UFA非法地址访问(UFA illegal address access)

[Ligoml]

Case1: paddle.vision.ops.nms

Reproduced Case：

import paddle
import numpy as np
array = np.array([], dtype=np.float32)
boxes = paddle.to_tensor(np.reshape(array, [0]), dtype='float32')
scores = paddle.to_tensor(np.reshape(array, [2, 0]), dtype='float32')
paddle.vision.ops.nms(boxes, scores=scores, top_k=0)

Stack Trace Message：

==145596==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7a5929ce5e bp 0x7ffca7863050 sp 0x7ffca7862c40 T0)
==145596==The signal is caused by a READ memory access.
==145596==Hint: address points to the zero page.
    #0 0x7f7a5929ce5e in long phi::NMS<float>(float const*, long*, float, long) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/cpu/nms_kernel.cc:37:16
    #1 0x7f7a5929ce5e in void phi::NMSKernel<float, phi::CPUContext>(phi::CPUContext const&, phi::DenseTensor const&, float, phi::DenseTensor*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/cpu/nms_kernel.cc:78:7
    #2 0x7f7a55940a48 in paddle::experimental::nms(paddle::experimental::Tensor const&, float) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/api/lib/api.cc:19394:5
    #3 0x7f7a497d2bff in nms_ad_func(paddle::experimental::Tensor const&, float) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/eager/api/generated/eager_generated/forwards/dygraph_functions.cc:31754:21
    #4 0x7f7a45c33e39 in paddle::pybind::eager_api_nms(_object*, _object*, _object*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/pybind/eager_op_function.cc:13914:48

[Ligoml]

Case2: paddle.scatter

Reproduced Case：

import paddle
import numpy as np
array = np.array([], dtype=np.float32)
x = paddle.to_tensor(np.reshape(array, [0]), dtype='float32')
index = paddle.to_tensor([1], dtype='int32')
updates = paddle.to_tensor([1.1], dtype='float32')
paddle.scatter(x, index, updates)

Stack Trace Message：

AddressSanitizer:DEADLYSIGNAL
=================================================================
==37775==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f9d14613c5b bp 0x7ffc867b6a30 sp 0x7ffc867b61e8 T0)
==37775==The signal is caused by a WRITE memory access.
==37775==Hint: address points to the zero page.
    #0 0x7f9d14613c5b  /build/glibc-S7Ft5T/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:148
    #1 0x7f9d15736391 in __asan_memcpy (/home/work/wangying/paddlepaddle/pdpd_fuzz_protobuf/pdpd-env/clang_pd_fuzz_env/lib/python3.8/site-packages/asan_with_fuzzer.so+0x136391)
    #2 0x7f9c5ed72aa0 in void phi::funcs::ScatterAssign<float, int>(phi::CPUContext const&, phi::DenseTensor const&, phi::DenseTensor const&, phi::DenseTensor*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/funcs/scatter.h:137:5
    #3 0x7f9c5ed712f4 in void phi::ScatterKernel<float, phi::CPUContext>(phi::CPUContext const&, phi::DenseTensor const&, phi::DenseTensor const&, phi::DenseTensor const&, bool, phi::DenseTensor*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/cpu/scatter_kernel.cc:47:7
    #4 0x7f9c5cec3107 in paddle::experimental::scatter(paddle::experimental::Tensor const&, paddle::experimental::Tensor const&, paddle::experimental::Tensor const&, bool) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/api/lib/api.cc:22230:5
    #5 0x7f9c50dd352c in scatter_ad_func(paddle::experimental::Tensor const&, paddle::experimental::Tensor const&, paddle::experimental::Tensor const&, bool) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/eager/api/generated/eager_generated/forwards/dygraph_functions.cc:36287:21
    #6 0x7f9c4d1bb8c1 in paddle::pybind::eager_api_scatter(_object*, _object*, _object*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/pybind/eager_op_function.cc:16120:66
    #7 0x5025f3 in PyCFunction_Call (/usr/bin/python3.8+0x5025f3)
    #8 0x500db4 in _PyObject_MakeTpCall (/usr/bin/python3.8+0x500db4)
    #9 0x566223 in _PyEval_EvalFrameDefault (/usr/bin/python3.8+0x566223)
    #10 0x55f470 in _PyEval_EvalCodeWithName (/usr/bin/python3.8+0x55f470)
    #11 0x5016c5 in _PyFunction_Vectorcall (/usr/bin/python3.8+0x5016c5)
    #12 0x564f2d in _PyEval_EvalFrameDefault (/usr/bin/python3.8+0x564f2d)
    #13 0x55f470 in _PyEval_EvalCodeWithName (/usr/bin/python3.8+0x55f470)
    #14 0x55f102 in PyEval_EvalCode (/usr/bin/python3.8+0x55f102)
    #15 0x62a1ef  (/usr/bin/python3.8+0x62a1ef)
    #16 0x62a179  (/usr/bin/python3.8+0x62a179)
    #17 0x47a7f2  (/usr/bin/python3.8+0x47a7f2)
    #18 0x47a5cb in PyRun_SimpleFileExFlags (/usr/bin/python3.8+0x47a5cb)
    #19 0x4247dc in _init (/usr/bin/python3.8+0x4247dc)
    #20 0x5fb9b8 in Py_BytesMain (/usr/bin/python3.8+0x5fb9b8)
    #21 0x7f9d144e683f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x5fb8b8 in _start (/usr/bin/python3.8+0x5fb8b8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-S7Ft5T/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:148 
==37775==ABORTING

