Hello, with this minimal vimrc
    set nocompatible
    syntax enable
    " adjust redrawtime to match machine speed
    "set redrawtime=100
    " mapping to repeat command quickly
    nmap <silent> <F12> :syntax sync fromstart<CR>:syntax sync fromstart<CR>

I get a segfault by opening the reproducer file

    https://www.phi-gamma.net/misc/reproducer.rst

and then typing <S-g><F12>.

The cause appears to be a use-after-free that occurs when redrawtime
elapses before the syntax highlighting is done. On my box ("Intel(R)
Core(TM) i7-4771 CPU @ 3.50GHz") it is reproducible up to a limit of
~4250 ms; with larger values there is no crash.

Bisection shows that this is the problematic commit:

    commit 06f1ed2f78c5c03af95054fc3a8665df39dec362
    Author: Bram Moolenaar <[email protected]>
    Date:   Sun Jun 18 22:41:03 2017 +0200

        patch 8.0.0647: syntax highlighting can make cause a freeze

        Problem:    Syntax highlighting can make cause a freeze.
        Solution:   Apply 'redrawtime' to syntax highlighting, per window.

and indeed, reverting the changes on top of 8.1.436 gets rid of the
crash.

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    syn_stack_find_entry (lnum=9082, lnum@entry=1) at syntax.c:1457
    1457        if (p->sst_lnum == lnum)
    (gdb) bt
    #0  syn_stack_find_entry (lnum=9082, lnum@entry=1) at syntax.c:1457
    #1  syntax_end_parsing (lnum=lnum@entry=9082) at syntax.c:1716
    #2  0x00000000005451ae in win_update (wp=wp@entry=0x879ee0) at screen.c:2241
    #3  0x0000000000546cd3 in update_screen (type_arg=type_arg@entry=0) at screen.c:783
    #4  0x00000000005c9d57 in main_loop (cmdwin=cmdwin@entry=0, noexmode=noexmode@entry=0) at main.c:1251
    #5  0x00000000005cac9b in vim_main2 () at main.c:919
    #6  0x000000000040724b in main (argc=<optimized out>, argv=<optimized out>) at main.c:443

Valgrind reports it as a use-after-free, see attached log.

Best,
Philipp
==17472== Memcheck, a memory error detector
==17472== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==17472== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==17472== Command: vim -u /home/philipp/src/vim/bug/test-vimrc reproducer.rst
==17472== Parent PID: 5664
==17472==
==17472== Invalid read of size 8
==17472==    at 0x570943: syn_stack_find_entry (syntax.c:1457)
==17472==    by 0x570943: syntax_end_parsing (syntax.c:1716)
==17472==    by 0x5451AD: win_update (screen.c:2241)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Address 0x1701fbf8 is 8 bytes inside a block of size 211,032 free'd
==17472==    at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==17472==    by 0x5708BC: syn_stack_free_block (syntax.c:1194)
==17472==    by 0x5708BC: syn_stack_free_all (syntax.c:1209)
==17472==    by 0x578685: syn_cmd_sync (syntax.c:5997)
==17472==    by 0x570C49: ex_syntax (syntax.c:6397)
==17472==    by 0x46CA55: do_one_cmd (ex_docmd.c:2533)
==17472==    by 0x46E8B9: do_cmdline (ex_docmd.c:1041)
==17472==    by 0x4DBAC4: nv_colon (normal.c:5401)
==17472==    by 0x4E548A: normal_cmd (normal.c:1134)
==17472==    by 0x5C9B99: main_loop (main.c:1372)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Block was alloc'd at
==17472==    at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==17472==    by 0x4C9C90: lalloc (misc2.c:976)
==17472==    by 0x4CA58F: alloc_clear (misc2.c:898)
==17472==    by 0x57669E: syn_stack_alloc (syntax.c:1260)
==17472==    by 0x57669E: syntax_start (syntax.c:548)
==17472==    by 0x54354F: win_line (screen.c:3286)
==17472==    by 0x54437B: win_update (screen.c:2144)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==
==17472== Invalid read of size 8
==17472==    at 0x57095B: syn_stack_find_entry (syntax.c:1455)
==17472==    by 0x57095B: syntax_end_parsing (syntax.c:1716)
==17472==    by 0x5451AD: win_update (screen.c:2241)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Address 0x1701fbf0 is 0 bytes inside a block of size 211,032 free'd
==17472==    at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==17472==    by 0x5708BC: syn_stack_free_block (syntax.c:1194)
==17472==    by 0x5708BC: syn_stack_free_all (syntax.c:1209)
==17472==    by 0x578685: syn_cmd_sync (syntax.c:5997)
==17472==    by 0x570C49: ex_syntax (syntax.c:6397)
==17472==    by 0x46CA55: do_one_cmd (ex_docmd.c:2533)
==17472==    by 0x46E8B9: do_cmdline (ex_docmd.c:1041)
==17472==    by 0x4DBAC4: nv_colon (normal.c:5401)
==17472==    by 0x4E548A: normal_cmd (normal.c:1134)
==17472==    by 0x5C9B99: main_loop (main.c:1372)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Block was alloc'd at
==17472==    at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==17472==    by 0x4C9C90: lalloc (misc2.c:976)
==17472==    by 0x4CA58F: alloc_clear (misc2.c:898)
==17472==    by 0x57669E: syn_stack_alloc (syntax.c:1260)
==17472==    by 0x57669E: syntax_start (syntax.c:548)
==17472==    by 0x54354F: win_line (screen.c:3286)
==17472==    by 0x54437B: win_update (screen.c:2144)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==
==17472== Invalid read of size 8
==17472==    at 0x570950: syn_stack_find_entry (syntax.c:1457)
==17472==    by 0x570950: syntax_end_parsing (syntax.c:1716)
==17472==    by 0x5451AD: win_update (screen.c:2241)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Address 0x1701fcd0 is 224 bytes inside a block of size 211,032 free'd
==17472==    at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==17472==    by 0x5708BC: syn_stack_free_block (syntax.c:1194)
==17472==    by 0x5708BC: syn_stack_free_all (syntax.c:1209)
==17472==    by 0x578685: syn_cmd_sync (syntax.c:5997)
==17472==    by 0x570C49: ex_syntax (syntax.c:6397)
==17472==    by 0x46CA55: do_one_cmd (ex_docmd.c:2533)
==17472==    by 0x46E8B9: do_cmdline (ex_docmd.c:1041)
==17472==    by 0x4DBAC4: nv_colon (normal.c:5401)
==17472==    by 0x4E548A: normal_cmd (normal.c:1134)
==17472==    by 0x5C9B99: main_loop (main.c:1372)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Block was alloc'd at
==17472==    at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==17472==    by 0x4C9C90: lalloc (misc2.c:976)
==17472==    by 0x4CA58F: alloc_clear (misc2.c:898)
==17472==    by 0x57669E: syn_stack_alloc (syntax.c:1260)
==17472==    by 0x57669E: syntax_start (syntax.c:548)
==17472==    by 0x54354F: win_line (screen.c:3286)
==17472==    by 0x54437B: win_update (screen.c:2144)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==
==17472== Invalid read of size 8
==17472==    at 0x570963: syntax_end_parsing (syntax.c:1717)
==17472==    by 0x5451AD: win_update (screen.c:2241)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Address 0x1704f5e0 is 195,056 bytes inside a block of size 211,032 free'd
==17472==    at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==17472==    by 0x5708BC: syn_stack_free_block (syntax.c:1194)
==17472==    by 0x5708BC: syn_stack_free_all (syntax.c:1209)
==17472==    by 0x578685: syn_cmd_sync (syntax.c:5997)
==17472==    by 0x570C49: ex_syntax (syntax.c:6397)
==17472==    by 0x46CA55: do_one_cmd (ex_docmd.c:2533)
==17472==    by 0x46E8B9: do_cmdline (ex_docmd.c:1041)
==17472==    by 0x4DBAC4: nv_colon (normal.c:5401)
==17472==    by 0x4E548A: normal_cmd (normal.c:1134)
==17472==    by 0x5C9B99: main_loop (main.c:1372)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==  Block was alloc'd at
==17472==    at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==17472==    by 0x4C9C90: lalloc (misc2.c:976)
==17472==    by 0x4CA58F: alloc_clear (misc2.c:898)
==17472==    by 0x57669E: syn_stack_alloc (syntax.c:1260)
==17472==    by 0x57669E: syntax_start (syntax.c:548)
==17472==    by 0x54354F: win_line (screen.c:3286)
==17472==    by 0x54437B: win_update (screen.c:2144)
==17472==    by 0x546CD2: update_screen (screen.c:783)
==17472==    by 0x5C9D56: main_loop (main.c:1251)
==17472==    by 0x5CAC9A: vim_main2 (main.c:919)
==17472==    by 0x40724A: main (main.c:443)
==17472==
==17472==
==17472== HEAP SUMMARY:
==17472==     in use at exit: 5,447,964 bytes in 42,546 blocks
==17472==   total heap usage: 178,596 allocs, 136,050 frees, 2,262,058,678 bytes allocated
==17472==
==17472== LEAK SUMMARY:
==17472==    definitely lost: 0 bytes in 0 blocks
==17472==    indirectly lost: 0 bytes in 0 blocks
==17472==      possibly lost: 779,697 bytes in 14,231 blocks
==17472==    still reachable: 4,668,267 bytes in 28,315 blocks
==17472==         suppressed: 0 bytes in 0 blocks
==17472== Rerun with --leak-check=full to see details of leaked memory
==17472==
==17472== For counts of detected and suppressed errors, rerun with: -v
==17472== ERROR SUMMARY: 1809 errors from 4 contexts (suppressed: 0 from 0)
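The failure pattern the report and the Valgrind log describe, as an added example that is not Vim's code: a buffer-wide syntax-state cache is freed on the ":syntax sync fromstart" path while a window still holds a cursor into it from a parse that 'redrawtime' cut short, and the next redraw's syntax_end_parsing() would walk the freed block. The struct and function names are hypothetical stand-ins for Vim's b_sst_* fields and syn_stack_* routines; the guard shown (clear every outstanding cursor where the block is freed, refuse the lookup when nothing valid remains) is the invariant the crash violates, not a claim about how Vim itself fixed it.

```c
#include <stdlib.h>
/* saved parser state for one line; all entries live in one malloc'd block */
typedef struct sst_entry { long sst_lnum; struct sst_entry *sst_next; } sst_entry_T;
typedef struct { sst_entry_T *sst_array, *sst_first; } syn_buf_T;         /* per buffer */
typedef struct { syn_buf_T *cur_buf; sst_entry_T *cur_entry; } syn_win_T; /* per window */

/* One entry per line 1..n, linked in order (stand-in for syn_stack_alloc). */
void syn_stack_alloc(syn_buf_T *b, int n)
{
    b->sst_array = calloc((size_t)n, sizeof(sst_entry_T));
    for (int i = 0; i < n; i++) {
        b->sst_array[i].sst_lnum = i + 1;
        b->sst_array[i].sst_next = (i + 1 < n) ? &b->sst_array[i + 1] : NULL;
    }
    b->sst_first = b->sst_array;
}

/* ":syntax sync fromstart" path. The window's cursor is dropped here, before
 * the block it points into is freed; leaving it dangling is the bug modelled. */
void syn_stack_free_all(syn_buf_T *b, syn_win_T *w)
{
    if (w->cur_buf == b)
        w->cur_entry = NULL;
    free(b->sst_array);
    b->sst_array = NULL;
    b->sst_first = NULL;
}

/* win_update's follow-up: returns the matching lnum, or -1 when the cursor or
 * the cache is gone, instead of dereferencing freed memory. */
long syntax_end_parsing(syn_win_T *w, long lnum)
{
    if (w->cur_buf == NULL || w->cur_entry == NULL || w->cur_buf->sst_first == NULL)
        return -1;
    for (sst_entry_T *p = w->cur_entry; p != NULL; p = p->sst_next)
        if (p->sst_lnum == lnum)
            return p->sst_lnum;
    return -1;
}

/* The reporter's sequence on a constructed 5-line cache: parse cut short,
 * <F12> frees the cache, next redraw. Returns 1 if the lookup works before
 * the free and is refused (not performed on freed memory) after it. */
int demo_interrupted_redraw(void)
{
    syn_buf_T b = {0};
    syn_win_T w = {0};
    syn_stack_alloc(&b, 5);
    w.cur_buf = &b;
    w.cur_entry = b.sst_first;                  /* 'redrawtime' elapsed here */
    long before = syntax_end_parsing(&w, 3);    /* 3: cache still valid */
    syn_stack_free_all(&b, &w);                 /* :syntax sync fromstart */
    long after = syntax_end_parsing(&w, 3);     /* -1: refused, no UAF */
    return before == 3 && after == -1 && w.cur_entry == NULL;
}
```

Running the same sequence under Valgrind or ASan with the two guard lines removed reproduces the "Invalid read ... inside a block ... free'd" report shape seen in the attached log.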
