Re: [bug] vim-7.4.2305 crashes in bugIsChanged with NULL buf pointer
Dominique Pellé wrote: > I see that patch 7.4.2309 fixed it. Thanks. > > However, I see another case found by afl-fuzz > that still crashes in Vim-7.4.2311 with a > similar stack: > > $ cat crash2.vim > tabedit > autocmd BufUnload tabnext > f x > e y Thanks. It's hard to think of all corner cases that should be handled. -- hundred-and-one symptoms of being an internet addict: 144. You eagerly await the update of the "Cool Site of the Day." /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net \\\ ///sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org/// \\\help me help AIDS victims -- http://ICCF-Holland.org/// -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [bug] vim-7.4.2305 crashes in bugIsChanged with NULL buf pointer
Bram Moolenaar wrote:
> Dominique Pellé wrote:
>
>> The attached script causes vim-7.4.2305 to crash:
>>
>> $ cat crash.vim
>> new
>> tabedit
>> tabfirst
>> au BufUnload tabnext
>> q
>>
>> $ vim -u NONE -S crash.vim
>> Vim: Caught deadly signal SEGV
>> Vim: Finished.
>> Segmentation fault (core dumped)
>>
>> 3518│ int
>> 3519│ bufIsChanged(buf_T *buf)
>> 3520│ {
>> 3521│ return
>> 3522│ #ifdef FEAT_QUICKFIX
>> 3523│ !bt_dontwrite(buf) &&
>> 3524│ #endif
>> 3525├>(buf->b_changed || file_ff_differs(buf, TRUE));
>> 3526│ }
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> (gdb) bt
>> #0 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> #1 0x0058cd9b in draw_tabline () at screen.c:10407
>> #2 0x00579548 in update_screen (type=40) at screen.c:638
>> #3 0x006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
>> #4 0x006410b7 in vim_main2 () at main.c:877
>> #5 0x006407ed in main (argc=5, argv=0x7fffd7d8) at main.c:415
>>
>> (gdb) p buf
>> $1 = (buf_T *) 0x0
>>
>> It's a regression since vim-7.4.712 that comes with Ubuntu-15.10
>> does not crash. git bisect found that the bug was introduced in:
>>
>> ==
>> e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
>> commit e59215c7dcae17b03daf39517560cfaa03314f5a
>> Author: Bram Moolenaar
>> Date: Sun Aug 14 19:08:45 2016 +0200
>>
>> patch 7.4.2212
>> Problem:Mark " is not set when closing a window in another tab.
>> (Guraga)
>> Solution: Check all tabs for the window to be valid. (based on patch by
>> Hirohito Higashi, closes #974)
>> ==
>>
>> Crash was found by fuzzing with American fuzzy lop.
>
> Easy to reproduce, thanks.
I see that patch 7.4.2309 fixed it. Thanks.
However, I see another case found by afl-fuzz
that still crashes in Vim-7.4.2311 with a
similar stack:
$ cat crash2.vim
tabedit
autocmd BufUnload tabnext
f x
e y
$ valgrind vim -u NONE -S crash2.vim
valgrind ./vim -u NONE -S crash2.vim 2> log
==7359== Memcheck, a memory error detector
==7359== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7359== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==7359== Command: vim -u NONE -S crash2.vim
==7359==
==7359== Invalid read of size 4
==7359==at 0x5E3D53: bufIsChanged (undo.c:3525)
==7359==by 0x582ECD: draw_tabline (screen.c:10407)
==7359==by 0x56F8A0: update_screen (screen.c:638)
==7359==by 0x624247: main_loop (main.c:1211)
==7359==by 0x623C45: vim_main2 (main.c:877)
==7359==by 0x62338A: main (main.c:415)
==7359== Address 0xc8 is not stack'd, malloc'd or (recently) free'd
==7359==
==7359==
==7359== Process terminating with default action of signal 11
(SIGSEGV): dumping core
==7359==at 0x7E27F07: kill (syscall-template.S:81)
==7359==by 0x5376C1: may_core_dump (os_unix.c:3346)
==7359==by 0x537660: mch_exit (os_unix.c:3312)
==7359==by 0x6247F8: getout (main.c:1495)
==7359==by 0x4EF04D: preserve_exit (misc1.c:9494)
==7359==by 0x535485: deathtrap (os_unix.c:1164)
==7359==by 0x7E27CAF: ??? (in /lib/x86_64-linux-gnu/libc-2.19.so)
==7359==by 0x5E3D52: bufIsChanged (undo.c:3525)
==7359==by 0x582ECD: draw_tabline (screen.c:10407)
==7359==by 0x56F8A0: update_screen (screen.c:638)
==7359==by 0x624247: main_loop (main.c:1211)
==7359==by 0x623C45: vim_main2 (main.c:877)
Regards
Dominique
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [bug] vim-7.4.2305 crashes in bugIsChanged with NULL buf pointer
Dominique Pellé wrote:
> The attached script causes vim-7.4.2305 to crash:
>
> $ cat crash.vim
> new
> tabedit
> tabfirst
> au BufUnload tabnext
> q
>
> $ vim -u NONE -S crash.vim
> Vim: Caught deadly signal SEGV
> Vim: Finished.
