heap-buffer-overflow occurs on the conv2d of the backend wasm #7605

@liliquan0118

Please make sure that this is a bug. As per our
GitHub Policy,
we only address code/doc bugs, performance issues, feature requests and
build/installation issues on GitHub. tag:bug_template

System information

  • Have I written custom code (as opposed to using a stock example script provided in TensorFlow.js):
  • OS Platform and Distribution (e.g., Linux Ubuntu 16.04): Linux Ubuntu 20.04
  • Mobile device (e.g. iPhone 8, Pixel 2, Samsung Galaxy) if the issue happens on mobile device:
  • TensorFlow.js installed from (npm or script link): compile from source
  • TensorFlow.js version (use command below): tfjs-4.4.0
  • Browser version: Chrome 112.0.5615.121 (Official Build) (64-bit)
  • Tensorflow.js Converter Version:

Describe the current behavior

When running tf.conv2d on the wasm backend with the following input:

{
"input_tensor": a tensor with shape [5,7,10,5],
"filter": a tensor with shape [11,6,5,1],
"strides":[1,1],
"pad":83,
"dataFormat":"NHWC",
"dilations":[10,7],
"dimRoundingMode":null
}

a heap buffer overflow error occurred, and the error message provided by AddressSanitizer is as follows:
[image: AddressSanitizer error message]
The error is triggered in the function xnn_f32_igemm_ukernel_2x4__scalar+0 (in xnnpack/src/f32-igemm/gen/2x4-scalar.c).

Through debugging, we found that for the above input, the info of the output tensor is

{
"memoryOffset":0x1450080,
"size":27740
}

and the data type is float32. Therefore, the maximum accessible memory address for the output tensor is 0x1450080 + 27740 * 4 = 0x1451b970. Therefore, the accessible memory range for the output tensor is [0x1450080, 0x1451b970).

However, in the function xnn_f32_igemm_ukernel_2x4__scalar+0, the address 0x1451b974 was accessed, which is beyond the valid range of the output tensor.

Describe the expected behavior
The program gives a normal numerical result and does not encounter any overflow errors.

Standalone code to reproduce the issue
Provide a reproducible test case that is the bare minimum necessary to generate
the problem. If possible, please share a link to Colab/CodePen/any notebook.

reproduce_code.zip

Other info / logs Include any logs or source code that would be helpful to
diagnose the problem. If including tracebacks, please include the full
traceback. Large logs and files should be attached.
