#126 OSDI array parameters lead to segmentation fault
I am an engineer at Quantum Motion, and I was testing the OSDI interface and its implementation in ngspice. While doing so, I seem to have bumped into a memory corruption bug in how the simulator parses and handles array parameters provided to a model.
Tested against the current stable release (45+) and the pre-master-46 branch compiled from source, the simulator fails with a segmentation fault any time a .model line tries to specify the value of an array parameter.
I have done some digging through the codebase, and I have pinpointed the issue to a double cause:
* during parsing in /src/spicelib/parser/inpgmod.c, the syntax for an OSDI model int he case of array parameters (param_name=[...]) was not handled correctly, causing a null-pointer dereference;
* when accessing model parameters in /src/osdi/osdiparam.c, the pointer to the data provided by the model was dereferenced incorrectly;
I have put together a small patch that fixed the issues, as well as a MWE with an OSDI model (implemented directly in C) and relative netlists to test the fix. The tests cause a segmentation fault in ngspice on the current version, while they run correctly after applying the patch.
Please let me know if I can help in any way! :)
As a PS, OSDI technically supports string-array params. However, to the best of my understanding, there is currently no spice syntax for string arrays in SPICE (e.g. [ "A" "B" ]), so I have explicitly left them out of the test.
Thanks for the patch!
I will have a look.
I have uploaded the patch to branch pre-master-46.
Thanks to your excellent preparation of the test bench, I have been able to verify your patch quickly in my MINGW/VisualStudio environment.
Your model is a nice template for using the OSDI interface outside of OpenVAF. Up to now I have never thought of creating C-coded models for this interface.
May I use the model for some "advertising" of this concept?
Thanks! Glad that the test model was helpful! :)
And please do! I took some inspiration from the semimod OSDI manual where they show a (relatively outdated) potential C transpilation of a diode. Because I was trying to understand whether the issue was in ngspice or in OpenVAF, I found it particularly useful to bypass the VA compiltion and implement a test in C directly.