fix x86 crash

[frank-dong-ms-zz]

fixes #1216.

TreeEnsembleCombiner has a bug that causing byte array out of range and corrupts heap

[codecov]

Codecov Report

Merging #5081 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #5081   +/-   ##
=======================================
  Coverage   75.66%   75.66%           
=======================================
  Files         993      993           
  Lines      178157   178157           
  Branches    19125    19125           
=======================================
+ Hits       134800   134805    +5     
+ Misses      38136    38134    -2     
+ Partials     5221     5218    -3     

Flag	Coverage Δ
#Debug	75.66% <100.00%> (+<0.01%)	⬆️
#production	71.64% <100.00%> (+<0.01%)	⬆️
#test	88.67% <ø> (ø)

Impacted Files	Coverage Δ
...est/Microsoft.ML.Predictor.Tests/TestPredictors.cs	70.07% <ø> (ø)
...t.ML.FastTree/TreeEnsemble/TreeEnsembleCombiner.cs	83.09% <100.00%> (ø)
...icrosoft.ML.AutoML/Experiment/SuggestedPipeline.cs	88.65% <0.00%> (-4.13%)	⬇️
....ML.AutoML/PipelineSuggesters/PipelineSuggester.cs	86.55% <0.00%> (-0.85%)	⬇️
...soft.ML.Data/DataLoadSave/Text/TextLoaderCursor.cs	88.93% <0.00%> (-0.21%)	⬇️
...soft.ML.Transforms/Text/WordEmbeddingsExtractor.cs	87.52% <0.00%> (ø)
src/Microsoft.ML.Sweeper/AsyncSweeper.cs	73.97% <0.00%> (+1.36%)	⬆️
...rosoft.ML.AutoML/ColumnInference/TextFileSample.cs	65.56% <0.00%> (+5.96%)	⬆️

[mstfbl]

Clean fix!

[harishsk]

Interesting. Can you please explain this issue a bit more? Why does this happen in x64 but not in x86? This is managed memory. Why is it corrupting the unamanaged heap?

[frank-dong-ms-zz]

Yes, this is index out of range issue that corrupts memory but this one is index was out of range in former (start to use byte array from index -1)...
This memory corrupted (byte array) is allocated in managed but used as unmanaged (from fixed section in C# and pointer) like below:
https://github.com/dotnet/machinelearning/blob/master/src/Microsoft.ML.FastTree/TreeEnsemble/InternalRegressionTree.cs#L101
https://github.com/dotnet/machinelearning/blob/master/src/Microsoft.ML.FastTree/Utils/ToByteArrayExtensions.cs#L113
when position is -1, the pointer ((int*)(pBuffer + position)) is accessing memory it should not.

I'm still not sure why this issue not repro in x64. In theory this can also corrupt x64 memory.

---

In reply to: 419011127 [](ancestors = 419011127)

[sharwell]

SZArrays on x64 have a 4-byte padding between the length and the start of the data.

https://github.com/dotnet/runtime/blob/200b197559fc49f91b8db3f20fd6df6b5660d7bf/src/coreclr/src/System.Private.CoreLib/src/System/Runtime/CompilerServices/RuntimeHelpers.CoreCLR.cs#L306-L321

[sharwell]

I suspected this was the issue from reading above, but special thanks to @stephentoub for finding the actual code that proves it 👍

[harishsk]

@eerhardt also confirmed this in email.
@sharwell, @stephentoub and @eerhardt Thanks for shedding more light on the issue.