproduce? You can install the corresponding
versions from GitHub, using e.g.

    devtools::install_github("RcppCore/Rcpp")
    devtools::install_github("awalker89/openxlsx")

I'll see if I can reproduce on an Ubuntu machine later as well.

Thanks,
Kevin

        
On Thu, Jan 28, 2016 at 11:54 AM, Paul Johnson <pauljohn32 at gmail.com> wrote:

            

      
      
      
    

        

      
      
    

            

      
      
      
    

  
  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
Paul,

I can reproduce the segfault on Ubuntu 15.10, "everything current".
Definitely a valid bug report, though a 30mb xlsx may not qualify as
minimal.

I won't have time to look at this for a while though so if you find that
downgrading helps that may be your best bet.

Thanks for the report.  I am so used to simple segfaults from ABI mixings
(g++-5.* will do that for you...) that I called this wrongly at first. 

Dirk

/tmp/pj/openxlsx_failure$ Rscript
Reproducible_openxlsx_failure.R
R version 3.2.3 (2015-12-10)
Platform: x86_64-pc-linux-gnu (64-bit)
Running under: Ubuntu 15.10

locale:
 [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C
 LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8
 LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8    LC_PAPER=en_US.UTF-8
  [8] LC_NAME=C                  LC_ADDRESS=C               LC_TELEPHONE=C
 LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C

attached base packages:
[1] stats     graphics  grDevices utils     datasets  base

other attached packages:
[1] openxlsx_3.0.0

loaded via a namespace (and not attached):
[1] Rcpp_0.12.3.1 methods_3.2.3

 *** caught segfault ***
 address 0x7fd5b83d8038, cause 'memory not mapped'

Traceback:
 1: .Call("openxlsx_readWorkbook", v, r, string_refs, isDate, nRows,
 colNames, skipEmptyRows, origin, clean_names, PACKAGE = "openxlsx")
 2: read.xlsx.default("Failure_to_Import.xlsx", colNames = TRUE)
 3: read.xlsx("Failure_to_Import.xlsx", colNames = TRUE)
aborting ...

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
Paul,

It does not appear to be a new bug. As this was easily scriptable, I tested
Rcpp 0.12.3, 0.12.2, 0.12.1, 0.12.0, 0.11.6, 0.11.5 and 0.11.4 -- all by
getting the tarball off CRAN, installing, re-installing openxlsx and then
running your script. They all died by segfault.

It may be an old bug masked by the C++ library, or a new misfeature tickled
by it.  It could also 'just' be something with the xlsx sheet.  If someone
has the appetite for a debugging session it would be interesting to see what
happens.

Dirk

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Qiang Kou
    

    

      
      #
    

  


  

      
No errors on OSX with R 3.2.2.

Rcpp and openxlsx are installed from CRAN with type = "source".

KK

        
On Thu, Jan 28, 2016 at 4:59 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

        

            

      
      
      
    

        

      
      
    

        

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
On 28 January 2016 at 17:42, Qiang Kou wrote:

        
| No errors on OSX with R 3.2.2.
| 
| Rcpp and openxlsx are installed from CRAN with type = "source".

Very helpful -- thank you!

Dirk

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Paul Johnson
    

    

      
      #
    

  


  

      
Thanks.

        
On Thu, Jan 28, 2016 at 2:42 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

            

      
      
      
    

        
I'm glad I did not attach it to an email, then :)

The data xlsx provided by the client is about 2 times as big, I had a
GRA whittled it down for your entertainment.

If we whittle xlsx file down to a few lines, it does not seg fault, apparently.

I'm going crazy trying to downgrade R in Ubuntu see where that leads.
I was using 3.2.2 until a couple of days ago and I never saw a hint of
trouble from Rcpp or openxlsx.

            

      
      
      
    

        

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
On 28 January 2016 at 21:47, Paul Johnson wrote:

        
| Thanks.
|

        
| On Thu, Jan 28, 2016 at 2:42 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

        
| >
| > Paul,
| >
| > I can reproduce the segfault on Ubuntu 15.10, "everything current".
| > Definitely a valid bug report, though a 30mb xlsx may not qualify as
| > minimal.
| >
| I'm glad I did not attach it to an email, then :)
| 
| The data xlsx provided by the client is about 2 times as big, I had a
| GRA whittled it down for your entertainment.
| 
| If we whittle xlsx file down to a few lines, it does not seg fault, apparently.
| 
| I'm going crazy trying to downgrade R in Ubuntu see where that leads.
| I was using 3.2.2 until a couple of days ago and I never saw a hint of
| trouble from Rcpp or openxlsx.