[Ligoml]

Case3: paddle.crop

Reproduced Case：

import paddle
x = paddle.to_tensor([1.1], dtype='float32')
paddle.crop(x, shape=[33554432], offsets=[-2147483647])

Stack Trace Message：

AddressSanitizer:DEADLYSIGNAL
=================================================================
==91236==ERROR: AddressSanitizer: SEGV on unknown address 0x7f055986e844 (pc 0x7f08170f47be bp 0x7ffdbb9732f0 sp 0x7ffdbb973020 T0)
==91236==The signal is caused by a READ memory access.
    #0 0x7f08170f47be in float vector[4] Eigen::internal::ploadu<float vector[4]>(Eigen::internal::unpacket_traits<float vector[4]>::type const*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/../../../Eigen/src/Core/arch/SSE/PacketMath.h:740:10
    #1 0x7f08170f47be in float vector[4] Eigen::internal::ploadt<float vector[4], 0>(Eigen::internal::unpacket_traits<float vector[4]>::type const*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/../../../Eigen/src/Core/GenericPacketMath.h:841:12
    #2 0x7f08170f47be in float vector[4] Eigen::internal::ploadt_ro<float vector[4], 0>(Eigen::internal::unpacket_traits<float vector[4]>::type const*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/../../../Eigen/src/Core/GenericPacketMath.h:863:10
    #3 0x7f08170f47be in float vector[4] Eigen::TensorEvaluator<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer> const, Eigen::DefaultDevice>::packet<0>(long) const /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorEvaluator.h:298:12
    #4 0x7f08170f47be in Eigen::internal::TensorBlockAssignment<float, 1, Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer>, long>::InnerDimAssign<true, Eigen::TensorEvaluator<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer> const, Eigen::DefaultDevice> >::Run(float*, long, Eigen::TensorEvaluator<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer> const, Eigen::DefaultDevice> const&, long) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorBlock.h:1418:36
    #5 0x7f08170f47be in Eigen::internal::TensorBlockAssignment<float, 1, Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer>, long>::Run(Eigen::internal::TensorBlockAssignment<float, 1, Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer>, long>::Target const&, Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long> const, 0, Eigen::MakePointer> const&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorBlock.h:1522:7
    #6 0x7f08170f47be in void Eigen::TensorEvaluator<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::DefaultDevice>::writeBlock<Eigen::internal::TensorMaterializedBlock<float, 1, 1, long> >(Eigen::internal::TensorBlockDescriptor<1, long> const&, Eigen::internal::TensorMaterializedBlock<float, 1, 1, long> const&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorEvaluator.h:174:5
    #7 0x7f08170f47be in Eigen::TensorEvaluator<Eigen::TensorAssignOp<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::TensorSlicingOp<Eigen::DSizes<long, 1> const, Eigen::DSizes<long, 1> const, Eigen::TensorMap<Eigen::Tensor<float const, 1, 1, long>, 0, Eigen::MakePointer> const> const> const, Eigen::DefaultDevice>::evalBlock(Eigen::internal::TensorBlockDescriptor<1, long>&, Eigen::internal::TensorBlockScratchAllocator<Eigen::DefaultDevice>&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorAssign.h:224:18
    #8 0x7f08170f47be in Eigen::internal::TensorExecutor<Eigen::TensorAssignOp<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::TensorSlicingOp<Eigen::DSizes<long, 1> const, Eigen::DSizes<long, 1> const, Eigen::TensorMap<Eigen::Tensor<float const, 1, 1, long>, 0, Eigen::MakePointer> const> const> const, Eigen::DefaultDevice, true, (Eigen::internal::TiledEvaluation)1>::run(Eigen::TensorAssignOp<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::TensorSlicingOp<Eigen::DSizes<long, 1> const, Eigen::DSizes<long, 1> const, Eigen::TensorMap<Eigen::Tensor<float const, 1, 1, long>, 0, Eigen::MakePointer> const> const> const&, Eigen::DefaultDevice const&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorExecutor.h:206:19
