h_east <h.east....@gmail.com> wrote:

> Hi Dominique and list,
>
> 2016-3-19(Sat) 10:01:43 UTC+9 h_east:
>> Hi,
>>
>> 2016-3-19(Sat) 5:18:03 UTC+9 Dominique Pelle:
>> > Hi
>> >
>> > afl-fuzz found another case that crashes
>> > Vim-7.4.1591 and older.
>> >
>> > $ cat > crash.vim <<EOF
>> > fun R(n)
>> >   wincmd p
>> >   only
>> > endfun
>> >
>> > helpgrep quickfix
>> > autocmd BufReadCmd * call R(expand("<amatch>"))
>> > let s = [""]
>> > let q = []
>> > for w in s
>> >   call add(q, {'filename': 't' })
>> >   call setloclist(0, q)
>> > endfor
>> > lrewind
>> > EOF
>> >
>> > $ vim -u NONE -S crash.vim
>> > Vim: Caught deadly signal SEGV
>> >
>> > Vim: Finished.
>> > Segmentation fault (core dumped)
>> >
>> > Valgrind says:
>> >
>> > ==4729== Memcheck, a memory error detector
>> > ==4729== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
>> > ==4729== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
>> > ==4729== Command: ./vim -u NONE -S crash.vim
>> > ==4729== Parent PID: 2749
>> > ==4729==
>> > ==4729== Invalid read of size 8
>> > ==4729==    at 0x53CDF1: qf_jump (quickfix.c:1808)
>> > ==4729==    by 0x49F6F7: do_one_cmd (ex_docmd.c:2921)
>> > ==4729==    by 0x49F6F7: do_cmdline (ex_docmd.c:1107)
>> > ==4729==    by 0x493951: do_source (ex_cmds2.c:3895)
>> > ==4729==    by 0x4942EB: cmd_source (ex_cmds2.c:3508)
>> > ==4729==    by 0x49F6F7: do_one_cmd (ex_docmd.c:2921)
>> > ==4729==    by 0x49F6F7: do_cmdline (ex_docmd.c:1107)
>> > ==4729==    by 0x43D891: exe_commands (main.c:2925)
>> > ==4729==    by 0x43D891: main (main.c:955)
>> > ==4729==  Address 0x10b4c0f8 is 40 bytes inside a block of size 64 free'd
>> > ==4729==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
>> > ==4729==    by 0x53A237: qf_free (quickfix.c:2142)
>> > ==4729==    by 0x53A2FC: ll_free_all (quickfix.c:953)
>> > ==4729==    by 0x53C7A4: qf_free_all (quickfix.c:967)
>> > ==4729==    by 0x5C0480: win_free (window.c:4726)
>> > ==4729==    by 0x5C174E: win_free_mem (window.c:2614)
>> > ==4729==    by 0x5C1C46: win_close (window.c:2455)
>> > ==4729==    by 0x5C34C3: close_others (window.c:3429)
>> > ==4729==    by 0x49F6F7: do_one_cmd (ex_docmd.c:2921)
>> > ==4729==    by 0x49F6F7: do_cmdline (ex_docmd.c:1107)
>> > ==4729==    by 0x474024: call_user_func (eval.c:24927)
>> > ==4729==    by 0x474024: call_func (eval.c:8868)
>> > ==4729==    by 0x47872F: get_func_tv (eval.c:8657)
>> > ==4729==    by 0x4800FB: ex_call (eval.c:3535)
>> > ==4729==    by 0x49F6F7: do_one_cmd (ex_docmd.c:2921)
>> > ==4729==    by 0x49F6F7: do_cmdline (ex_docmd.c:1107)
>> > ==4729==    by 0x4B52CC: apply_autocmds_group (fileio.c:9451)
>> > ==4729==    by 0x4B7B77: apply_autocmds_exarg (fileio.c:9018)
>> > ==4729==    by 0x4B7B77: readfile (fileio.c:383)
>> > ==4729==    by 0x44517F: open_buffer (buffer.c:151)
>> > ==4729==    by 0x486F8A: do_ecmd (ex_cmds.c:3768)
>> > ==4729==    by 0x487330: getfile (ex_cmds.c:3190)
>> > ==4729==    by 0x43FB81: buflist_getfile (buffer.c:2094)
>> > ==4729==    by 0x53D026: qf_jump (quickfix.c:1798)
>> > ==4729==    by 0x49F6F7: do_one_cmd (ex_docmd.c:2921)
>> > ==4729==    by 0x49F6F7: do_cmdline (ex_docmd.c:1107)
>> > ==4729==    by 0x493951: do_source (ex_cmds2.c:3895)
>> > ==4729==    by 0x4942EB: cmd_source (ex_cmds2.c:3508)
>> > ==4729==    by 0x49F6F7: do_one_cmd (ex_docmd.c:2921)
>> > ==4729==    by 0x49F6F7: do_cmdline (ex_docmd.c:1107)
>> > ==4729==    by 0x43D891: exe_commands (main.c:2925)
>> > ==4729==    by 0x43D891: main (main.c:955)
>> > (more errors after that)
>> >
>> > Code in quickfix.c:
>> >
>> >   1424     void
>> >   1425 qf_jump(
>> >   ....
>> >   1797         else
>> > !!1798             ok = buflist_getfile(qf_ptr->qf_fnum,
>> >   1799                             (linenr_T)1, GETF_SETMARK | GETF_SWITCH, forceit);
>> >   1800     }
>> >   1801
>> >   1802     if (ok == OK)
>> >   1803     {
>> >   1804         /* When not switched to another buffer, still need to set pc mark */
>> >   1805         if (curbuf == old_curbuf)
>> >   1806             setpcmark();
>> >   1807
>> > !!1808         if (qf_ptr->qf_pattern == NULL)
>> >
>> > Memory used at line quickfix.c:1808 was previously freed a few
>> > lines above, at quickfix.c:1798, which triggered an
>> > autocommand.
>> >
>> > I don't understand the code enough to see how to fix it.
>>
>> I've already written a patch.
>> I am writing a test now.
>>
>> Please wait for a few hours.
>
> An attached patch may fix this problem.
> I was wondering if anyone could confirm this.
>
> Thanks.
> --
> Best regards,
> Hirohito Higashi (a.k.a. h_east)


Hi Hirohito

I confirm that Vim no longer crashes after applying your patch.
Good work. Arigato!

I also noticed this item in doc/todo.txt:

===
Still using freed memory after using setloclist(). (lcd, 2014 Jul 23)
More info Jul 24.  Not clear why.
===

I found where that todo item was discussed:

https://groups.google.com/forum/#!topic/vim_dev/t4ei24iwkiY

It was also using freed memory in the same function qf_jump.
So I'm hoping that your patch fixes this todo item as well.
It would be nice if lcd could confirm whether his bug is also
fixed with your patch.

Regards
Dominique
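As an added illustration (not code from this thread, from Vim, or from Hirohito's patch, which is not shown on this page), here is a toy C model of the use-after-free pattern the Valgrind trace describes: qf_jump() keeps qf_ptr into the current window's location list, buflist_getfile() fires BufReadCmd, the autocommand's `wincmd p` followed by `only` closes that window and frees its list through win_free() -> qf_free_all(), and qf_jump() then reads the freed entry. The structures, the window table, the autocommand stand-in, and the re-validation by window id and entry index are assumptions of this model, not Vim's real code or its eventual fix.

```c
#include <stdio.h>
#include <stdlib.h>

#define OK      1
#define FAIL    0
#define MAX_WIN 4

/* Toy model, not Vim's real structures: a location-list entry, a location
 * list, and a window that owns its list (as Vim's w_llist does). */
typedef struct { int lnum; const char *pattern; } qfline_T;
typedef struct { qfline_T *items; int count; } qf_list_T;
typedef struct { int w_id; qf_list_T *w_llist; } win_T;

static win_T *windows[MAX_WIN];   /* open windows, NULL once closed */
static win_T *curwin;             /* the current window */
static int autocmd_runs_only;     /* 1: BufReadCmd runs ":wincmd p | only" */

static win_T *win_new(int id, int nentries)
{
    win_T *wp = calloc(1, sizeof *wp);
    wp->w_id = id;
    if (nentries > 0) {
        wp->w_llist = calloc(1, sizeof *wp->w_llist);
        wp->w_llist->items = calloc((size_t)nentries, sizeof(qfline_T));
        wp->w_llist->count = nentries;
        for (int i = 0; i < nentries; i++) wp->w_llist->items[i].lnum = i + 1;
    }
    for (int i = 0; i < MAX_WIN; i++) if (windows[i] == NULL) { windows[i] = wp; break; }
    return wp;
}

static win_T *win_id2wp(int id)
{
    for (int i = 0; i < MAX_WIN; i++)
        if (windows[i] != NULL && windows[i]->w_id == id) return windows[i];
    return NULL;
}

/* win_close() -> win_free() -> qf_free_all(): the list dies with its window. */
static void win_close(win_T *wp)
{
    for (int i = 0; i < MAX_WIN; i++) if (windows[i] == wp) windows[i] = NULL;
    if (wp->w_llist != NULL) { free(wp->w_llist->items); free(wp->w_llist); }
    free(wp);
}

/* Stand-in for buflist_getfile(): loading the buffer fires BufReadCmd, whose
 * commands are arbitrary. Modelled here: the reproducer's ":wincmd p" (go to
 * the previous window) then ":only" (close all others), which frees the window
 * that owns the list qf_jump() is walking. */
static int buflist_getfile(void)
{
    win_T *prev = NULL;
    if (!autocmd_runs_only) return OK;
    for (int i = 0; i < MAX_WIN; i++)
        if (windows[i] != NULL && windows[i] != curwin) { prev = windows[i]; break; }
    if (prev == NULL) return OK;
    curwin = prev;                                              /* :wincmd p */
    for (int i = 0; i < MAX_WIN; i++)                           /* :only     */
        if (windows[i] != NULL && windows[i] != curwin) win_close(windows[i]);
    return OK;
}

/* Hardened shape of the tail of qf_jump(): carry only stable identifiers
 * (window id, entry index) across the call that runs autocommands, re-resolve
 * the list afterwards, and refuse the jump if it is gone. The quoted original
 * instead kept qf_ptr across that call and dereferenced it. */
static int qf_jump_safe(win_T *wp, int idx, int *lnum_out)
{
    int owner_id = wp->w_id;
    if (buflist_getfile() != OK) return FAIL;
    win_T *owner = win_id2wp(owner_id);
    if (owner == NULL || owner->w_llist == NULL || idx >= owner->w_llist->count)
        return FAIL;                        /* the autocommand freed the list */
    qfline_T *qf_ptr = &owner->w_llist->items[idx];   /* fresh, not stale */
    if (qf_ptr->pattern == NULL) *lnum_out = qf_ptr->lnum;
    return OK;
}

/* The reproducer's scenario: two windows, the first owning a two-entry location
 * list, then a jump to entry 1. Reports whether the owning window survived. */
static int run_scenario(int with_autocmd, int *lnum_out, int *owner_open)
{
    for (int i = 0; i < MAX_WIN; i++) if (windows[i] != NULL) win_close(windows[i]);
    win_T *a = win_new(1, 2);
    win_new(2, 0);
    curwin = a;
    autocmd_runs_only = with_autocmd;
    int status = qf_jump_safe(a, 1, lnum_out);
    *owner_open = win_id2wp(1) != NULL;
    return status;
}

int main(void)
{
    int lnum = 0, open = 0, st = run_scenario(1, &lnum, &open);
    printf("jump %s, owning window still open: %d\n", st == OK ? "done" : "refused", open);
    return 0;
}
```

With the autocommand enabled the model refuses the jump instead of dereferencing freed memory; with it disabled it lands on line 2 as before. The general defence is the one modelled here: whenever a call can run user-controlled callbacks (autocommands in Vim's case) that may free what the caller holds, keep identifiers rather than raw pointers across that call and look the object up again afterwards. Building the real thing with `-fsanitize=address`, as Dominique did with Valgrind, is the quickest way to make any remaining stale dereference loud.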

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