Sorry that is so frustrating, I know.  Maybe using clang++ can help as it did
for KK on OS X.  (Though clang++ remains frustrating on Ubuntu as you have to
fiddle with -I... switches.)

Dirk
| 
| > I won't have time to look at this for a while though so if you find that
| > downgrading helps that may be your best bet.
| >
| > Thanks for the report.  I am so used to simple segfaults from ABI mixings
| > (g++-5.* will do that for you...) that I called this wrongly at first.
| >
| > Dirk
| >
| > /tmp/pj/openxlsx_failure$ Rscript
| > Reproducible_openxlsx_failure.R
| > R version 3.2.3 (2015-12-10)
| > Platform: x86_64-pc-linux-gnu (64-bit)
| > Running under: Ubuntu 15.10
| >
| > locale:
| >  [1] LC_CTYPE=en_US.UTF-8       LC_NUMERIC=C
| >  LC_TIME=en_US.UTF-8        LC_COLLATE=en_US.UTF-8
| >  LC_MONETARY=en_US.UTF-8    LC_MESSAGES=en_US.UTF-8    LC_PAPER=en_US.UTF-8
| >   [8] LC_NAME=C                  LC_ADDRESS=C               LC_TELEPHONE=C
| >  LC_MEASUREMENT=en_US.UTF-8 LC_IDENTIFICATION=C
| >
| > attached base packages:
| > [1] stats     graphics  grDevices utils     datasets  base
| >
| > other attached packages:
| > [1] openxlsx_3.0.0
| >
| > loaded via a namespace (and not attached):
| > [1] Rcpp_0.12.3.1 methods_3.2.3
| >
| >  *** caught segfault ***
| >  address 0x7fd5b83d8038, cause 'memory not mapped'
| >
| > Traceback:
| >  1: .Call("openxlsx_readWorkbook", v, r, string_refs, isDate, nRows,
| >  colNames, skipEmptyRows, origin, clean_names, PACKAGE = "openxlsx")
| >  2: read.xlsx.default("Failure_to_Import.xlsx", colNames = TRUE)
| >  3: read.xlsx("Failure_to_Import.xlsx", colNames = TRUE)
| > aborting ...
| >
| >
| > --
| > http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
| 
| 
| 
| -- 
| Paul E. Johnson
| Professor, Political Science        Director
| 1541 Lilac Lane, Room 504      Center for Research Methods
| University of Kansas                 University of Kansas
| http://pj.freefaculty.org              http://crmda.ku.edu

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Kevin Ushey
    

    

      
      #
    

  


  

      
When I add some debug printing to the associated subscripting line
(https://github.com/awalker89/openxlsx/blob/b92bb3acdd6ea759be928c298c6faeef2f26fa3e/src/cppFunctions.cpp#L2608),
I see:

   colNumbers.size(): 98,03,150
   charCols.size(): 95,94,546

It looks to me like the package is erroneously attempting to subset
vectors of different sizes, causing out-of-bounds reads.
Unfortunately, Rcpp is not detecting or warning about this...

Either way, I believe this is a bug in the openxlsx package, but Rcpp
should be checking / reporting this.

Kevin

        
On Fri, Jan 29, 2016 at 4:52 AM, Dirk Eddelbuettel <edd at debian.org> wrote:

            

      
      
      
    

        

      
      
    

  
  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
On 29 January 2016 at 11:27, Kevin Ushey wrote:

        
| When I add some debug printing to the associated subscripting line
| (https://github.com/awalker89/openxlsx/blob/b92bb3acdd6ea759be928c298c6faeef2f26fa3e/src/cppFunctions.cpp#L2608),
| I see:
| 
|    colNumbers.size(): 98,03,150
|    charCols.size(): 95,94,546
| 
| It looks to me like the package is erroneously attempting to subset
| vectors of different sizes, causing out-of-bounds reads.

Nice work.

| Unfortunately, Rcpp is not detecting or warning about this...
| 
| Either way, I believe this is a bug in the openxlsx package, but Rcpp
| should be checking / reporting this.

With (Rcpp)Armadillo you do have an option of turning this on/off. With Rcpp
alone not quite.