    #9 0x7f0816c8bae6 in Eigen::TensorDevice<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::DefaultDevice>& Eigen::TensorDevice<Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::DefaultDevice>::operator=<Eigen::TensorSlicingOp<Eigen::DSizes<long, 1> const, Eigen::DSizes<long, 1> const, Eigen::TensorMap<Eigen::Tensor<float const, 1, 1, long>, 0, Eigen::MakePointer> const> >(Eigen::TensorSlicingOp<Eigen::DSizes<long, 1> const, Eigen::DSizes<long, 1> const, Eigen::TensorMap<Eigen::Tensor<float const, 1, 1, long>, 0, Eigen::MakePointer> const> const&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/src/Tensor/TensorDevice.h:37:7
    #10 0x7f0816c8bae6 in phi::funcs::EigenSlice<Eigen::DefaultDevice, float, 1>::Eval(Eigen::DefaultDevice const&, Eigen::TensorMap<Eigen::Tensor<float, 1, 1, long>, 0, Eigen::MakePointer>, Eigen::TensorMap<Eigen::Tensor<float const, 1, 1, long>, 0, Eigen::MakePointer> const&, Eigen::DSizes<long, 1> const&, Eigen::DSizes<long, 1> const&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/funcs/eigen/slice.cc:42:21
    #11 0x7f081f472425 in void phi::CropTensorFunction<phi::CPUContext, float, 1ul>(phi::CPUContext const&, phi::DenseTensor const&, paddle::experimental::IntArrayBase<phi::DenseTensor> const&, paddle::experimental::IntArrayBase<phi::DenseTensor> const&, phi::DenseTensor*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/impl/crop_kernel_impl.h:125:3
    #12 0x7f081f46fd53 in void phi::CropKernel<float, phi::CPUContext>(phi::CPUContext const&, phi::DenseTensor const&, paddle::experimental::IntArrayBase<phi::DenseTensor> const&, paddle::experimental::IntArrayBase<phi::DenseTensor> const&, phi::DenseTensor*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/kernels/impl/crop_kernel_impl.h:154:7
    #13 0x7f08199ef831 in paddle::experimental::crop(paddle::experimental::Tensor const&, paddle::experimental::IntArrayBase<paddle::experimental::Tensor> const&, paddle::experimental::IntArrayBase<paddle::experimental::Tensor> const&) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/api/lib/api.cc:9858:5
    #14 0x7f080d6db4fa in crop_ad_func(paddle::experimental::Tensor const&, paddle::experimental::IntArrayBase<paddle::experimental::Tensor>, paddle::experimental::IntArrayBase<paddle::experimental::Tensor>) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/eager/api/generated/eager_generated/forwards/dygraph_functions.cc:17115:21
    #15 0x7f0809cf8f37 in paddle::pybind::eager_api_crop(_object*, _object*, _object*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/pybind/eager_op_function.cc:7193:53
    #16 0x5025f3 in PyCFunction_Call (/usr/bin/python3.8+0x5025f3)
    #17 0x500db4 in _PyObject_MakeTpCall (/usr/bin/python3.8+0x500db4)
    #18 0x566223 in _PyEval_EvalFrameDefault (/usr/bin/python3.8+0x566223)
    #19 0x55f470 in _PyEval_EvalCodeWithName (/usr/bin/python3.8+0x55f470)
    #20 0x5016c5 in _PyFunction_Vectorcall (/usr/bin/python3.8+0x5016c5)
    #21 0x5610ed in _PyEval_EvalFrameDefault (/usr/bin/python3.8+0x5610ed)
    #22 0x55f470 in _PyEval_EvalCodeWithName (/usr/bin/python3.8+0x55f470)
    #23 0x55f102 in PyEval_EvalCode (/usr/bin/python3.8+0x55f102)
    #24 0x62a1ef  (/usr/bin/python3.8+0x62a1ef)
    #25 0x62a179  (/usr/bin/python3.8+0x62a179)
    #26 0x47a7f2  (/usr/bin/python3.8+0x47a7f2)
    #27 0x47a5cb in PyRun_SimpleFileExFlags (/usr/bin/python3.8+0x47a5cb)
    #28 0x4247dc in _init (/usr/bin/python3.8+0x4247dc)
    #29 0x5fb9b8 in Py_BytesMain (/usr/bin/python3.8+0x5fb9b8)
    #30 0x7f08d11e883f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #31 0x5fb8b8 in _start (/usr/bin/python3.8+0x5fb8b8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/build/third_party/eigen3/src/extern_eigen3/unsupported/Eigen/CXX11/../../../Eigen/src/Core/arch/SSE/PacketMath.h:740:10 in float vector[4] Eigen::internal::ploadu<float vector[4]>(Eigen::internal::unpacket_traits<float vector[4]>::type const*)
==91236==ABORTING

