Re: [bug] vim-7.4.2305 crashes in bufIsChanged with NULL buf pointer

Dominique Pellé wrote:

> I see that patch 7.4.2309 fixed it. Thanks.
>
> However, I see another case found by afl-fuzz
> that still crashes in Vim-7.4.2311 with a
> similar stack:
>
> $ cat crash2.vim
> tabedit
> autocmd BufUnload tabnext
> f x
> e y

Thanks. It's hard to think of all corner cases that should be handled.

-- 
hundred-and-one symptoms of being an internet addict:
144. You eagerly await the update of the "Cool Site of the Day."

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [bug] vim-7.4.2305 crashes in bufIsChanged with NULL buf pointer

Bram Moolenaar wrote:

> Dominique Pellé wrote:
>
>> The attached script causes vim-7.4.2305 to crash:
>>
>> $ cat crash.vim
>> new
>> tabedit
>> tabfirst
>> au BufUnload tabnext
>> q
>>
>> $ vim -u NONE -S crash.vim
>> Vim: Caught deadly signal SEGV
>> Vim: Finished.
>> Segmentation fault (core dumped)
>>
>> 3518│ int
>> 3519│ bufIsChanged(buf_T *buf)
>> 3520│ {
>> 3521│     return
>> 3522│ #ifdef FEAT_QUICKFIX
>> 3523│         !bt_dontwrite(buf) &&
>> 3524│ #endif
>> 3525├>        (buf->b_changed || file_ff_differs(buf, TRUE));
>> 3526│ }
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> (gdb) bt
>> #0  0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> #1  0x0058cd9b in draw_tabline () at screen.c:10407
>> #2  0x00579548 in update_screen (type=40) at screen.c:638
>> #3  0x006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
>> #4  0x006410b7 in vim_main2 () at main.c:877
>> #5  0x006407ed in main (argc=5, argv=0x7fffd7d8) at main.c:415
>>
>> (gdb) p buf
>> $1 = (buf_T *) 0x0
>>
>> It's a regression since vim-7.4.712 that comes with Ubuntu-15.10
>> does not crash. git bisect found that the bug was introduced in:
>>
>> ==
>> e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
>> commit e59215c7dcae17b03daf39517560cfaa03314f5a
>> Author: Bram Moolenaar
>> Date:   Sun Aug 14 19:08:45 2016 +0200
>>
>>     patch 7.4.2212
>>     Problem:    Mark " is not set when closing a window in another tab.
>>                 (Guraga)
>>     Solution:   Check all tabs for the window to be valid. (based on patch by
>>                 Hirohito Higashi, closes #974)
>> ==
>>
>> Crash was found by fuzzing with American fuzzy lop.
>
> Easy to reproduce, thanks.

I see that patch 7.4.2309 fixed it. Thanks.

However, I see another case found by afl-fuzz
that still crashes in Vim-7.4.2311 with a
similar stack:

$ cat crash2.vim
tabedit
autocmd BufUnload tabnext
f x
e y

$ valgrind vim -u NONE -S crash2.vim
valgrind ./vim -u NONE -S crash2.vim 2> log
==7359== Memcheck, a memory error detector
==7359== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7359== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==7359== Command: vim -u NONE -S crash2.vim
==7359==
==7359== Invalid read of size 4
==7359==    at 0x5E3D53: bufIsChanged (undo.c:3525)
==7359==    by 0x582ECD: draw_tabline (screen.c:10407)
==7359==    by 0x56F8A0: update_screen (screen.c:638)
==7359==    by 0x624247: main_loop (main.c:1211)
==7359==    by 0x623C45: vim_main2 (main.c:877)
==7359==    by 0x62338A: main (main.c:415)
==7359==  Address 0xc8 is not stack'd, malloc'd or (recently) free'd
==7359==
==7359==
==7359== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==7359==    at 0x7E27F07: kill (syscall-template.S:81)
==7359==    by 0x5376C1: may_core_dump (os_unix.c:3346)
==7359==    by 0x537660: mch_exit (os_unix.c:3312)
==7359==    by 0x6247F8: getout (main.c:1495)
==7359==    by 0x4EF04D: preserve_exit (misc1.c:9494)
==7359==    by 0x535485: deathtrap (os_unix.c:1164)
==7359==    by 0x7E27CAF: ??? (in /lib/x86_64-linux-gnu/libc-2.19.so)
==7359==    by 0x5E3D52: bufIsChanged (undo.c:3525)
==7359==    by 0x582ECD: draw_tabline (screen.c:10407)
==7359==    by 0x56F8A0: update_screen (screen.c:638)
==7359==    by 0x624247: main_loop (main.c:1211)
==7359==    by 0x623C45: vim_main2 (main.c:877)

Regards
Dominique
Re: [bug] vim-7.4.2305 crashes in bufIsChanged with NULL buf pointer

Dominique Pellé wrote:

> The attached script causes vim-7.4.2305 to crash:
>
> $ cat crash.vim
> new
> tabedit
> tabfirst
> au BufUnload tabnext
> q
>
> $ vim -u NONE -S crash.vim
> Vim: Caught deadly signal SEGV
> Vim: Finished.
> Segmentation fault (core dumped)
>
> 3518│ int
> 3519│ bufIsChanged(buf_T *buf)
> 3520│ {
> 3521│     return
> 3522│ #ifdef FEAT_QUICKFIX
> 3523│         !bt_dontwrite(buf) &&
> 3524│ #endif
> 3525├>        (buf->b_changed || file_ff_differs(buf, TRUE));
> 3526│ }
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
> (gdb) bt
> #0  0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
> #1  0x0058cd9b in draw_tabline () at screen.c:10407
> #2  0x00579548 in update_screen (type=40) at screen.c:638
> #3  0x006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
> #4  0x006410b7 in vim_main2 () at main.c:877
> #5  0x006407ed in main (argc=5, argv=0x7fffd7d8) at main.c:415
>
> (gdb) p buf
> $1 = (buf_T *) 0x0
>
> It's a regression since vim-7.4.712 that comes with Ubuntu-15.10
> does not crash. git bisect found that the bug was introduced in:
>
> ==
> e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
> commit e59215c7dcae17b03daf39517560cfaa03314f5a
> Author: Bram Moolenaar
> Date:   Sun Aug 14 19:08:45 2016 +0200
>
>     patch 7.4.2212
>     Problem:    Mark " is not set when closing a window in another tab.
>                 (Guraga)
>     Solution:   Check all tabs for the window to be valid. (based on patch by
>                 Hirohito Higashi, closes #974)
> ==
>
> Crash was found by fuzzing with American fuzzy lop.

Easy to reproduce, thanks.

-- 
hundred-and-one symptoms of being an internet addict:
135. You cut classes or miss work so you can stay home and browse the web.
[bug] vim-7.4.2305 crashes in bufIsChanged with NULL buf pointer

Hi

The attached script causes vim-7.4.2305 to crash:

$ cat crash.vim
new
tabedit
tabfirst
au BufUnload tabnext
q

$ vim -u NONE -S crash.vim
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)

3518│ int
3519│ bufIsChanged(buf_T *buf)
3520│ {
3521│     return
3522│ #ifdef FEAT_QUICKFIX
3523│         !bt_dontwrite(buf) &&
3524│ #endif
3525├>        (buf->b_changed || file_ff_differs(buf, TRUE));
3526│ }

Program received signal SIGSEGV, Segmentation fault.
0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
(gdb) bt
#0  0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
#1  0x0058cd9b in draw_tabline () at screen.c:10407
#2  0x00579548 in update_screen (type=40) at screen.c:638
#3  0x006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
#4  0x006410b7 in vim_main2 () at main.c:877
#5  0x006407ed in main (argc=5, argv=0x7fffd7d8) at main.c:415

(gdb) p buf
$1 = (buf_T *) 0x0

It's a regression since vim-7.4.712 that comes with Ubuntu-15.10
does not crash. git bisect found that the bug was introduced in:

==
e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
commit e59215c7dcae17b03daf39517560cfaa03314f5a
Author: Bram Moolenaar
Date:   Sun Aug 14 19:08:45 2016 +0200

    patch 7.4.2212
    Problem:    Mark " is not set when closing a window in another tab.
                (Guraga)
    Solution:   Check all tabs for the window to be valid. (based on patch by
                Hirohito Higashi, closes #974)
==

Crash was found by fuzzing with American fuzzy lop.

Regards
Dominique

crash.vim (attachment: binary data)
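The reports in this thread all show the same shape: a BufUnload autocommand changes tabs while Vim is tearing down a window, and the tabline redraw then hands a NULL buf_T pointer to bufIsChanged(), which dereferences it unconditionally. The following C program is an added illustration of that defect class, not Vim's code and not the patch that fixed the report (the thread does not include the fix itself). It uses constructed stand-in structures (buf_model_t, win_model_t) and a window list in which one window has already lost its buffer; the unguarded check mirrors the undo.c snippet quoted above, and the guarded variant treats a missing buffer as "not changed" so the render path survives the state the autocommand leaves behind. All names in the block are invented for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for Vim's buf_T and win_T, constructed for this
 * example; they are not Vim's real structures. */
typedef struct {
    int b_changed;           /* 1 if the buffer has unsaved changes */
} buf_model_t;

typedef struct {
    buf_model_t *w_buffer;   /* may be NULL while a buffer is being unloaded */
} win_model_t;

/* Unguarded check in the shape of the undo.c snippet quoted in the report:
 * it reads through buf unconditionally, so buf == NULL is an invalid read
 * (valgrind reports it at offset 0xc8 in the thread, here it would be 0x0). */
int buf_is_changed_unguarded(const buf_model_t *buf)
{
    return buf->b_changed;
}

/* Guarded variant: a window without a buffer has nothing that can be
 * "changed", so report 0 instead of dereferencing a NULL pointer. */
int buf_is_changed_guarded(const buf_model_t *buf)
{
    return buf != NULL && buf->b_changed;
}

/* Models the draw_tabline() idea of walking windows and asking each one
 * whether its buffer is modified. Returns how many windows are reported
 * as changed; windows that lost their buffer are counted as unchanged. */
int count_changed_windows(const win_model_t *wins, size_t n)
{
    int changed = 0;
    for (size_t i = 0; i < n; i++)
        changed += buf_is_changed_guarded(wins[i].w_buffer);
    return changed;
}

/* Counts windows whose buffer pointer is NULL. This is the state a
 * BufUnload autocommand that switches tabs can leave behind, so rendering
 * code has to treat it as expected input rather than an invariant. */
int count_windows_without_buffer(const win_model_t *wins, size_t n)
{
    int missing = 0;
    for (size_t i = 0; i < n; i++)
        missing += (wins[i].w_buffer == NULL);
    return missing;
}

int main(void)
{
    /* Constructed window list: one modified buffer, one clean buffer, and
     * one window whose buffer is already gone, as in the fuzzer-found case. */
    buf_model_t modified = { 1 };
    buf_model_t clean = { 0 };
    win_model_t wins[] = {
        { &modified },
        { &clean },
        { NULL },
    };
    size_t n = sizeof wins / sizeof wins[0];

    printf("changed windows: %d\n", count_changed_windows(wins, n));
    printf("windows without buffer: %d\n", count_windows_without_buffer(wins, n));
    /* buf_is_changed_unguarded(NULL) would segfault here, like the report. */
    printf("unguarded on a live buffer: %d\n", buf_is_changed_unguarded(&modified));
    return 0;
}
```

The interesting property for triage is that the NULL pointer is a legitimate intermediate state created by user-controlled autocommands, not memory corruption: the fix belongs in the consumer (the redraw path must tolerate a window without a buffer), and a fuzzer such as afl-fuzz finds these because it mutates the script driving the autocommand, not the binary.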