Dirk

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Qiang Kou
    

    

      
      #
    

  


  

      
Hi, Kevin, I was also trying to track this down yesterday.

            

      
      
      
    

        
*indices*, which I don't quite understand.

Program received signal SIGSEGV, Segmentation fault.

0x00007ffff2ed5c4e in Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13,
true, Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
Rcpp::PreserveStorage> > >::get_vec (this=this at entry=0x7fffffff79a0)

    at
/usr/local/lib/R/site-library/Rcpp/include/Rcpp/vector/Subsetter.h:200

199             output[i] = lhs[ indices[i] ];

(gdb) p i

$1 = 33622

(gdb) p indices[i]

Cannot access memory at address 0x34c6e000

(gdb) p indices_n

$2 = 9594546

        
On Fri, Jan 29, 2016 at 2:29 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

        

            

      
      
      
    

        

      
      
    

        

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Qiang Kou
    

    

      
      #
    

  


  

      
Hi, Paul, can you try my fork of Rcpp? You can install it by the line below:

devtools::install_github("thirdwing/Rcpp", ref = "subsetter")

This fixed the segfault on my Ubuntu machine.

The difference can be found from [1].

In *subsetter*, if an IntegerVector passed in, we will try to reuse it.
This led to a segfault in this case, which I don't know why.

Dirk and Kevin, do you have any thoughts on it?

Best wishes,

KK

[1]
https://github.com/thirdwing/Rcpp/commit/216c5220bcb84778a656b3496d0f1803b973ef61

        
On Fri, Jan 29, 2016 at 3:00 PM, Qiang Kou <qkou at umail.iu.edu> wrote:

        

            

      
      
      
    

        

      
      
    

            

      
      
      
    

        

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
On 29 January 2016 at 17:55, Qiang Kou wrote:

        
| Hi, Paul, can you try my fork of Rcpp? You can install it by the line below:
| 
| devtools::install_github("thirdwing/Rcpp", ref = "subsetter")
| 
| This fixed the segfault on my Ubuntu machine.

Yay. Nice work!
 
| The difference can be found from [1].

Nice and concise.
 
| In subsetter, if an IntegerVector passed in, we will try to reuse it. This led
| to a segfault in this case, which I don't know why.
| 
| Dirk and Kevin, do you have any thoughts on it?

Not really, but happy to give this the full reverse-dependency check
treatment so that we can merge it.

Dirk

 
| Best wishes,
| 
| KK
| 
| [1]?https://github.com/thirdwing/Rcpp/commit/
| 216c5220bcb84778a656b3496d0f1803b973ef61
| 
|

        
| On Fri, Jan 29, 2016 at 3:00 PM, Qiang Kou <qkou at umail.iu.edu> wrote:

        
| 
| 
|     Hi, Kevin, I was also trying to track this down yesterday.
| 
|     From the debugging info below, indices_n is not equal to length of indices,
|     which I don't quite understand.
| 
|     Program received signal SIGSEGV, Segmentation fault.
| 
|     0x00007ffff2ed5c4e in Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13,
|     true, Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
|     Rcpp::PreserveStorage> > >::get_vec (this=this at entry=0x7fffffff79a0)
| 
|     ? ? at /usr/local/lib/R/site-library/Rcpp/include/Rcpp/vector/
|     Subsetter.h:200
| 
|     199?? ? ? ? ? ? output[i] = lhs[ indices[i] ];
| 
|     (gdb) p i
| 
|     $1 = 33622
| 
|     (gdb) p indices[i]
| 
|     Cannot access memory at address 0x34c6e000
| 
|     (gdb) p indices_n
| 
|     $2 = 9594546
| 
|

        
|     On Fri, Jan 29, 2016 at 2:29 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

        
| 
|

        
|         On 29 January 2016 at 11:27, Kevin Ushey wrote:

