vi segfault on set w=0

Paul de Weerd Mon, 21 Sep 2020 12:47:46 -0700

Hi all,

Due to a typo, I got vi to segfault.  Where I wanted to type ":set
wl=0", I missed the L and went ":set w=0".  This resulted in a
segfault and a core dump on one machine.  gdb on the core helpfully
gave me:


#0  0x00000e9cb1e3a81e in ?? () from /usr/bin/vi
#1  0x00000e9cb1e3774f in ?? () from /usr/bin/vi
#2  0x00000e9cb1e3850b in ?? () from /usr/bin/vi
#3  0x00000e9cb1e375c1 in ?? () from /usr/bin/vi
#4  0x00000e9cb1e32f3c in ?? () from /usr/bin/vi
#5  0x00000e9cb1e1c185 in ?? () from /usr/bin/vi
#6  0x00000e9cb1dfd862 in ?? () from /usr/bin/vi
#7  0x00000e9cb1dfc351 in ?? () from /usr/bin/vi
#8  0x0000000000000000 in ?? ()

So I built from source and didn't strip.  Now I don't get a core dump,
but the segfault is still there.  I reproduced that with the regular
vi (no core, still SIGSEGVs).  Maybe it was the file I was editing?

Anyway .. I ran /usr/obj/usr.bin/vi/build/vi under gdb and got this
trace:

Program received signal SIGSEGV, Segmentation fault.
0x000004e28a41381e in vs_sm_fill () from /usr/obj/usr.bin/vi/build/vi
(gdb) bt
#0  0x000004e28a41381e in vs_sm_fill () from /usr/obj/usr.bin/vi/build/vi
#1  0x000004e28a41074f in vs_paint () from /usr/obj/usr.bin/vi/build/vi
#2  0x000004e28a41150b in vs_paint () from /usr/obj/usr.bin/vi/build/vi
#3  0x000004e28a4105c1 in vs_refresh () from /usr/obj/usr.bin/vi/build/vi
#4  0x000004e28a40bf3c in vi () from /usr/obj/usr.bin/vi/build/vi
#5  0x000004e28a3f5185 in editor () from /usr/obj/usr.bin/vi/build/vi
#6  0x000004e28a3d6862 in main () from /usr/obj/usr.bin/vi/build/vi

You'll notice the trace is only 7 functions long, where the previous
one was 9.  It looks to be related to the contents of the buffer.
Just running vi (with no arguments) and doing the ":set w=0" dance
right at the start gives:

:set w=0
Program received signal SIGSEGV, Segmentation fault.
0x00000576ed67f9b6 in vs_paint () from /usr/obj/usr.bin/vi/build/vi
(gdb) bt
#0  0x00000576ed67f9b6 in vs_paint () from /usr/obj/usr.bin/vi/build/vi
#1  0x00000576ed67f5c1 in vs_refresh () from /usr/obj/usr.bin/vi/build/vi
#2  0x00000576ed67af3c in vi () from /usr/obj/usr.bin/vi/build/vi
#3  0x00000576ed664185 in editor () from /usr/obj/usr.bin/vi/build/vi
#4  0x00000576ed645862 in main () from /usr/obj/usr.bin/vi/build/vi

Of course, `:set w` is `:set window`, and setting a window with 0
lines is nonsensical.  But segfaulting doesn't make a lot of sense.  I
looked at the source, but was scared away by the "If you change this
code, you'd better know what you're doing.  It's subtle and quick to
anger." comment above vs_paint() (i.e. I was totally out of my
league).

Hope someone else can make sense of this.  At least it's easy to
reproduce (confirmed on amd64 and armv7).

Thanks,

Paul

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/

vi segfault on set w=0

Reply via email to