Bram Moolenaar wrote:

> Dominique Pellé wrote:
>
>> The attached script causes vim-7.4.2305 to crash:
>>
>> $ cat crash.vim
>> new
>> tabedit
>> tabfirst
>> au BufUnload <buffer> tabnext
>> q
>>
>> $ vim -u NONE -S crash.vim
>> Vim: Caught deadly signal SEGV
>> Vim: Finished.
>> Segmentation fault (core dumped)
>>
>> 3518│     int
>> 3519│ bufIsChanged(buf_T *buf)
>> 3520│ {
>> 3521│     return
>> 3522│ #ifdef FEAT_QUICKFIX
>> 3523│             !bt_dontwrite(buf) &&
>> 3524│ #endif
>> 3525├>            (buf->b_changed || file_ff_differs(buf, TRUE));
>> 3526│ }
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x00000000005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> (gdb) bt
>> #0  0x00000000005eee37 in bufIsChanged (buf=0x0) at undo.c:3525
>> #1  0x000000000058cd9b in draw_tabline () at screen.c:10407
>> #2  0x0000000000579548 in update_screen (type=40) at screen.c:638
>> #3  0x00000000006416dd in main_loop (cmdwin=0, noexmode=0) at main.c:1211
>> #4  0x00000000006410b7 in vim_main2 () at main.c:877
>> #5  0x00000000006407ed in main (argc=5, argv=0x7fffffffd7d8) at main.c:415
>>
>> (gdb) p buf
>> $1 = (buf_T *) 0x0
>>
>> It's a regression, since vim-7.4.712, which comes with Ubuntu-15.10,
>> does not crash. git bisect found that the bug was introduced in:
>>
>> ==
>> e59215c7dcae17b03daf39517560cfaa03314f5a is the first bad commit
>> commit e59215c7dcae17b03daf39517560cfaa03314f5a
>> Author: Bram Moolenaar <b...@vim.org>
>> Date:   Sun Aug 14 19:08:45 2016 +0200
>>
>>     patch 7.4.2212
>>     Problem:    Mark " is not set when closing a window in another tab. (Guraga)
>>     Solution:   Check all tabs for the window to be valid. (based on patch by
>>                 Hirohito Higashi, closes #974)
>> ==
>>
>> Crash was found by fuzzing with American fuzzy lop.
>
> Easy to reproduce, thanks.


I see that patch 7.4.2309 fixed it. Thanks.

However, I see another case found by afl-fuzz
that still crashes in Vim-7.4.2311 with a
similar stack:

$ cat crash2.vim
tabedit
autocmd BufUnload <buffer> tabnext
f x
e y

$ valgrind vim -u NONE -S crash2.vim

valgrind ./vim -u NONE -S crash2.vim 2> log
==7359== Memcheck, a memory error detector
==7359== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7359== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==7359== Command: vim -u NONE -S crash2.vim
==7359==
==7359== Invalid read of size 4
==7359==    at 0x5E3D53: bufIsChanged (undo.c:3525)
==7359==    by 0x582ECD: draw_tabline (screen.c:10407)
==7359==    by 0x56F8A0: update_screen (screen.c:638)
==7359==    by 0x624247: main_loop (main.c:1211)
==7359==    by 0x623C45: vim_main2 (main.c:877)
==7359==    by 0x62338A: main (main.c:415)
==7359==  Address 0xc8 is not stack'd, malloc'd or (recently) free'd
==7359==
==7359==
==7359== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==7359==    at 0x7E27F07: kill (syscall-template.S:81)
==7359==    by 0x5376C1: may_core_dump (os_unix.c:3346)
==7359==    by 0x537660: mch_exit (os_unix.c:3312)
==7359==    by 0x6247F8: getout (main.c:1495)
==7359==    by 0x4EF04D: preserve_exit (misc1.c:9494)
==7359==    by 0x535485: deathtrap (os_unix.c:1164)
==7359==    by 0x7E27CAF: ??? (in /lib/x86_64-linux-gnu/libc-2.19.so)
==7359==    by 0x5E3D52: bufIsChanged (undo.c:3525)
==7359==    by 0x582ECD: draw_tabline (screen.c:10407)
==7359==    by 0x56F8A0: update_screen (screen.c:638)
==7359==    by 0x624247: main_loop (main.c:1211)
==7359==    by 0x623C45: vim_main2 (main.c:877)

Regards
Dominique
