Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix memory access out of bounds in numpy + chrome 89 #1474

Merged
merged 23 commits into from
Apr 17, 2021
+348 −4
Merged

Fix memory access out of bounds in numpy + chrome 89 #1474

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
8fb7a70
Another numpy patch
Apr 15, 2021
f5ba767
Fix compile error
Apr 15, 2021
3b50bd9
Another try at patching PyArray_Broadcast
Apr 15, 2021
9c50394
Try again with correct type for it_ptr
Apr 15, 2021
2426e95
Add missing semicolon
Apr 15, 2021
3267a8e
Attempt 3
Apr 15, 2021
8d15840
Forgot some semicolons
Apr 15, 2021
e422021
Fix memory proxy macros / functions
Apr 15, 2021
0e30a22
Yet aanother attempt
Apr 16, 2021
cb8c23e
Fix ReferenceError
Apr 16, 2021
d7caf6c
Fix reference errors
Apr 16, 2021
215112f
Okay I think this works now?
Apr 16, 2021
9797c1d
Define PyArray_Broadcast_part1 when not compiling with __EMSCRIPTEN__
Apr 16, 2021
e5fbf97
Fix compile errors
Apr 16, 2021
e0ba4be
Fix native build error
Apr 16, 2021
f29f041
Cleanup
Apr 16, 2021
0cae03c
Finish cleanup
Apr 16, 2021
3ceb249
Update comment
Apr 16, 2021
0b9b738
Remove old patch
Apr 16, 2021
24e8698
Fix commented original function
Apr 16, 2021
1f9727c
Tiny cleanup of patch
Apr 16, 2021
630cd04
Fix patch
Apr 16, 2021
c26d66f
Fix ReferenceError
Apr 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Yet aanother attempt
  • Loading branch information
Hood committed Apr 16, 2021
commit 0e30a222d915b63cd265d9d5cee805101247e4f9
1 change: 1 addition & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ all: check \
build/pyodide.asm.js: \
src/core/docstring.o \
src/core/error_handling.o \
src/core/PyArray_Broadcast.o \
src/core/hiwire.o \
src/core/js2python.o \
src/core/jsproxy.o \
Expand Down
130 changes: 35 additions & 95 deletions packages/numpy/patches/0001-temp.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,125 +1,65 @@
From e032fb0cc5e98601f96ae8800c8b6785cd1e9f89 Mon Sep 17 00:00:00 2001
From 406f26be6c693603f266d58220ac28b388f2a93a Mon Sep 17 00:00:00 2001
From: Hood <hood@mit.edu>
Date: Fri, 2 Apr 2021 14:24:24 -0700
Date: Thu, 15 Apr 2021 21:14:55 -0700
Subject: [PATCH] temp

---
numpy/core/src/multiarray/conversion_utils.c | 5 +-
numpy/core/src/multiarray/iterators.c | 56 ++++++++++++++++----
2 files changed, 48 insertions(+), 13 deletions(-)
numpy/core/src/multiarray/iterators.c | 35 ++++-----------------------
1 file changed, 5 insertions(+), 30 deletions(-)

diff --git a/numpy/core/src/multiarray/conversion_utils.c b/numpy/core/src/multiarray/conversion_utils.c
index 52cb58726..5467f4d78 100644
--- a/numpy/core/src/multiarray/conversion_utils.c
+++ b/numpy/core/src/multiarray/conversion_utils.c
@@ -955,9 +955,9 @@ PyArray_IntpFromIndexSequence(PyObject *seq, npy_intp *vals, npy_intp maxvals)
return -1;
}

- vals[i] = PyArray_PyIntAsIntp(op);
+ npy_intp x = PyArray_PyIntAsIntp(op);
Py_DECREF(op);
- if(vals[i] == -1) {
+ if(x == -1) {
err = PyErr_Occurred();
if (err &&
PyErr_GivenExceptionMatches(err, PyExc_OverflowError)) {
@@ -968,6 +968,7 @@ PyArray_IntpFromIndexSequence(PyObject *seq, npy_intp *vals, npy_intp maxvals)
return -1;
}
}
+ vals[i] = x;
}
}
return nd;
diff --git a/numpy/core/src/multiarray/iterators.c b/numpy/core/src/multiarray/iterators.c
index 9da811f69..1e25fc7f6 100644
index 9da811f69..f723c7646 100644
--- a/numpy/core/src/multiarray/iterators.c
+++ b/numpy/core/src/multiarray/iterators.c
@@ -1153,6 +1153,37 @@ NPY_NO_EXPORT PyTypeObject PyArrayIter_Type = {
@@ -1153,6 +1153,9 @@ NPY_NO_EXPORT PyTypeObject PyArrayIter_Type = {

