MIVisionX icon indicating copy to clipboard operation
MIVisionX copied to clipboard
verified publisher icon ROCm

[Issue]: Segfault in vxCreateTensorFromHandle

Open trixirt opened this issue 10 months ago • 1 comments

Problem Description

Running rocAL basic_test produces this backtrace

_pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0; Missing rpms, try: dnf --enablerepo='debug' install rocal-debuginfo-6.3.3-1.fc43.x86_64 (gdb) bt #0 __pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007ffff6a80343 in __pthread_kill_internal (threadid=, signo=6) at pthread_kill.c:89 #2 0x00007ffff6a26cbe in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007ffff6a0e6d6 in __GI_abort () at abort.c:73 #4 0x00007ffff6a0f6fa in __libc_message_impl (fmt=fmt@entry=0x7ffff6bc2306 "*** %s : terminated\n") at ../sysdeps/posix/libc_fatal.c:134 #5 0x00007ffff6b0d689 in __GI___fortify_fail (msg=msg@entry=0x7ffff6bc22ed "buffer overflow detected") at fortify_fail.c:24 #6 0x00007ffff6b0cf44 in __GI___chk_fail () at chk_fail.c:28 #7 0x00007ffff6b0ee81 in ___vsnprintf_chk (s=, maxlen=, flag=, slen=, format=, ap=) at vsnprintf_chk.c:28 #8 0x00007ffff4d2490f in snprintf(char, unsigned long pass_dynamic_object_size1, char const, ...) ( __s=0x17f8a <error: Cannot access memory at address 0x17f8a>, __n=98186, __fmt=0x22 <error: Cannot access memory at address 0x22>) at /usr/include/bits/stdio2.h:80 #9 0x00007ffff4d38432 in vxCreateTensorFromHandle (context=0x555555ba28f0, number_of_dims=4, dims=0x555555d5b930, data_type=3, fixed_point_position=0 '\000', stride=0x7fffffffd200, ptr=0x7fffffffd268, memory_type=57345) at /usr/src/debug/mivisionx-6.3.2-1.fc43.x86_64/amd_openvx/openvx/api/vx_api.cpp:10171 #10 0x00007ffff7b73256 in Tensor::create_from_handle(_vx_context) () from /lib64/librocal.so.2 #11 0x00007ffff7b57fc4 in MasterGraph::create_loader_output_tensor(TensorInfo const&) () from /lib64/librocal.so.2 #12 0x00007ffff7ad0ac2 in rocalJpegFileSource () from /lib64/librocal.so.2 #13 0x0000555555554798 in main (argc=, argv=) at /usr/include/rocal/rocal_api_types.h:466

The line here https://github.com/ROCm/MIVisionX/blob/develop/amd_openvx/openvx/api/vx_api.cpp#L10171

        char dimStr[256] = "";
        for (vx_size i = 0; i < number_of_dims; i++)
            snprintf(dimStr + strlen(dimStr), sizeof(dimStr), "%s%u", i ? "," : "", (vx_uint32)dims[i]);

dimStr is statically sized, it should be dynamically determined, 256 is a guess. similar for desc. The ptr fed to snprintf is incremented, but the sizeof field is not decremented.

This is general, serious problem in the vx_api.cpp file.

Operating System

Fedora Rawhide

CPU

ALL

GPU

AMD Radeon RX 7900 XTX

Other

No response

ROCm Version

ROCm 6.0.0

ROCm Component

MIVisionX

Steps to Reproduce

No response

(Optional for Linux users) Output of /opt/rocm/bin/rocminfo --support

No response

Additional Information

No response

trixirt avatar Feb 22 '25 18:02 trixirt

Hi @trixirt. Internal ticket has been created to investigate this issue. Thanks!

ppanchad-amd avatar Feb 24 '25 15:02 ppanchad-amd