Bram Moolenaar wrote:

> Dominique Pellé wrote:
>
>> The attached script causes vim-7.4.2305 to crash:
>>
>> $ cat crash.vim
>> new
>> tabedit
>> tabfirst
>> au BufUnload <buffer> tabnext
>> q
>>
>> $ vim -u NONE -S crash.vim
>> Vim: Caught deadly signal SEGV
>> Vim: Finished.
>> Segmentation fault (core dumped)
>>
>> 3518│ int
>> 3519│ bufIsChanged(buf_T *buf)
>> 3520│ {
>> 3521│     return
>> 3522│ #ifdef FEAT_QUICKFIX
>> 3523│         !bt_dontwrite(buf) &&
>> 3524│ #endif
>> 3525├>        (buf->b_changed || file_ff_differs(buf, TRUE));
>> 3526│ }
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00000000005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> (gdb) bt
>> #0  0x00000000005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> #1  0x000000000058cd9b in draw_tabline () at screen.c:10407
>> #2  0x0000000000579548 in update_screen (type=40) at screen.c:638
>> #3  0x00000000006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
>> #4  0x00000000006410b7 in vim_main2 () at main.c:877
>> #5  0x00000000006407ed in main (argc=5, argv=0x7fffffffd7d8) at main.c:415
>>
>> (gdb) p buf
>> $1 = (buf_T *) 0x0
>>
>> It's a regression, since vim-7.4.712 that comes with Ubuntu-15.10
>> does not crash. git bisect found that the bug was introduced in:
>>
>> ==
>> e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
>> commit e59215c7dcae17b03daf39517560cfaa03314f5a
>> Author: Bram Moolenaar <b...@vim.org>
>> Date:   Sun Aug 14 19:08:45 2016 +0200
>>
>>     patch 7.4.2212
>>     Problem:    Mark " is not set when closing a window in another tab.
>>                 (Guraga)
>>     Solution:   Check all tabs for the window to be valid. (based on patch by
>>                 Hirohito Higashi, closes #974)
>> ==
>>
>> Crash was found by fuzzing with American fuzzy lop.
>
> Easy to reproduce, thanks.
I see that patch 7.4.2309 fixed it. Thanks.

However, I see another case found by afl-fuzz that still crashes in
Vim-7.4.2311 with a similar stack:

$ cat crash2.vim
tabedit
autocmd BufUnload <buffer> tabnext
f x
e y

$ valgrind vim -u NONE -S crash2.vim
valgrind ./vim -u NONE -S crash2.vim 2> log
==7359== Memcheck, a memory error detector
==7359== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7359== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==7359== Command: vim -u NONE -S crash2.vim
==7359==
==7359== Invalid read of size 4
==7359==    at 0x5E3D53: bufIsChanged (undo.c:3525)
==7359==    by 0x582ECD: draw_tabline (screen.c:10407)
==7359==    by 0x56F8A0: update_screen (screen.c:638)
==7359==    by 0x624247: main_loop (main.c:1211)
==7359==    by 0x623C45: vim_main2 (main.c:877)
==7359==    by 0x62338A: main (main.c:415)
==7359==  Address 0xc8 is not stack'd, malloc'd or (recently) free'd
==7359==
==7359==
==7359== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==7359==    at 0x7E27F07: kill (syscall-template.S:81)
==7359==    by 0x5376C1: may_core_dump (os_unix.c:3346)
==7359==    by 0x537660: mch_exit (os_unix.c:3312)
==7359==    by 0x6247F8: getout (main.c:1495)
==7359==    by 0x4EF04D: preserve_exit (misc1.c:9494)
==7359==    by 0x535485: deathtrap (os_unix.c:1164)
==7359==    by 0x7E27CAF: ??? (in /lib/x86_64-linux-gnu/libc-2.19.so)
==7359==    by 0x5E3D52: bufIsChanged (undo.c:3525)
==7359==    by 0x582ECD: draw_tabline (screen.c:10407)
==7359==    by 0x56F8A0: update_screen (screen.c:638)
==7359==    by 0x624247: main_loop (main.c:1211)
==7359==    by 0x623C45: vim_main2 (main.c:877)

Regards
Dominique