/** END of Array Iterator **/

+__attribute__((noinline))
+NPY_NO_EXPORT int
+PyArray_Broadcast_GetNd(PyArrayMultiIterObject *mit){
+ int i, nd;
+ /* Discover the broadcast number of dimensions */
+ for (i = 0, nd = 0; i < mit->numiter; i++) {
+ nd = PyArray_MAX(nd, PyArray_NDIM(mit->iters[i]->ao));
+ }
+ return nd;
+}
+
+__attribute__((noinline))
+NPY_NO_EXPORT
+void
+write_to_ptr(void *ptr, void* val){
+ *((void**)(ptr)) = val;
+}
+
+__attribute__((noinline))
+NPY_NO_EXPORT
+void *
+read_from_ptr(void *ptr){
+ return *(void**)(ptr);
+}
+
+#define TO_VOID(x) ((void*)(x))
+#define TO_INTP(x) ((npy_intp)(x))
+#define WRITE(x, val) write_to_ptr(TO_VOID(x), TO_VOID(val))
+#define READ(x) read_from_ptr(TO_VOID(x))
+#define READ_INTP(x) TO_INTP(READ(x))
+int
+PyArray_Broadcast_part1(void *mit);
+
/* Adjust dimensionality and strides for index object iterators
--- i.e. broadcast
*/
@@ -1161,31 +1192,34 @@ NPY_NO_EXPORT int
PyArray_Broadcast(PyArrayMultiIterObject *mit)
{
int i, nd, k, j;
- npy_intp tmp;
+ npy_intp tmp, tmp2;
@@ -1164,36 +1167,8 @@ PyArray_Broadcast(PyArrayMultiIterObject *mit)
npy_intp tmp;
PyArrayIterObject *it;
+ PyArrayIterObject **it_ptr;

- /* Discover the broadcast number of dimensions */
- for (i = 0, nd = 0; i < mit->numiter; i++) {
- nd = PyArray_MAX(nd, PyArray_NDIM(mit->iters[i]->ao));
- }
+ nd = PyArray_Broadcast_GetNd(mit);
mit->nd = nd;

/* Discover the broadcast shape in each dimension */
for (i = 0; i < nd; i++) {
mit->dimensions[i] = 1;
- mit->nd = nd;
-
- /* Discover the broadcast shape in each dimension */
- for (i = 0; i < nd; i++) {
- mit->dimensions[i] = 1;
- for (j = 0; j < mit->numiter; j++) {
- it = mit->iters[j];
+ }
+
+ it_ptr = &mit->iters[0];
+ for (j = 0; j < mit->numiter; j++, it_ptr++) {
+ it = *it_ptr;
+ for (i = 0; i < nd; i++) {
/* This prepends 1 to shapes not already equal to nd */
k = i + PyArray_NDIM(it->ao) - nd;
if (k >= 0) {
- /* This prepends 1 to shapes not already equal to nd */
- k = i + PyArray_NDIM(it->ao) - nd;
- if (k >= 0) {
- tmp = PyArray_DIMS(it->ao)[k];
+ tmp = READ_INTP(&PyArray_DIMS(it->ao)[k]);
if (tmp == 1) {
continue;
}
- if (tmp == 1) {
- continue;
- }
- if (mit->dimensions[i] == 1) {
- mit->dimensions[i] = tmp;
+ tmp2 = READ_INTP(&mit->dimensions[i]);
+ if (tmp2 == 1) {
+ WRITE(&mit->dimensions[i], tmp);
}
- }
- else if (mit->dimensions[i] != tmp) {
+ else if (tmp2 != tmp) {
PyErr_SetString(PyExc_ValueError,
"shape mismatch: objects" \
" cannot be broadcast" \
- PyErr_SetString(PyExc_ValueError,
- "shape mismatch: objects" \
- " cannot be broadcast" \
- " to a single shape");
- return -1;
- }
- }
- }
+ if(PyArray_Broadcast_part1((void*)mit) == -1){
+ return -1;
}

