Dominique Pelle wrote:

> On Feb 5, 2008 8:40 AM, Tony Mechelynck <[EMAIL PROTECTED]> wrote:
> >
> > Kazuo Teramoto wrote:
> > >> Same (start at X, stop at Y) for
> > >>     :call search("^", "e")
> > >>     :call search("^", "ce")
> > >
> > > Ouch, for me this is a little more serious, if I try these calls my vim
> > > always segfaults (I don't need a test file and I'm using -u NONE -U none),
> > > I don't know what needs to be posted but the :version is
> > >
> > > VIM - Vi IMproved 7.0 (2006 May 7, compiled Aug 29 2007 10:59:43)
> > > Included patches: 1-122, 234-235, 39
> > > Big version without GUI.  Features included (+) or not (-):
> >
> > ??? with patch 39 applied twice ??? none of 123-233 (a hundred and eleven
> > missing patches) ??? and no "compiled-by" line ??? Oh, and it's a 7.0 anyway.
> > Maybe you ought to install a 7.1 version (of which the current patchlevel is
> > 7.1.242)? See my "HowTo" page,
> > http://users.skynet.be/antoine.mechelynck/vim/compunix.htm
> 
> 
> I have a normal installation of vim-7.1.242 (all patches) and it's
> crashing for me as well.  I have the same version of vim on
> 2 machines (one linux x86 and one linux x86_64) and it's only
> crashing on the x86_64 machine.
> 
> As soon as I type ":call search('\_s*a\_s*','e')" I get a  core dump
> on the x86_64 machine:
> 
> $ ./vim
> Vim: Caught deadly signal SEGV
> Vim: preserving files...
> Vim: Finished.
> Segmentation fault (core dumped)
> 
> $ gdb ./vim core
> ...
> Core was generated by `./vim'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x00002b71866ebe47 in kill () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00002b71866ebe47 in kill () from /lib64/libc.so.6
> #1  0x000000000050e38d in may_core_dump () at os_unix.c:2950
> #2  0x000000000050e328 in mch_exit (r=1) at os_unix.c:2915
> #3  0x00000000004a5eb3 in getout (exitval=1) at main.c:1342
> #4  0x00000000004d2128 in preserve_exit () at misc1.c:8355
> #5  0x000000000050c73d in deathtrap (sigarg=11) at os_unix.c:1030
> #6  <signal handler called>
> #7  0x00000000004e0b33 in utf_head_off (base=0x9251c4 "c   Y",
>     p=0x1009251c3 <Address 0x1009251c3 out of bounds>) at mbyte.c:2480
> #8  0x0000000000539235 in searchit (win=0x831b90, buf=0x8333f0,
>     pos=0x7fff2690fa00, dir=1, pat=0x947c80 "\\_s*a\\_s*", count=1,
>     options=1088, pat_use=0, stop_lnum=0, tm=0x7fff2690f9e0) at search.c:848
> #9  0x00000000004420e7 in search_cmn (argvars=0x7fff2690fbc0, match_pos=0x0,
>     flagsp=0x7fff2690fa8c) at eval.c:14077
> #10 0x00000000004421cc in f_search (argvars=0x7fff2690fbc0,
>     rettv=0x7fff2690fd80) at eval.c:14120
> #11 0x0000000000439522 in call_func (name=0x986920 "search", len=6,
>     rettv=0x7fff2690fd80, argcount=2, argvars=0x7fff2690fbc0, firstline=1,
>     lastline=1, doesrange=0x7fff2690fd7c, evaluate=1, selfdict=0x0)
>     at eval.c:7632
> #12 0x0000000000439043 in get_func_tv (name=0x986920 "search", len=6,
>     rettv=0x7fff2690fd80, arg=0x7fff2690fda0, firstline=1, lastline=1,
>     doesrange=0x7fff2690fd7c, evaluate=1, selfdict=0x0) at eval.c:7450
> #13 0x0000000000432c73 in ex_call (eap=0x7fff2690fe80) at eval.c:3215
> #14 0x0000000000463c6b in do_one_cmd (cmdlinep=0x7fff26910528, sourcing=0,
>     cstack=0x7fff26910080, fgetline=0x47821a <getexline>, cookie=0x0)
>     at ex_docmd.c:2623
> #15 0x000000000046146a in do_cmdline (cmdline=0x0,
>     getline=0x47821a <getexline>, cookie=0x0, flags=0) at ex_docmd.c:1099
> #16 0x00000000004ebdd2 in nv_colon (cap=0x7fff26910670) at normal.c:5179
> #17 0x00000000004e4dd8 in normal_cmd (oap=0x7fff26910730, toplevel=1)
>     at normal.c:1152
> #18 0x00000000004a5be2 in main_loop (cmdwin=0, noexmode=0) at main.c:1181
> #19 0x00000000004a572e in main (argc=1, argv=0x7fff26910a28) at main.c:940
> 
> (gdb) up
> #1  0x000000000050e38d in may_core_dump () at os_unix.c:2950
> 2950            kill(getpid(), deadly_signal);  /* Die using the signal we caught */
> (gdb)
> #2  0x000000000050e328 in mch_exit (r=1) at os_unix.c:2915
> 2915        may_core_dump();
> (gdb)
> #3  0x00000000004a5eb3 in getout (exitval=1) at main.c:1342
> 1342        mch_exit(exitval);
> (gdb)
> #4  0x00000000004d2128 in preserve_exit () at misc1.c:8355
> 8355        getout(1);
> (gdb)
> #5  0x000000000050c73d in deathtrap (sigarg=11) at os_unix.c:1030
> 1030        preserve_exit();                /* preserve files and exit */
> (gdb)
> #6  <signal handler called>
> (gdb)
> #7  0x00000000004e0b33 in utf_head_off (base=0x9251c4 "c   Y",
>     p=0x1009251c3 <Address 0x1009251c3 out of bounds>) at mbyte.c:2480
> 2480        if (*p < 0x80)              /* be quick for ASCII */
> (gdb) p p
> $1 = (char_u *) 0x1009251c3 <Address 0x1009251c3 out of bounds>
> 
> -> pointer 'p' is invalid
> 
> Valgrind memory checker also detects a problem when
> doing  ":call search('\_s*a\_s*','e')" at the same location
> on the x86_64 machine (no problem detected on the
> x86 machine):
> 
> ==13671== Invalid read of size 1
> ==13671==    at 0x4E0B33: utf_head_off (mbyte.c:2480)
> ==13671==    by 0x539234: searchit (search.c:848)
> ==13671==    by 0x4420E6: search_cmn (eval.c:14077)
> ==13671==    by 0x4421CB: f_search (eval.c:14120)
> ==13671==    by 0x439521: call_func (eval.c:7632)
> ==13671==    by 0x439042: get_func_tv (eval.c:7450)
> ==13671==    by 0x432C72: ex_call (eval.c:3215)
> ==13671==    by 0x463C6A: do_one_cmd (ex_docmd.c:2623)
> ==13671==    by 0x461469: do_cmdline (ex_docmd.c:1099)
> ==13671==    by 0x4EBDD1: nv_colon (normal.c:5179)
> ==13671==    by 0x4E4DD7: normal_cmd (normal.c:1152)
> ==13671==    by 0x4A5BE1: main_loop (main.c:1181)
> ==13671==    by 0x4A572D: main (main.c:940)
> ==13671==  Address 0x10b5e697f is not stack'd, malloc'd or (recently) free'd
> 
> I can reproduce it 100% of the time.

What is the text you are searching in?  I assume your 'encoding' is set
to "utf-8"?

If you want to do a little digging, check out the code before calling
mb_head_off(), line 848 in search.c.  Especially the value of "endpos"
compared to what's in the text.

-- 
hundred-and-one symptoms of being an internet addict:
18. Your wife drapes a blond wig over your monitor to remind you of what she
    looks like.

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
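
Added example (not part of the original messages and not Vim's code): in frame #7 of the backtrace above, p and base differ by exactly 0xFFFFFFFF. The C sketch below shows one way such a pointer arises and why it faults only on a 64-bit build, assuming a 32-bit unsigned column value that is decremented from 0 before being added to a pointer; the thread does not confirm this as the cause, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Addresses copied from frame #7 of the backtrace in the thread. */
#define BASE_ADDR 0x9251c4ULL
#define P_ADDR    0x1009251c3ULL

/* Distance between p and base as reported by gdb. */
uint64_t reported_delta(void) { return P_ADDR - BASE_ADDR; }

/* Assumed model: a column kept in a 32-bit unsigned type is decremented
 * and then added to a 64-bit pointer (x86_64, LP64). */
uint64_t addr_lp64(uint64_t base, uint32_t col)
{
    uint32_t off = col - 1u;      /* wraps to 0xFFFFFFFF when col == 0 */
    return base + (uint64_t)off;  /* zero-extended: ~4 GiB past base */
}

/* Same arithmetic with 32-bit pointers (x86, ILP32). */
uint32_t addr_ilp32(uint32_t base, uint32_t col)
{
    uint32_t off = col - 1u;
    return base + off;            /* wraps mod 2^32: base - 1, usually mapped */
}

/* Hypothetical guard: produce an offset only when col - 1 stays inside
 * a line of len bytes. Returns 1 on success, 0 if it would be out of range. */
int checked_offset(uint32_t col, size_t len, size_t *out)
{
    if (col == 0 || (size_t)(col - 1u) >= len)
        return 0;
    *out = (size_t)(col - 1u);
    return 1;
}

int main(void)
{
    size_t off = 0;
    printf("gdb delta : 0x%llx\n", (unsigned long long)reported_delta());
    printf("LP64  p   : 0x%llx\n", (unsigned long long)addr_lp64(BASE_ADDR, 0));
    printf("ILP32 p   : 0x%lx\n", (unsigned long)addr_ilp32(0x9251c4u, 0));
    printf("guard col0: %d\n", checked_offset(0, 5, &off));
    return 0;
}
```

On the 32-bit model the result is one byte before base, which is consistent with the x86 machine showing no crash while still being an out-of-range read.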