        
|         | When I add some debug printing to the associated subscripting line
|         | (https://github.com/awalker89/openxlsx/blob/
|         b92bb3acdd6ea759be928c298c6faeef2f26fa3e/src/cppFunctions.cpp#L2608),
|         | I see:
|         |
|         |? ? colNumbers.size(): 98,03,150
|         |? ? charCols.size(): 95,94,546
|         |
|         | It looks to me like the package is erroneously attempting to subset
|         | vectors of different sizes, causing out-of-bounds reads.
| 
|         Nice work.
|        
|         | Unfortunately, Rcpp is not detecting or warning about this...
|         |
|         | Either way, I believe this is a bug in the openxlsx package, but Rcpp
|         | should be checking / reporting this.
| 
|         With (Rcpp)Armadillo you do have an option of turning this on/off. With
|         Rcpp
|         alone not quite.
|        
|         Dirk
|        
|         --
|         http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
|         _______________________________________________
|         Rcpp-devel mailing list
|         Rcpp-devel at lists.r-forge.r-project.org
|         https://lists.r-forge.r-project.org/cgi-bin/mailman/listinfo/rcpp-devel
| 
| 
| 
| 
|     --
|     Qiang Kou
|     qkou at umail.iu.edu
|     School of Informatics and Computing, Indiana University
| 
| 
| 
| 
| 
| --
| Qiang Kou
| qkou at umail.iu.edu
| School of Informatics and Computing, Indiana University
|

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Kevin Ushey
    

    

      
      #
    

  


  

      
Hmm, I have one thought: we try to re-use the indices from an
IntegerVector, but the type here is actually a sugar type:

    Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13, true,
    Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
    Rcpp::PreserveStorage> > >::get_vec (this=<optimized out>)

Ie, we access the indices with `INTEGER(x)`, but perhaps those indices
have not actually been properly materialized when we attempt to
perform the subset?

But then, a simple test case with `x[y - 1]` with `x` and `y` both
being integer vectors seems to work just fine. So I am a bit confused.

        
On Fri, Jan 29, 2016 at 3:16 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

            

      
      
      
    

  
  


  


      

    

    

      
      

        


  

        

      Qiang Kou
    

    

      
      #
    

  


  

      
Another thing confused me is the segfault only happens when the
IntegerVector is significantly long.

Best,

KK

        
On Sat, Jan 30, 2016 at 2:57 AM, Kevin Ushey <kevinushey at gmail.com> wrote:

        

            

      
      
      
    

        

  
    

      
      
    

  


  


      

    

    

      
      

        


  

        

      Kevin Ushey
    

    

      
      #
    

  


  

      
I think I know what's going on now. Effectively, we're 'evaluating'
the sugar proxy vector, getting a pointer to a (temporary,
unprotected) R data structure, and then storing that pointer. Later,
when we attempt to allocate the output vector (with `no_init`) the GC
runs and cleans up our pointer.

See:

    https://github.com/RcppCore/Rcpp/blob/master/inst/include/Rcpp/vector/Subsetter.h#L147
    https://github.com/RcppCore/Rcpp/blob/master/inst/include/Rcpp/vector/Subsetter.h#L197

The 'best' fix here is to only re-use the indices for an actual
IntegerVector, and generate the indices from sugar proxies, but I'm
not exactly sure how to best handle that. It's also possible that if
we just allocated the output vector earlier (ie, before getting a
pointer to our subset proxy), that we'd avoid the R gc cleaning up our
vector.

FWIW, we should be able to reproduce this reliably when running under
`gctorture()`...

Kevin

        
On Sat, Jan 30, 2016 at 7:07 AM, Qiang Kou <qkou at umail.iu.edu> wrote:

            

      
      
      
    

  
  


  


      

    

    

      
      

        


  

        

      Kevin Ushey
    

    

      
      #
    

  


  

      
And I now have a MRE:

#include <Rcpp.h>
using namespace Rcpp;

// [[Rcpp::export]]
IntegerVector ouch(IntegerVector x, IntegerVector y) {
  IntegerVector result;
  result = x[y - 1];
  return result;
}

/*** R
x <- 1:1E6
y <- 1:1E6
gctorture(TRUE)
x <- ouch(x, y)
gctorture(FALSE)
*/

This fails pretty reliably for me. Perhaps we can add this to our unit tests.

        
On Sat, Jan 30, 2016 at 1:44 PM, Kevin Ushey <kevinushey at gmail.com> wrote:

            

      
      
      
    

  
  


  


      

    

    

      
      

        


  

        

      Dirk Eddelbuettel
    

    

      
      #
    

  


  

      
On 30 January 2016 at 13:58, Kevin Ushey wrote:

        
| And I now have a MRE:
| 
| #include <Rcpp.h>
| using namespace Rcpp;
| 
| // [[Rcpp::export]]
| IntegerVector ouch(IntegerVector x, IntegerVector y) {
|   IntegerVector result;
|   result = x[y - 1];
|   return result;
| }
| 
| /*** R
| x <- 1:1E6
| y <- 1:1E6
| gctorture(TRUE)
| x <- ouch(x, y)
| gctorture(FALSE)
| */
| 
| This fails pretty reliably for me. Perhaps we can add this to our unit tests.