/*
--
2.17.1

124 changes: 124 additions & 0 deletions src/core/PyArray_Broadcast.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
#define PY_SSIZE_T_CLEAN
#include "Python.h"

#include "error_handling.h"

static void
set_shape_mismatch_err()
{
PyErr_SetString(PyExc_ValueError,
"shape mismatch: objects"
" cannot be broadcast"
" to a single shape");
}

EM_JS_NUM(int, PyArray_Broadcast_part1, (void* mit), {
let i, nd, k, j;
let tmp, tmp2;
let it;
let it_ptr;

let numiter = _HEAP32[(mit + 8) / 4];
/* Discover the broadcast number of dimensions */
nd = 0;
for (i = 0; i < numiter; i++) {
// nd = PyArray_MAX(nd, PyArray_NDIM(mit->iters[i]->ao));
let it = _HEAP32[(mit + 152 + 4 * i) / 4];
// Look up ao
let it_ao = _HEAP32[(res + 660) / 4];
// look up NDIM
let it_ao_ndim = _HEAP32[(res + 12) / 4];
nd = (res > nd) ? res : nd;
}
// mit->nd = nd;
_HEAP32[(mit + 20) / 4] = nd;

/* Discover the broadcast shape in each dimension */
// for (i = 0; i < nd; i++) {
// mit->dimensions[i] = 1;
// }
_HEAP32.subarray((mit + 24) / 4, (mit + 24 + nd) / 4).fill(1);

for (j = 0; j < numiter; j++) {
// it = mit->iters[i];
it = _HEAP32[(mit + 4 * j + 152) / 4];
for (i = 0; i < nd; i++) {
/* This prepends 1 to shapes not already equal to nd */
// k = i + PyArray_NDIM(it->ao) - nd;
let it_ao = _HEAP32[(it + 660) / 4];
let it_ao_ndim = _HEAP32[(ao + 12) / 4];
let k = i + it_ao_ndim - nd;
if (k >= 0) {
// tmp = PyArray_DIMS(it->ao)[k];
let it_dims = _HEAP32[(it_ao + 16) / 4];
let it_dims_k = _HEAP32[(it_dims + 4 * k) / 4];
if (it_dims_k == 1) {
continue;
}
// &mit->dimensions[i];
let mit_dim_i_addr = mit + 4 * i + 24;
// let tmp2 = mit->dimensions[i];
let mit_dim_i = _HEAP32[mit_dim_i_addr / 4];
if (mit_dim_i == = 1) {
_HEAP32[mit_dim_i_addr / 4] = it_dims_k;
} else if (mit_dim_i != = it_dims_k) {
_set_shape_mismatch_err();
return -1;
}
}
}
}
})

// int
// PyArray_Broadcast_inner2(void *mit){
// {
// /*
// * Reset the iterator dimensions and strides of each iterator
// * object -- using 0 valued strides for broadcasting
// * Need to check for overflow
// */
// tmp = PyArray_OverflowMultiplyList(mit->dimensions, mit->nd);
// if (tmp < 0) {
// PyErr_SetString(PyExc_ValueError,
// "broadcast dimensions too large.");
// return -1;
// }
// mit->size = tmp;
// }

// EM_JS(
// int,
// PyArray_Broadcast_inner1, (void *mit) {
// for (i = 0; i < mit->numiter; i++) {
// it = mit->iters[i];
// it->nd_m1 = mit->nd - 1;
// it->size = tmp;
// nd = PyArray_NDIM(it->ao);
// if (nd != 0) {
// it->factors[mit->nd-1] = 1;
// }
// for (j = 0; j < mit->nd; j++) {
// it->dims_m1[j] = mit->dimensions[j] - 1;
// k = j + nd - mit->nd;
// /*
// * If this dimension was added or shape of
// * underlying array was 1
// */
// if ((k < 0) ||
// PyArray_DIMS(it->ao)[k] != mit->dimensions[j]) {
// it->contiguous = 0;
// it->strides[j] = 0;
// }
// else {
// it->strides[j] = PyArray_STRIDES(it->ao)[k];
// }
// it->backstrides[j] = it->strides[j] * it->dims_m1[j];
// if (j > 0)
// it->factors[mit->nd-j-1] =
// it->factors[mit->nd-j] * mit->dimensions[mit->nd-j];
// }
// PyArray_ITER_RESET(it);
// }
// return 0;
// });