heap-buffer-overflow in MPQualityEnhancerFilter::filterCousins()

[dan131riley]

Found in ASAN, possibly here:

cmssw/L1Trigger/DTTriggerPhase2/src/MPQualityEnhancerFilter.cc

Line 123 in 0f7bef7

if (areCousins(inMPaths[i], inMPaths[i + 1]) != 0) {

Truncated ASAN report:

==29332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0008ed400 at pc 0x2b0dc1120f09 bp 0x7ffcb07fc3b0 sp 0x7ffcb07fc3a8
READ of size 184 at 0x61e0008ed400 thread T0
    #0 0x2b0dc1120f08 in MPQualityEnhancerFilter::filterCousins(std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0x95f08)
    #1 0x2b0dc1121229 in MPQualityEnhancerFilter::run(edm::Event&, edm::EventSetup const&, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0x96229)
    #2 0x2b0dbf81468b in DTTrigPhase2Prod::produce(edm::Event&, edm::EventSetup const&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/pluginL1TriggerDTTrigPhase2Plugins.so+0x5768b)

0x61e0008ed400 is located 0 bytes to the right of 2944-byte region [0x61e0008ec880,0x61e0008ed400)
allocated by thread T0 here:
    #0 0x2b0d68e5c607 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x2b0dc11475a3 in void std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >::_M_realloc_insert<cmsdt::metaPrimitive>(__gnu_cxx::__normal_iterator<cmsdt::metaPrimitive*, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> > >, cmsdt::metaPrimitive&&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0xbc5a3)
    #2 0x2b0dc113de9d in MuonPathAnalyticAnalyzer::segment_fitter(DTSuperLayerId, int*, int*, int*, int*, int*, LATCOMB_CONSTANTS, int*, int, int, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0xb2e9d)
    #3 0x2b0dc1140d35 in MuonPathAnalyticAnalyzer::analyze(std::shared_ptr<MuonPath>&, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0xb5d35)
    #4 0x2b0dc11436fa in MuonPathAnalyticAnalyzer::run(edm::Event&, edm::EventSetup const&, std::vector<std::shared_ptr<MuonPath>, std::allocator<std::shared_ptr<MuonPath> > >&, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0xb86fa)
    #5 0x2b0dbf81314b in DTTrigPhase2Prod::produce(edm::Event&, edm::EventSetup const&) (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/pluginL1TriggerDTTrigPhase2Plugins.so+0x5614b)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/cvmfs/cms-ib.cern.ch/nweek-02749/el8_amd64_gcc10/cms/cmssw/CMSSW_12_6_ASAN_X_2022-09-07-1100/lib/el8_amd64_gcc10/libL1TriggerDTTriggerPhase2.so+0x95f08) in MPQualityEnhancerFilter::filterCousins(std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&, std::vector<cmsdt::metaPrimitive, std::allocator<cmsdt::metaPrimitive> >&)
Shadow bytes around the buggy address:
  0x0c3c80115a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c80115a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c80115a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c80115a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c80115a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c80115a80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80115a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80115aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80115ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80115ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80115ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29332==ABORTING

[cmsbuild]

A new Issue was created by @dan131riley Dan Riley.

@Dr15Jones, @perrotta, @dpiparo, @rappoccio, @makortel, @smuzaffar can you please review it and eventually sign/assign? Thanks.

cms-bot commands are listed here

[makortel]

assign l1

[cmsbuild]

New categories assigned: l1

@epalencia,@rekovic,@cecilecaillol you have been requested to review this Pull request/Issue and eventually sign? Thanks

[dan131riley]

Sample logs:

https://cmssdt.cern.ch/SDT/cgi-bin/logreader/el8_amd64_gcc10/CMSSW_12_6_ASAN_X_2022-09-07-1100/pyRelValMatrixLogs/run/38234.0_TTbar_14TeV+2026D85+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14+DigiTrigger+RecoGlobal+HARVESTGlobal/step2_TTbar_14TeV+2026D85+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14+DigiTrigger+RecoGlobal+HARVESTGlobal.log#/
https://cmssdt.cern.ch/SDT/cgi-bin/logreader/el8_amd64_gcc10/CMSSW_12_6_ASAN_X_2022-09-07-1100/pyRelValMatrixLogs/run/39434.75_TTbar_14TeV+2026D88_HLT75e33+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14INPUT+DigiTrigger+RecoGlobal+HLT75e33+HARVESTGlobal/step2_TTbar_14TeV+2026D88_HLT75e33+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14INPUT+DigiTrigger+RecoGlobal+HLT75e33+HARVESTGlobal.log#/
https://cmssdt.cern.ch/SDT/cgi-bin/logreader/el8_amd64_gcc10/CMSSW_12_6_ASAN_X_2022-09-07-1100/pyRelValMatrixLogs/run/39434.911_TTbar_14TeV+2026D88_DD4hep+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14+DigiTrigger+RecoGlobal+HARVESTGlobal/step2_TTbar_14TeV+2026D88_DD4hep+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14+DigiTrigger+RecoGlobal+HARVESTGlobal.log#/
https://cmssdt.cern.ch/SDT/cgi-bin/logreader/el8_amd64_gcc10/CMSSW_12_6_ASAN_X_2022-09-07-1100/pyRelValMatrixLogs/run/39634.999_TTbar_14TeV+2026D88PU_PMXS1S2PR+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14INPUT+PREMIX_PremixHLBeamSpot14PU+DigiTriggerPU+RecoGlobalPU+HARVESTGlobalPU/step3_TTbar_14TeV+2026D88PU_PMXS1S2PR+TTbar_14TeV_TuneCP5_GenSimHLBeamSpot14INPUT+PREMIX_PremixHLBeamSpot14PU+DigiTriggerPU+RecoGlobalPU+HARVESTGlobalPU.log#/

[perrotta]

urgent
(if @cms-sw/l1-l2 wants to have a decent Phase2 trigger in 12_5_X...)

[cecilecaillol]

@jaimeleonh Can you please have a look?

[cecilecaillol]

Fixed in #39411

[cecilecaillol]

+l1

[cmsbuild]

This issue is fully signed and ready to be closed.

[rappoccio]

Fixed last month, can close.