Re: [bug] vim-7.4.2311 crashes with deleted augroup, regression introduced by vim-7.4.2117

2016-09-03 Conversation thread Bram Moolenaar

Dominique wrote:

> afl-fuzz found another crash in Vim-7.4.2311 and older:
> 
> $ cat crash.vim
> augroup x
> augroup! x
> au VimEnter * echo
> au VimEnter
> 
> $ vim -u NONE -S crash.vim
> Vim: Caught deadly signal SEGV
> Vim: Finished.
> Segmentation fault (core dumped)
> 
> program received signal SIGSEGV, Segmentation fault.
> 0x0062cc86 in msg_puts_display (str=0x0, maxlen=-1, attr=0,
> recurse=0) at message.c:1937
> (gdb) bt
> #0  0x0062cc86 in msg_puts_display (str=0x0, maxlen=-1,
> attr=0, recurse=0) at message.c:1937
> #1  0x0062c5a3 in msg_puts_attr_len (str=0x0, maxlen=-1,
> attr=0) at message.c:1910
> #2  0x0062c4e7 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
> #3  0x004ab567 in show_autocmd (ap=0x932700,
> event=EVENT_VIMENTER) at fileio.c:7816
> #4  0x004ac7a5 in do_autocmd_event (event=EVENT_VIMENTER,
> pat=0x931f8b "", nested=0, cmd=0x931f8b "", forceit=0
> , group=-3) at fileio.c:8529
> #5  0x004ac570 in do_autocmd (arg_in=0x931f83 "VimEnter",
> forceit=0) at fileio.c:8440
> #6  0x00480ca1 in ex_autocmd (eap=0x7fffcae0) at ex_docmd.c:5488
> #7  0x0047bdc7 in do_one_cmd (cmdlinep=0x7fffccf0,
> sourcing=1, cstack=0x7fffcde0, fgetline=0x4769a3 <getsourceline>, cookie=0x7fffd340) at ex_docmd.c:2967
> #8  0x00478823 in do_cmdline (cmdline=0x931e70 "augroup x",
> fgetline=0x4769a3 <getsourceline>, cookie=0x7fffd340, flags=7) at ex_docmd.c:1110
> #9  0x0047659d in do_source (fname=0x931c13 "c.vim",
> check_other=0, is_vimrc=0) at ex_cmds2.c:4097
> #10 0x00475baf in cmd_source (fname=0x931c13 "c.vim",
> eap=0x7fffd550) at ex_cmds2.c:3710
> #11 0x00475afd in ex_source (eap=0x7fffd550) at ex_cmds2.c:3685
> #12 0x0047bdc7 in do_one_cmd (cmdlinep=0x7fffd760,
> sourcing=1, cstack=0x7fffd850, fgetline=0x0, cookie=
> 0x0) at ex_docmd.c:2967
> #13 0x00478823 in do_cmdline (cmdline=0x8eb7e0 "so c.vim",
> fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1110
> #14 0x00477e5f in do_cmdline_cmd (cmd=0x8eb7e0 "so c.vim") at
> ex_docmd.c:715
> #15 0x00625ac1 in exe_commands (parmp=0x8ce200 ) at main.c:2896
> #16 0x00622bee in vim_main2 () at main.c:781
> #17 0x006224ef in main (argc=6, argv=0x7fffdea8) at main.c:415
> 
> 1917│ static void
> 1918│ msg_puts_display(
> 1919│ char_u  *str,
> 1920│ int maxlen,
> 1921│ int attr,
> 1922│ int recurse)
> 1923│ {
> 1924│ char_u  *s = str;
> 1925│ char_u  *t_s = str; /* string from "t_s" to "s" is still todo */
> 1926│ int t_col = 0;  /* screen cells todo, 0 when "t_s" not used */
> 1927│ #ifdef FEAT_MBYTE
> 1928│ int l;
> 1929│ int cw;
> 1930│ #endif
> 1931│ char_u  *sb_str = str;
> 1932│ int sb_col = msg_col;
> 1933│ int wrap;
> 1934│ int did_last_char;
> 1935│
> 1936│ did_wait_return = FALSE;
> 1937├>while ((maxlen < 0 || (int)(s - str) < maxlen) && *s != NUL)
> 1938│ {
> 
> (gdb) p s
> $1 = (char_u *) 0x0
> 
> #1  0x0064ac7f in msg_puts_attr_len (str=0x0, maxlen=-1,
> attr=0) at message.c:1910
> (gdb) up
> #2  0x0064abc3 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
> (gdb) up
> #3  0x004b145d in show_autocmd (ap=0x959780,
> event=EVENT_VIMENTER) at fileio.c:7816
> 
> 7815│ if (AUGROUP_NAME(ap->group) == NULL)
> 7816├>msg_puts_attr(deleted_augroup, hl_attr(HLF_E));
> 7817│ else
> 7818│ msg_puts_attr(AUGROUP_NAME(ap->group), hl_attr(HLF_T));
> 
> (gdb) p deleted_augroup
> $2 = (char_u *) 0x0
> 
> It does not crash using vim-7.4.752 that comes with xubuntu-15.10
> so it's a regression.
> 
> git bisect identified that it started to crash in Vim-7.4.2117:
> 
> ===
> f2c4c391192cab6e923b1a418d4af09106fba25f is the first bad commit
> commit f2c4c391192cab6e923b1a418d4af09106fba25f
> Author: Bram Moolenaar 
> Date:   Fri Jul 29 20:50:24 2016 +0200
> 
> patch 7.4.2117
> Problem:    Deleting an augroup that still has autocmds does not give a
>             warning.  The next defined augroup takes its place.
> Solution:   Give a warning and prevent the index being used for
>             another group name.
> ===

Thanks.  Clearly using deleted_augroup this way was a bad idea.

Perhaps we should also disallow deleting an augroup while it's in use.
Can only be a mistake.

-- 
hundred-and-one symptoms of being an internet addict:
145. You e-mail your boss, informing him you'll be late.

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org///
 \\\help me help AIDS victims -- http://ICCF-Holland.org///


[bug] vim-7.4.2311 crashes with deleted augroup, regression introduced by vim-7.4.2117

2016-09-02 Conversation thread Dominique Pellé
Hi

afl-fuzz found another crash in Vim-7.4.2311 and older:

$ cat crash.vim
augroup x
augroup! x
au VimEnter * echo
au VimEnter

$ vim -u NONE -S crash.vim
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)

program received signal SIGSEGV, Segmentation fault.
0x0062cc86 in msg_puts_display (str=0x0, maxlen=-1, attr=0,
recurse=0) at message.c:1937
(gdb) bt
#0  0x0062cc86 in msg_puts_display (str=0x0, maxlen=-1,
attr=0, recurse=0) at message.c:1937
#1  0x0062c5a3 in msg_puts_attr_len (str=0x0, maxlen=-1,
attr=0) at message.c:1910
#2  0x0062c4e7 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
#3  0x004ab567 in show_autocmd (ap=0x932700,
event=EVENT_VIMENTER) at fileio.c:7816
#4  0x004ac7a5 in do_autocmd_event (event=EVENT_VIMENTER,
pat=0x931f8b "", nested=0, cmd=0x931f8b "", forceit=0
, group=-3) at fileio.c:8529
#5  0x004ac570 in do_autocmd (arg_in=0x931f83 "VimEnter",
forceit=0) at fileio.c:8440
#6  0x00480ca1 in ex_autocmd (eap=0x7fffcae0) at ex_docmd.c:5488
#7  0x0047bdc7 in do_one_cmd (cmdlinep=0x7fffccf0,
sourcing=1, cstack=0x7fffcde0, fgetline=0x4769a3 <getsourceline>, cookie=0x7fffd340) at ex_docmd.c:2967
#8  0x00478823 in do_cmdline (cmdline=0x931e70 "augroup x",
fgetline=0x4769a3 <getsourceline>, cookie=0x7fffd340, flags=7) at ex_docmd.c:1110
#9  0x0047659d in do_source (fname=0x931c13 "c.vim",
check_other=0, is_vimrc=0) at ex_cmds2.c:4097
#10 0x00475baf in cmd_source (fname=0x931c13 "c.vim",
eap=0x7fffd550) at ex_cmds2.c:3710
#11 0x00475afd in ex_source (eap=0x7fffd550) at ex_cmds2.c:3685
#12 0x0047bdc7 in do_one_cmd (cmdlinep=0x7fffd760,
sourcing=1, cstack=0x7fffd850, fgetline=0x0, cookie=
0x0) at ex_docmd.c:2967
#13 0x00478823 in do_cmdline (cmdline=0x8eb7e0 "so c.vim",
fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1110
#14 0x00477e5f in do_cmdline_cmd (cmd=0x8eb7e0 "so c.vim") at
ex_docmd.c:715
#15 0x00625ac1 in exe_commands (parmp=0x8ce200 ) at main.c:2896
#16 0x00622bee in vim_main2 () at main.c:781
#17 0x006224ef in main (argc=6, argv=0x7fffdea8) at main.c:415

1917│ static void
1918│ msg_puts_display(
1919│ char_u  *str,
1920│ int maxlen,
1921│ int attr,
1922│ int recurse)
1923│ {
1924│ char_u  *s = str;
1925│ char_u  *t_s = str; /* string from "t_s" to "s" is still todo */
1926│ int t_col = 0;  /* screen cells todo, 0 when "t_s" not used */
1927│ #ifdef FEAT_MBYTE
1928│ int l;
1929│ int cw;
1930│ #endif
1931│ char_u  *sb_str = str;
1932│ int sb_col = msg_col;
1933│ int wrap;
1934│ int did_last_char;
1935│
1936│ did_wait_return = FALSE;
1937├>while ((maxlen < 0 || (int)(s - str) < maxlen) && *s != NUL)
1938│ {

(gdb) p s
$1 = (char_u *) 0x0

#1  0x0064ac7f in msg_puts_attr_len (str=0x0, maxlen=-1,
attr=0) at message.c:1910
(gdb) up
#2  0x0064abc3 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
(gdb) up
#3  0x004b145d in show_autocmd (ap=0x959780,
event=EVENT_VIMENTER) at fileio.c:7816

7815│ if (AUGROUP_NAME(ap->group) == NULL)
7816├>msg_puts_attr(deleted_augroup, hl_attr(HLF_E));
7817│ else
7818│ msg_puts_attr(AUGROUP_NAME(ap->group), hl_attr(HLF_T));

(gdb) p deleted_augroup
$2 = (char_u *) 0x0

It does not crash using vim-7.4.752 that comes with xubuntu-15.10
so it's a regression.

git bisect identified that it started to crash in Vim-7.4.2117:

===
f2c4c391192cab6e923b1a418d4af09106fba25f is the first bad commit
commit f2c4c391192cab6e923b1a418d4af09106fba25f
Author: Bram Moolenaar 
Date:   Fri Jul 29 20:50:24 2016 +0200

patch 7.4.2117
Problem:    Deleting an augroup that still has autocmds does not give a
            warning.  The next defined augroup takes its place.
Solution:   Give a warning and prevent the index being used for
            another group name.
===

Regards
Dominique
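A small C model of the failure mode in the backtrace above (also quoted in Bram's reply), added here as an illustration; it is not code from Vim or from either poster. It assumes the "--Deleted--" marker string is only initialised on the warning path taken when a group still has autocmds, so deleting an empty group leaves the marker NULL and a later listing hands that NULL to the message routine; the hardened variant produces the marker on demand so the pointer can never be NULL.

```c
#include <stddef.h>
#include <string.h>

#define MAX_GROUPS 8
#define NO_GROUP (-1)

/* Simplified augroup table: one name per index, NULL once the group is deleted.
 * (Constructed model, not Vim's actual data structures.) */
static const char *augroup_name[MAX_GROUPS];

/* Marker shown for a deleted group.  Assumption: only set when deletion of a
 * group that still has autocmds triggers the warning path. */
static const char *deleted_augroup = NULL;

int add_group(const char *name) {
    for (int i = 0; i < MAX_GROUPS; i++)
        if (augroup_name[i] == NULL) { augroup_name[i] = name; return i; }
    return NO_GROUP;
}

/* "augroup! name": the in-use path initialises the marker, the empty-group path does not. */
void del_group(int idx, int in_use) {
    if (in_use && deleted_augroup == NULL)
        deleted_augroup = "--Deleted--";
    augroup_name[idx] = NULL;
}

/* Buggy listing: returns the pointer that would be passed to msg_puts_attr(). */
const char *group_label_buggy(int idx) {
    return augroup_name[idx] == NULL ? deleted_augroup : augroup_name[idx];
}

/* Hardened listing: the marker is created on first use, never NULL. */
static const char *get_deleted_augroup(void) {
    if (deleted_augroup == NULL)
        deleted_augroup = "--Deleted--";
    return deleted_augroup;
}
const char *group_label_fixed(int idx) {
    return augroup_name[idx] == NULL ? get_deleted_augroup() : augroup_name[idx];
}

/* Replays crash.vim: define x, delete it while empty, then list autocmds in it.
 * Returns 1 if the label is printable, 0 if a NULL would reach the message code. */
int reproduce(int use_fixed) {
    memset(augroup_name, 0, sizeof augroup_name);
    deleted_augroup = NULL;
    int x = add_group("x");
    del_group(x, 0);  /* empty group: warning path not taken, marker stays NULL */
    const char *label = use_fixed ? group_label_fixed(x) : group_label_buggy(x);
    return label != NULL;
}
```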
