On Tue, Aug 27, 2013 at 01:22:21PM -0700, Manpreet Singh wrote:
> Hmm, I couldn't reproduce it with just expand this time though now
> but mkdir still crashes in f_mkdir. Stack below:
>
> % gdb /Applications/MacVim.app/Contents/MacOS/Vim
> (gdb) set args -u NONE -U NONE +'call mkdir(expand("abc", "p", 0700))'
> (gdb) run
> Error detected while processing command line:
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_PROTECTION_FAILURE at address: 0x00000001001c0d98
> 0x0000000100036a19 in f_mkdir ()
> (gdb) bt
> #0 0x0000000100036a19 in f_mkdir ()
> #1 0x0000000100025cc3 in call_func ()
> #2 0x0000000100028232 in get_func_tv ()
> #3 0x0000000100027989 in ex_call ()
> #4 0x0000000100058745 in do_one_cmd ()
> #5 0x00000001000550bf in do_cmdline ()
> #6 0x00000001001b69fd in main ()
> (gdb)

I can reproduce on Linux:
Program received signal SIGSEGV, Segmentation fault.
0x000000000046dbf7 in f_mkdir (argvars=0x7fffffffd250, rettv=0x7fffffffd420) at
eval.c:14297
14297 *gettail_sep(dir) = NUL;
(gdb) bt
#0 0x000000000046dbf7 in f_mkdir (argvars=0x7fffffffd250,
rettv=0x7fffffffd420) at eval.c:14297
#1 0x0000000000465383 in call_func (funcname=0x92c7a0 "mkdir", len=5,
rettv=0x7fffffffd420, argcount=1, argvars=0x7fffffffd250, firstline=1,
lastline=1, doesrange=0x7fffffffd3f0, evaluate=1, selfdict=0x0) at
eval.c:8530
#2 0x0000000000464df5 in get_func_tv (name=0x92c7a0 "mkdir", len=5,
rettv=0x7fffffffd420, arg=0x7fffffffd3f8, firstline=1, lastline=1,
doesrange=0x7fffffffd3f0, evaluate=1, selfdict=0x0) at eval.c:8343
#3 0x000000000045d7cc in ex_call (eap=0x7fffffffd530) at eval.c:3460
#4 0x0000000000497caa in do_one_cmd (cmdlinep=0x7fffffffd650, sourcing=1,
cstack=0x7fffffffd740, fgetline=0x0, cookie=0x0) at ex_docmd.c:2689
#5 0x0000000000495228 in do_cmdline (cmdline=0x7fffffffe2b6 "call
mkdir(expand(\"abc\", \"p\", 0700))", fgetline=0x0, cookie=0x0, flags=11)
at ex_docmd.c:1127
#6 0x0000000000494870 in do_cmdline_cmd (cmd=0x7fffffffe2b6 "call
mkdir(expand(\"abc\", \"p\", 0700))") at ex_docmd.c:732
#7 0x000000000062715d in exe_commands (parmp=0x7fffffffdc90) at main.c:2897
#8 0x00000000006244b8 in main (argc=6, argv=0x7fffffffded8) at main.c:931
(gdb) p dir
$1 = (char_u *) 0x6305d7 ""
(gdb) p gettail(dir)
$2 = (char_u *) 0x6305d7 ""
(gdb) p gettail_sep(dir)
$3 = (char_u *) 0x6305d7 ""

It looks to me that dir is in some read-only section.

(gdb) maintenance info sections
...
0x0062ed40->0x00666cb9 at 0x0022ed40: .rodata ALLOC LOAD READONLY DATA
HAS_CONTENTS
...

Yup.

Looks like patch 7.4.006 needs some fixing.

Marius Gedminas
--
As far as we know, our computer has never had an undetected error.
-- Weisert
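
The fault in the trace above (a NUL stored through a pointer that gdb shows pointing at "" in .rodata) next to a guarded form of the same trim, as an added C example that is neither Vim's code nor its fix. The names tail_sep, trim_in_place_unsafe and parent_dir are hypothetical, and tail_sep is a simplified stand-in for gettail_sep.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the gettail_sep() named in the trace (an assumption,
 * not Vim's code): points at the separator in front of the last component, so
 * storing NUL there leaves the parent directory. For "" it returns path. */
static char *tail_sep(char *path)
{
    char *p = path + strlen(path);
    while (p > path && p[-1] == '/') --p;      /* drop trailing slashes */
    while (p > path && p[-1] != '/') --p;      /* drop last component */
    while (p > path + 1 && p[-1] == '/') --p;  /* drop separators, keep root */
    return p;
}

/* Pattern of eval.c:14297: the store goes through whatever pointer the caller
 * passed. With a string literal it lands in .rodata and faults. Shown for
 * contrast only; nothing in this example calls it. */
void trim_in_place_unsafe(char *dir)
{
    *tail_sep(dir) = '\0';
}

/* Hardened form: reject the empty path and write only to a private copy.
 * Returns a malloc'd parent directory, or NULL on empty input or OOM. */
char *parent_dir(const char *dir)
{
    if (dir == NULL || *dir == '\0')
        return NULL;
    size_t n = strlen(dir) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return NULL;
    memcpy(copy, dir, n);
    *tail_sep(copy) = '\0';
    return copy;
}

int main(void)
{
    const char *samples[] = { "", "abc", "a/b", "/abc" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *p = parent_dir(samples[i]);
        printf("\"%s\" -> %s%s\n", samples[i], p ? "parent: " : "rejected", p ? p : "");
        free(p);
    }
    return 0;
}
```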