Sweet.

We generally do not run gctorture() in unit tests though.  We could -- maybe
with a new environment variable to turn it on (somewhat selectively) ?

Dirk

        
| On Sat, Jan 30, 2016 at 1:44 PM, Kevin Ushey <kevinushey at gmail.com> wrote:

        
| > I think I know what's going on now. Effectively, we're 'evaluating'
| > the sugar proxy vector, getting a pointer to a (temporary,
| > unprotected) R data structure, and then storing that pointer. Later,
| > when we attempt to allocate the output vector (with `no_init`) the GC
| > runs and cleans up our pointer.
| >
| > See:
| >
| >     https://github.com/RcppCore/Rcpp/blob/master/inst/include/Rcpp/vector/Subsetter.h#L147
| >     https://github.com/RcppCore/Rcpp/blob/master/inst/include/Rcpp/vector/Subsetter.h#L197
| >
| > The 'best' fix here is to only re-use the indices for an actual
| > IntegerVector, and generate the indices from sugar proxies, but I'm
| > not exactly sure how to best handle that. It's also possible that if
| > we just allocated the output vector earlier (ie, before getting a
| > pointer to our subset proxy), that we'd avoid the R gc cleaning up our
| > vector.
| >
| > FWIW, we should be able to reproduce this reliably when running under
| > `gctorture()`...
| >
| > Kevin
| >

        
| > On Sat, Jan 30, 2016 at 7:07 AM, Qiang Kou <qkou at umail.iu.edu> wrote:

        
| >> Another thing confused me is the segfault only happens when the
| >> IntegerVector is significantly long.
| >>
| >> Best,
| >>
| >> KK
| >>

        
| >> On Sat, Jan 30, 2016 at 2:57 AM, Kevin Ushey <kevinushey at gmail.com> wrote:

        
| >>>
| >>> Hmm, I have one thought: we try to re-use the indices from an
| >>> IntegerVector, but the type here is actually a sugar type:
| >>>
| >>>     Rcpp::SubsetProxy<13, Rcpp::PreserveStorage, 13, true,
| >>>     Rcpp::sugar::Minus_Vector_Primitive<13, true, Rcpp::Vector<13,
| >>>     Rcpp::PreserveStorage> > >::get_vec (this=<optimized out>)
| >>>
| >>> Ie, we access the indices with `INTEGER(x)`, but perhaps those indices
| >>> have not actually been properly materialized when we attempt to
| >>> perform the subset?
| >>>
| >>> But then, a simple test case with `x[y - 1]` with `x` and `y` both
| >>> being integer vectors seems to work just fine. So I am a bit confused.
| >>>

        
| >>> On Fri, Jan 29, 2016 at 3:16 PM, Dirk Eddelbuettel <edd at debian.org> wrote:

        
| >>> >

        
| >>> > On 29 January 2016 at 17:55, Qiang Kou wrote:

        
| >>> > | Hi, Paul, can you try my fork of Rcpp? You can install it by the line
| >>> > below:
| >>> > |
| >>> > | devtools::install_github("thirdwing/Rcpp", ref = "subsetter")
| >>> > |
| >>> > | This fixed the segfault on my Ubuntu machine.
| >>> >
| >>> > Yay. Nice work!
| >>> >
| >>> > | The difference can be found from [1].
| >>> >
| >>> > Nice and concise.
| >>> >
| >>> > | In subsetter, if an IntegerVector passed in, we will try to reuse it.
| >>> > This led
| >>> > | to a segfault in this case, which I don't know why.
| >>> > |
| >>> > | Dirk and Kevin, do you have any thoughts on it?
| >>> >
| >>> > Not really, but happy to give this the full reverse-dependency check
| >>> > treatment so that we can merge it.
| >>> >
| >>> > Dirk
| >>> >
| >>> >
| >>> > | Best wishes,
| >>> > |
| >>> > | KK
| >>> > |
| >>> > | [1] https://github.com/thirdwing/Rcpp/commit/
| >>> > | 216c5220bcb84778a656b3496d0f1803b973ef61
| >>> > |
| >>> > |

