octave-3.0.3 crashes while executing 'expfit' ("free(): invalid pointer")
John W. Eaton
jwe at octave.org
Wed Dec 24 20:08:26 CST 2008
On 24-Dec-2008, Sergei Steshenko wrote:
| A probably better guess would be that it's some kind of integer index overflow.
|
| I.e. the index is integer and not unsigned, and when it crosses the 2G
| limit it becomes negative.

Octave's Array class contains code to prevent allocations that can't
be indexed. What happens on your system if you try

  ones (1, 1024*1024*256);

(i.e., 2GB of memory)? I see

  octave:1> ones (1, 1024*1024*256);
  error: memory exhausted or requested size too large for range of Octave's index type -- trying to return to prompt

even on my 64-bit system since I'm not compiling with --enable-64, and
so octave_idx_type is a 32-bit signed integer.

However, it is possible that some allocation of a temporary workspace
variable in some linear algebra function does not check, and is
allocating something that is too large to index. But I don't see how
that could happen, since I think all of those quantities should be at
least 32 bits wide. So attempting to allocate more than 2^31 elements
would fail as the block to be allocated would be greater than 2GB.

| My wild guess there is 'new'/'malloc' somewhere which doesn't check pointer
| for NULL; on a 64 bits system memory allocation error is less likely than
| on a 32 bits system.

With very few exceptions, all allocation in Octave should use new, not
malloc. So checking for new returning 0 is not necessary since
operator new will throw an exception if the allocation fails.
jwe
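
The two points in the message above (an element count that must fit a 32-bit signed index, and operator new throwing instead of returning 0) can be seen together in the following added example, which is not Octave's code and not part of the original message. The names idx_type, checked_numel, wrapped_numel and alloc_doubles are hypothetical, the dimensions are constructed, and only the element count is checked, not the byte size.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>
#include <vector>

// Assumption: stand-in for a 32-bit signed index type (not Octave's code).
using idx_type = std::int32_t;

enum class alloc_status { ok, too_large_for_index, out_of_memory };

// Product of the dimensions, rejected if it cannot be held in idx_type.
bool checked_numel(const std::vector<idx_type>& dims, idx_type& out) {
    const idx_type max = std::numeric_limits<idx_type>::max();
    idx_type n = 1;
    for (idx_type d : dims) {
        if (d < 0) return false;
        if (d != 0 && n > max / d) return false;  // n * d would overflow
        n *= d;
    }
    out = n;
    return true;
}

// What an unchecked 32-bit product yields: the value wraps modulo 2^32.
idx_type wrapped_numel(const std::vector<idx_type>& dims) {
    std::uint32_t n = 1;
    for (idx_type d : dims) n *= static_cast<std::uint32_t>(d);
    return static_cast<idx_type>(n);
}

// Allocate only after the count check; operator new reports failure by
// throwing std::bad_alloc, so there is no null pointer to test.
alloc_status alloc_doubles(const std::vector<idx_type>& dims, double*& p) {
    p = nullptr;
    idx_type n = 0;
    if (!checked_numel(dims, n)) return alloc_status::too_large_for_index;
    try {
        p = new double[static_cast<std::size_t>(n)];
    } catch (const std::bad_alloc&) {
        return alloc_status::out_of_memory;
    }
    return alloc_status::ok;
}

int main() {
    std::printf("%d\n", wrapped_numel({65536, 32768}));  // constructed dims
    return 0;
}
```

The caller owns the returned buffer and releases it with delete[].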