Dominique Pellé <[email protected]>:

> Hi
>
> Valgrind detects access to uninitialized memory in both Vim-7.2.446 and
> Vim-7.3.c BETA (2448:943280505f72) with the i_CTRL-X_s feature: spell
> suggestion of the word in front of the cursor. It happens when the word in
> front of the cursor is only 1 letter long and a vowel.  I think that vowels
> are ignored in the Soundex algorithm, so the variable goodsound at
> spell.c:14758 is an empty string and goodsound[1] is accessed (beyond the
> end of the string).
>
> Steps to reproduce:
>
> 1) Run:
>
> $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
>  vim -u NONE -c 'set spell' -c 'call feedkeys("aa\<C-X>s")'
>
> 2) Observe the following error in vg.log:
>
> ==3666== Conditional jump or move depends on uninitialised value(s)
> ==3666==    at 0x81A000B: soundalike_score (spell.c:14758)
> ==3666==    by 0x819CC0C: stp_sal_score (spell.c:13142)
> ==3666==    by 0x819E3F2: rescore_one (spell.c:13923)
> ==3666==    by 0x819E2EC: rescore_suggestions (spell.c:13896)
> ==3666==    by 0x8197186: spell_suggest_intern (spell.c:10791)
> ==3666==    by 0x8196D66: spell_find_suggest (spell.c:10641)
> ==3666==    by 0x81966EB: spell_suggest_list (spell.c:10494)
> ==3666==    by 0x81A24D5: expand_spelling (spell.c:16021)
> ==3666==    by 0x806AD86: ins_compl_get_exp (edit.c:4163)
> ==3666==    by 0x806B7CB: ins_compl_next (edit.c:4506)
> ==3666==    by 0x806CA13: ins_complete (edit.c:5139)
> ==3666==    by 0x80669EC: edit (edit.c:1366)
> ==3666==    by 0x813427C: invoke_edit (normal.c:9024)
> ==3666==    by 0x8134222: nv_edit (normal.c:8997)
> ==3666==    by 0x8127BFB: normal_cmd (normal.c:1190)
> ==3666==    by 0x80E8ECF: main_loop (main.c:1260)
> ==3666==    by 0x80E8904: main (main.c:965)
> ==3666==  Uninitialised value was created by a stack allocation
> ==3666==    at 0x819C9BB: stp_sal_score (spell.c:13096)


Hi

I still see other Valgrind errors in spell suggestion with
Vim-7.2.446 and Vim-7.3c (2448:943280505f72) when doing:

$ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
  vim -u NONE -c 'set spell|call feedkeys("i,,\<C-X>s")'

==4200== Conditional jump or move depends on uninitialised value(s)
==4200==    at 0x8123C84: utf_head_off (mbyte.c:3290)
==4200==    by 0x8198E00: suggest_trie_walk (spell.c:11666)
==4200==    by 0x8197E64: suggest_try_change (spell.c:11229)
==4200==    by 0x8197100: spell_suggest_intern (spell.c:10777)
==4200==    by 0x8196D1E: spell_find_suggest (spell.c:10641)
==4200==    by 0x81966A3: spell_suggest_list (spell.c:10494)
==4200==    by 0x81A248D: expand_spelling (spell.c:16021)
==4200==    by 0x806AD4E: ins_compl_get_exp (edit.c:4163)
==4200==    by 0x806B793: ins_compl_next (edit.c:4506)
==4200==    by 0x806C9DB: ins_complete (edit.c:5139)
==4200==    by 0x80669B4: edit (edit.c:1366)
==4200==    by 0x8134208: invoke_edit (normal.c:9024)
==4200==    by 0x81341AE: nv_edit (normal.c:8997)
==4200==    by 0x8127B87: normal_cmd (normal.c:1190)
==4200==    by 0x80E8E97: main_loop (main.c:1260)
==4200==    by 0x80E88CC: main (main.c:965)
==4200==  Uninitialised value was created by a stack allocation
==4200==    at 0x8197D56: suggest_try_change (spell.c:11204)

The attached new patch fixes it, but I don't think it's ideal,
since giving spell suggestions when only punctuation has been typed
does not make much sense.

-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
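The over-read in soundalike_score that the second hunk of the attached patch guards against can be pinned down without Valgrind once the control flow is understood: inside the `(*badsound == '*' || *goodsound == '*') && *badsound != *goodsound` block, at most one of the two sound-folded strings can be empty, and indexing `[1]` on the empty one reads past its terminator. The following C program is an added example, not Vim's code and not part of the patch; it reduces that comparison to a stand-alone function (with a constructed `SCORE_MISMATCH` penalty and a `SCORE_MAXMAX` stand-in) and wraps string indexing in a checked accessor that counts reads beyond the NUL, so the bug becomes a deterministic unit test instead of an "uninitialised value" report. The set of folded strings it iterates over is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUL '\0'
#define SCORE_MAXMAX   999999   /* stand-in for Vim's "no match possible" score */
#define SCORE_MISMATCH 100      /* constructed penalty, not Vim's value */

/* A string with an explicit length plus a counter of reads past the NUL. */
typedef struct {
    const char *s;
    size_t len;
    int oob;          /* number of reads at index > len, i.e. beyond the terminator */
} checked_str;

static checked_str cs_make(const char *s)
{
    checked_str c = { s, strlen(s), 0 };
    return c;
}

/* Like s[i], but records a read beyond the terminator instead of silently
 * returning whatever byte happens to follow in memory. */
static char cs_at(checked_str *c, size_t i)
{
    if (i > c->len) {
        c->oob++;
        return NUL;
    }
    return c->s[i];
}

/* Reduced form of the comparison the hunk patches. guarded == 0 reproduces
 * the original control flow; guarded == 1 adds the NUL check the patch
 * inserts before the [1] accesses. */
static int leading_vowel_score(checked_str *bad, checked_str *good, int guarded)
{
    char b0 = cs_at(bad, 0), g0 = cs_at(good, 0);

    if ((b0 == '*' || g0 == '*') && b0 != g0) {
        /* The patch's addition: an empty folded word cannot match. */
        if (guarded && (g0 == NUL || b0 == NUL))
            return SCORE_MAXMAX;
        /* Original code goes on to compare the characters after the marker;
         * on an empty string this is the read past the end. */
        if (cs_at(bad, 1) == cs_at(good, 1))
            return 0;
        return SCORE_MISMATCH;
    }
    return 0;
}

/* Convenience wrapper: score two C strings. */
static int score_of(const char *bad, const char *good, int guarded)
{
    checked_str b = cs_make(bad), g = cs_make(good);
    return leading_vowel_score(&b, &g, guarded);
}

/* Exercise every pair drawn from a constructed set of folded strings and
 * return how many of those comparisons read past a terminator. */
static int count_overreads(int guarded)
{
    static const char *folded[] = { "", "*", "*T", "T", "TS" };
    const size_t n = sizeof folded / sizeof folded[0];
    int total = 0;

    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            checked_str b = cs_make(folded[i]), g = cs_make(folded[j]);
            leading_vowel_score(&b, &g, guarded);
            total += b.oob + g.oob;
        }
    return total;
}

int main(void)
{
    printf("over-reads without guard: %d\n", count_overreads(0));   /* 4 */
    printf("over-reads with guard:    %d\n", count_overreads(1));   /* 0 */
    printf("score(\"*\", \"\") unguarded: %d\n", score_of("*", "", 0));
    printf("score(\"*\", \"\") guarded:   %d\n", score_of("*", "", 1));
    return 0;
}
```

Note what the unguarded run shows: the pair `("*", "")` does not crash, it scores 0 because the byte read past the terminator happened to compare equal to the NUL at `badsound[1]`, which is exactly why this class of bug surfaces only under Valgrind rather than as a visible failure.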
diff -r 943280505f72 src/spell.c
--- a/src/spell.c	Sat Jul 31 22:03:44 2010 +0200
+++ b/src/spell.c	Sun Aug 01 10:36:28 2010 +0200
@@ -11658,7 +11658,7 @@
 		     * words, the edit distance and then add them. */
 		    add_sound_suggest(su, preword, sp->ts_score, lp);
 		}
-		else
+		else if (sp->ts_fidx > 0)
 		{
 		    /* Give a penalty when changing non-word char to word
 		     * char, e.g., "thes," -> "these". */
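Review bot: turning the `else` into `else if (sp->ts_fidx > 0)` means that for `ts_fidx == 0` neither branch runs, and the hunk carries no comment saying why index 0 has to be excluded; add one, since the reason is only visible from the Valgrind trace above (the uninitialised read in `utf_head_off` called from spell.c:11666, a few lines below this hunk, with the value originating in `suggest_try_change`), so a later reader has no way to tell that the guard exists to keep that call from looking at a position before any character of the bad word has been consumed. Also worth confirming that silently skipping the penalty path is the intended behaviour for this case rather than, as the cover note itself suggests, not attempting suggestions at all when the text in front of the cursor contains only non-word characters.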
@@ -14755,6 +14755,8 @@
      * counted so much, vowels halfway the word aren't counted at all. */
     if ((*badsound == '*' || *goodsound == '*') && *badsound != *goodsound)
     {
+	if (*goodsound == NUL || *badsound == NUL)
+	    return SCORE_MAXMAX;
 	if (badsound[1] == goodsound[1]
 		|| (badsound[1] != NUL
 		    && goodsound[1] != NUL
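Review bot: the new `return SCORE_MAXMAX` sits correctly before `badsound[1]` and `goodsound[1]` are read, but it deserves a comment spelling out the invariant it relies on: inside this `if`, one string starts with `'*'` and the other differs, so if either is `NUL` the other is a lone `'*'` and the `[1]` access on the empty one is the read past the terminator seen in the first report. Also state explicitly that an empty sound-folded word is now treated as "no match" rather than scored as an ordinary mismatch, because that decision affects which candidates survive `rescore_suggestions`; and since this guard only protects this branch, check whether `soundalike_score` indexes `[1]` or beyond anywhere outside it.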