        
| >>> > | On Fri, Jan 29, 2016 at 3:00 PM, Qiang Kou <qkou at umail.iu.edu> wrote:

        
| >>> > |
| >>> > |
| >>> > |     Hi, Kevin, I was also trying to track this down yesterday.
| >>> > |
| >>> > |     From the debugging info below, indices_n is not equal to length of
| >>> > indices,
| >>> > |     which I don't quite understand.
| >>> > |
| >>> > |     Program received signal SIGSEGV, Segmentation fault.
| >>> > |
| >>> > |     0x00007ffff2ed5c4e in Rcpp::SubsetProxy<13, Rcpp::PreserveStorage,
| >>> > 13,
| >>> > |     true, Rcpp::sugar::Minus_Vector_Primitive<13, true,
| >>> > Rcpp::Vector<13,
| >>> > |     Rcpp::PreserveStorage> > >::get_vec
| >>> > (this=this at entry=0x7fffffff79a0)
| >>> > |
| >>> > |         at /usr/local/lib/R/site-library/Rcpp/include/Rcpp/vector/
| >>> > |     Subsetter.h:200
| >>> > |
| >>> > |     199             output[i] = lhs[ indices[i] ];
| >>> > |
| >>> > |     (gdb) p i
| >>> > |
| >>> > |     $1 = 33622
| >>> > |
| >>> > |     (gdb) p indices[i]
| >>> > |
| >>> > |     Cannot access memory at address 0x34c6e000
| >>> > |
| >>> > |     (gdb) p indices_n
| >>> > |
| >>> > |     $2 = 9594546
| >>> > |
| >>> > |
| >>> > |     On Fri, Jan 29, 2016 at 2:29 PM, Dirk Eddelbuettel

        
| >>> > <edd at debian.org> wrote:

        
| >>> > |
| >>> > |

        
| >>> > |         On 29 January 2016 at 11:27, Kevin Ushey wrote:

        
| >>> > |         | When I add some debug printing to the associated
| >>> > subscripting line
| >>> > |         | (https://github.com/awalker89/openxlsx/blob/
| >>> > |
| >>> > b92bb3acdd6ea759be928c298c6faeef2f26fa3e/src/cppFunctions.cpp#L2608),
| >>> > |         | I see:
| >>> > |         |
| >>> > |         |    colNumbers.size(): 98,03,150
| >>> > |         |    charCols.size(): 95,94,546
| >>> > |         |
| >>> > |         | It looks to me like the package is erroneously attempting to
| >>> > subset
| >>> > |         | vectors of different sizes, causing out-of-bounds reads.
| >>> > |
| >>> > |         Nice work.
| >>> > |
| >>> > |         | Unfortunately, Rcpp is not detecting or warning about
| >>> > this...
| >>> > |         |
| >>> > |         | Either way, I believe this is a bug in the openxlsx package,
| >>> > but Rcpp
| >>> > |         | should be checking / reporting this.
| >>> > |
| >>> > |         With (Rcpp)Armadillo you do have an option of turning this
| >>> > on/off. With
| >>> > |         Rcpp
| >>> > |         alone not quite.
| >>> > |
| >>> > |         Dirk
| >>> > |
| >>> > |         --
| >>> > |         http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
| >>> > |         _______________________________________________
| >>> > |         Rcpp-devel mailing list
| >>> > |         Rcpp-devel at lists.r-forge.r-project.org
| >>> > |
| >>> > https://lists.r-forge.r-project.org/cgi-bin/mailman/listinfo/rcpp-devel
| >>> > |
| >>> > |
| >>> > |
| >>> > |
| >>> > |     --
| >>> > |     Qiang Kou
| >>> > |     qkou at umail.iu.edu
| >>> > |     School of Informatics and Computing, Indiana University
| >>> > |
| >>> > |
| >>> > |
| >>> > |
| >>> > |
| >>> > | --
| >>> > | Qiang Kou
| >>> > | qkou at umail.iu.edu
| >>> > | School of Informatics and Computing, Indiana University
| >>> > |
| >>> >
| >>> > --
| >>> > http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
| >>
| >>
| >>
| >>
| >> --
| >> Qiang Kou
| >> qkou at umail.iu.edu
| >> School of Informatics and Computing, Indiana University
| >>