> Segmentation fault (core dumped)
>
> 3518│ int
> 3519│ bufIsChanged(buf_T *buf)
> 3520│ {
> 3521│ return
> 3522│ #ifdef FEAT_QUICKFIX
> 3523│ !bt_dontwrite(buf) &&
> 3524│ #endif
> 3525├>(buf->b_changed || file_ff_differs(buf, TRUE));
> 3526│ }
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
> (gdb) bt
> #0 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
> #1 0x0058cd9b in draw_tabline () at screen.c:10407
> #2 0x00579548 in update_screen (type=40) at screen.c:638
> #3 0x006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
> #4 0x006410b7 in vim_main2 () at main.c:877
> #5 0x006407ed in main (argc=5, argv=0x7fffd7d8) at main.c:415
>
> (gdb) p buf
> $1 = (buf_T *) 0x0
>
> It's a regression since vim-7.4.712 that comes with Ubuntu-15.10
> does not crash. git bisect found that the bug was introduced in:
>
> ==
> e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
> commit e59215c7dcae17b03daf39517560cfaa03314f5a
> Author: Bram Moolenaar
> Date: Sun Aug 14 19:08:45 2016 +0200
>
> patch 7.4.2212
> Problem:Mark " is not set when closing a window in another tab.
> (Guraga)
> Solution: Check all tabs for the window to be valid. (based on patch by
> Hirohito Higashi, closes #974)
> ==
>
> Crash was found by fuzzing with American fuzzy lop.
Easy to reproduce, thanks.
--
hundred-and-one symptoms of being an internet addict:
135. You cut classes or miss work so you can stay home and browse the web.
/// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net \\\
///sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org///
\\\help me help AIDS victims -- http://ICCF-Holland.org///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[bug] vim-7.4.2305 crashes in bugIsChanged with NULL buf pointer
Hi
The attached script causes vim-7.4.2305 to crash:
$ cat crash.vim
new
tabedit
tabfirst
au BufUnload tabnext
q
$ vim -u NONE -S crash.vim
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)
3518│ int
3519│ bufIsChanged(buf_T *buf)
3520│ {
3521│ return
3522│ #ifdef FEAT_QUICKFIX
3523│ !bt_dontwrite(buf) &&
3524│ #endif
3525├>(buf->b_changed || file_ff_differs(buf, TRUE));
3526│ }
Program received signal SIGSEGV, Segmentation fault.
0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
(gdb) bt
#0 0x005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
#1 0x0058cd9b in draw_tabline () at screen.c:10407
#2 0x00579548 in update_screen (type=40) at screen.c:638
#3 0x006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
#4 0x006410b7 in vim_main2 () at main.c:877
#5 0x006407ed in main (argc=5, argv=0x7fffd7d8) at main.c:415
(gdb) p buf
$1 = (buf_T *) 0x0
It's a regression since vim-7.4.712 that comes with Ubuntu-15.10
does not crash. git bisect found that the bug was introduced in:
==
e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
commit e59215c7dcae17b03daf39517560cfaa03314f5a
Author: Bram Moolenaar
Date: Sun Aug 14 19:08:45 2016 +0200
patch 7.4.2212
Problem:Mark " is not set when closing a window in another tab. (Guraga)
Solution: Check all tabs for the window to be valid. (based on patch by
Hirohito Higashi, closes #974)
==
Crash was found by fuzzing with American fuzzy lop.
Regards
Dominique
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
crash.vim
Description: Binary data
