Hi,

In the todo list, I see this crash which was reported about 1 year ago:

--- 8< --- cut here --- 8< --- cut here --- 8< ---
Reproducible crash in syntax HL. (George Reilly, Dominique Pelle, 2009 May 9)
--- 8< --- cut here --- 8< --- cut here --- 8< ---

I can still reproduce it 100% of the time with Vim-7.3a BETA on Linux as follows:

1/ download "jquery.vim" version 0.1 available at:
   http://www.vim.org/scripts/script.php?script_id=2416
2/ download "jquery-1.3.2.js" available at:
   http://jqueryjs.googlecode.com/files/jquery-1.3.2.js
3/ start vim with:
   vim -u NONE jquery-1.3.2.js
4/ :set nocp
   :syn on
   :so jquery.vim
5/ Go to the end of the file (jquery-1.3.2.js) with G in normal mode
6/ Observe that Vim takes 100% of CPU for a fairly long time (~2 minutes on my laptop).
7/ When the cursor is at the end of the file, press 1G (in normal mode) to go back to the top of the file and G again to go back to the end of the file.
8/ Observe a crash (seg fault, happens 100% of the time)

Valgrind gives this stack trace:

==25132== Invalid read of size 8
==25132==    at 0x57290A: syn_current_attr (syntax.c:1888)
==25132==    by 0x57270D: get_syntax_attr (syntax.c:1771)
==25132==    by 0x53D2F7: win_line (screen.c:3938)
==25132==    by 0x538BA5: win_update (screen.c:1775)
==25132==    by 0x53642C: update_screen (screen.c:525)
==25132==    by 0x4AFD21: main_loop (main.c:1128)
==25132==    by 0x4AF9B2: main (main.c:955)

I just found the root cause: "current_state.ga_len" reaches quite a high value and an integer overflow happens in the assignment at syntax.c:1445:

syntax.c:
1443     /* When overwriting an existing state stack, clear it first */
1444     clear_syn_state(sp);
1445     sp->sst_stacksize = current_state.ga_len;

current_state.ga_len is an "int" variable which contains 50855 but sp->sst_stacksize is a short! Since current_state.ga_len exceeds 32768, an overflow happens and sp->sst_stacksize becomes negative.

The attached patch fixes it by making sp->sst_stacksize an int rather than a short. Making it an "unsigned short" is also enough to make it work. But the value 50855 is too dangerously close to 65536, so an int is safer.

Vim no longer crashes after the attached patch.

Regards
-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
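The narrowing described in the message, reconstructed as an added example (this is not the patch and not Vim's code): a constructed stand-in struct with the pre-patch short field beside the post-patch int field, and a hypothetical checked-narrowing helper, not present in Vim, that would have rejected the reported ga_len of 50855 instead of letting it wrap negative.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the one synstate_T field that matters here:
 * a short before the patch, an int after it (not Vim's real struct). */
struct synstate_before { short sst_stacksize; };
struct synstate_after  { int   sst_stacksize; };

#define GA_LEN_FROM_REPORT 50855   /* current_state.ga_len quoted in the report */

/* Pre-patch assignment at syntax.c:1445: int narrowed into a short.
 * On two's-complement targets 50855 wraps to 50855 - 65536 = -14681. */
int stacksize_before_fix(int ga_len)
{
    struct synstate_before sp;
    sp.sst_stacksize = (short)ga_len;   /* implicit in Vim, explicit here */
    return sp.sst_stacksize;            /* read back, promoted to int */
}

/* Same assignment after the patch: the int field stores ga_len intact. */
int stacksize_after_fix(int ga_len)
{
    struct synstate_after sp;
    sp.sst_stacksize = ga_len;
    return sp.sst_stacksize;
}

/* Hypothetical defensive helper (not in Vim): refuse to narrow a count
 * that does not fit the destination type instead of silently wrapping. */
bool narrow_to_short_checked(int value, short *out)
{
    if (value < SHRT_MIN || value > SHRT_MAX)
        return false;
    *out = (short)value;
    return true;
}
bool stacksize_fits_short(int ga_len)
{
    short tmp;
    return narrow_to_short_checked(ga_len, &tmp);
}

int main(void)
{
    int n = GA_LEN_FROM_REPORT;
    printf("ga_len %d in short field: %d\n", n, stacksize_before_fix(n));
    printf("ga_len %d in int field:   %d\n", n, stacksize_after_fix(n));
    printf("checked narrowing accepts: %s\n", stacksize_fits_short(n) ? "yes" : "no");
    return 0;
}
```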
diff -r 00d8ddf20102 runtime/doc/todo.txt --- a/runtime/doc/todo.txt Sat May 15 17:06:53 2010 +0200 +++ b/runtime/doc/todo.txt Sat May 15 23:55:13 2010 +0200 @@ -138,8 +138,6 @@ There is no command line completion for ":lmap". -Reproducible crash in syntax HL. (George Reilly, Dominique Pelle, 2009 May 9) - Invalid read error in Farsi mode. (Dominique Pelle, 2009 Aug 2) For running gvim on an USB stick: avoid the OLE registration. Use a command @@ -752,7 +750,7 @@ Also set 'shellcmdflag' to include /s. Win32: When there is 4 Gbyte of memory mch_avail_mem() doesn't work properly. -Unfished patch by Jelle Geerts, 2008 Aug 24. +Unfinished patch by Jelle Geerts, 2008 Aug 24. Let mch_avail_mem() return Kbyte instead? Win32: With two monitors, gvim partly on both, and adding/removing a scrollbar @@ -816,7 +814,7 @@ it in keep_msg? Editing a file remotely that matches 'wildignore' results in a "no match" -error. Should only happen when there are wildards, not when giving the file +error. Should only happen when there are wildcards, not when giving the file name literally, and esp. if there is only one name. Test 61 fails sometimes. This is a timing problem: "sleep 2" sometimes takes @@ -1012,7 +1010,7 @@ Problem with 'cdpath' on MS-Windows when a directory is equal to $HOME. (2006 Jul 26, Gary Johnson) -Using UTF-8 character with ":command" does not work properly. (Matt Wosniski, +Using UTF-8 character with ":command" does not work properly. (Matt Wozniski, 2008 Sep 29) In the Netbeans interface add a "vimeval" function, so that the other side can 
@@ -3377,7 +3375,7 @@ and http://stud4.tuwien.ac.at/~e0125672/icomplete/ http://cedet.sourceforge.net/intellisense.shtml (for Emacs) Ivan Villanueva has something for Java. - Emads: http://www.xref-tech.com/xrefactory/more_c_completion.html + Emacs: http://www.xref-tech.com/xrefactory/more_c_completion.html Completion in .NET framework SharpDevelop: http://www.icsharpcode.net - Pre-expand abbreviations, show which abbrevs would match? diff -r 00d8ddf20102 src/structs.h --- a/src/structs.h Sat May 15 17:06:53 2010 +0200 +++ b/src/structs.h Sat May 15 23:55:13 2010 +0200 @@ -327,7 +327,7 @@ typedef struct m_info minfo_T; /* - * stucture used to link chunks in one of the free chunk lists. + * structure used to link chunks in one of the free chunk lists. */ struct m_info { @@ -795,9 +795,9 @@ garray_T sst_ga; /* growarray for long state stack */ } sst_union; int sst_next_flags; /* flags for sst_next_list */ + int sst_stacksize; /* number of states on the stack */ short *sst_next_list; /* "nextgroup" list in this state * (this is a copy, don't free it! */ - short sst_stacksize; /* number of states on the stack */ disptick_T sst_tick; /* tick when last displayed */ linenr_T sst_change_lnum;/* when non-zero, change in this line * may have made the state invalid */ @@ -2138,7 +2138,7 @@ #define SHAPE_IDX_CI 5 /* Command line Insert mode */ #define SHAPE_IDX_CR 6 /* Command line Replace mode */ #define SHAPE_IDX_O 7 /* Operator-pending mode */ -#define SHAPE_IDX_VE 8 /* Visual mode with 'seleciton' exclusive */ +#define SHAPE_IDX_VE 8 /* Visual mode with 'selection' exclusive */ #define SHAPE_IDX_CLINE 9 /* On command line */ #define SHAPE_IDX_STATUS 10 /* A status line */ #define SHAPE_IDX_SDRAG 11 /* dragging a status line */ 
@@ -2267,7 +2267,7 @@ /* short index; */ /* the item index within the father menu */ short menu_id; /* the menu id to which this item belong */ short submenu_id; /* the menu id of the children (could be - get throught some tricks) */ + get through some tricks) */ MenuHandle menu_handle; MenuHandle submenu_handle; #endif
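Review bot: in the src/structs.h hunk at @@ -795,9 +795,9 @@ the field is not only widened from `short` to `int` but also moved from after `sst_next_list` to before it; the move is unrelated to the overflow fix and changes the struct layout, so either keep `int sst_stacksize;` in its original position or say in the commit message why it was relocated, so readers do not take it for a second change. The widening itself matches the root cause in the report (syntax.c:1445 stores `current_state.ga_len`, an int holding 50855, into a field that as a short wrapped negative), but since the diff touches no other file, any remaining code that copies `sst_stacksize` into a short local, compares it against a short, or prints it with a short format should be checked by hand, because the compiler will not flag those. Minor: the unchanged context comment `* (this is a copy, don't free it! */` is missing its closing parenthesis.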
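Review bot: the runtime/doc/todo.txt hunks bundle the removal of the "Reproducible crash in syntax HL" entry with four unrelated spelling fixes (Unfished, wildards, Wosniski, Emads), and the structs.h and menu hunks add three more (stucture, seleciton, throught); keeping the todo entry removal together with the `sst_stacksize` change and putting the spelling fixes in a separate commit would make the crash fix easier to bisect and backport.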