[Ligoml]

Case4: paddle.unbind

Reproduced Case：

import paddle
import numpy as np
array = np.array([], dtype=np.float32)
x = paddle.to_tensor(np.reshape(array, [0]), dtype='float32')
paddle.unbind(x, axis=-520093696)

Stack Trace Message：

AddressSanitizer:DEADLYSIGNAL
=================================================================
==114245==ERROR: AddressSanitizer: SEGV on unknown address 0x610f080e71f0 (pc 0x7f2e3087ec83 bp 0x7ffc1abe7e90 sp 0x7ffc1abe79a0 T0)
==114245==The signal is caused by a READ memory access.
    #0 0x7f2e3087ec83 in paddle::experimental::unbind(paddle::experimental::Tensor const&, int) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/api/lib/api.cc:25379:37
    #1 0x7f2e24815f88 in unbind_ad_func(paddle::experimental::Tensor const&, int) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/eager/api/generated/eager_generated/forwards/dygraph_functions.cc:41478:21
    #2 0x7f2e20b6ffc7 in paddle::pybind::eager_api_unbind(_object*, _object*, _object*) /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/fluid/pybind/eager_op_function.cc:18392:50
    #3 0x5025f3 in PyCFunction_Call (/usr/bin/python3.8+0x5025f3)
    #4 0x500db4 in _PyObject_MakeTpCall (/usr/bin/python3.8+0x500db4)
    #5 0x566223 in _PyEval_EvalFrameDefault (/usr/bin/python3.8+0x566223)
    #6 0x55fa97 in _PyEval_EvalCodeWithName (/usr/bin/python3.8+0x55fa97)
    #7 0x5016c5 in _PyFunction_Vectorcall (/usr/bin/python3.8+0x5016c5)
    #8 0x5610ed in _PyEval_EvalFrameDefault (/usr/bin/python3.8+0x5610ed)
    #9 0x55f470 in _PyEval_EvalCodeWithName (/usr/bin/python3.8+0x55f470)
    #10 0x55f102 in PyEval_EvalCode (/usr/bin/python3.8+0x55f102)
    #11 0x62a1ef  (/usr/bin/python3.8+0x62a1ef)
    #12 0x62a179  (/usr/bin/python3.8+0x62a179)
    #13 0x47a7f2  (/usr/bin/python3.8+0x47a7f2)
    #14 0x47a5cb in PyRun_SimpleFileExFlags (/usr/bin/python3.8+0x47a5cb)
    #15 0x4247dc in _init (/usr/bin/python3.8+0x4247dc)
    #16 0x5fb9b8 in Py_BytesMain (/usr/bin/python3.8+0x5fb9b8)
    #17 0x7f2ee7e2683f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
    #18 0x5fb8b8 in _start (/usr/bin/python3.8+0x5fb8b8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/work/wangying/paddlepaddle/pdpd_source_code_new/pdpd_1109/Paddle/paddle/phi/api/lib/api.cc:25379:37 in paddle::experimental::unbind(paddle::experimental::Tensor const&, int)
==114245==ABORTING