Hi list,
After some more digging I isolated the cause of the crash and it has
nothing to do with 2html.vim: Vim crashes while evaluating a corrupt
regular expression generated by a bug in my publish.vim plug-in.
I initially suspected this problem but thought I'd excluded it when Vim
still crashed after I disabled the pattern's evaluation. I now think Vim
still crashed because the 'hlsearch' option caused Vim to evaluate the
last used search pattern stored in my ~/.viminfo file.
The regex is a 77 KB monstrosity that's supposed to match a predefined
set of strings in 2html.vim output and is complicated by the fact that
it also matches strings with embedded HTML tags. The regex is corrupt
because of a bug in my plug-in; I forgot to escape special characters
like [.
Even though the regex is corrupt (garbage in, garbage out) the crash
might still point towards a real bug, which is why I'm attaching a
script that demonstrates the crash. When I execute the script with the
following command I first get an E339 prompt and then Vim crashes with a
segmentation fault:
$ vim -u NONE --noplugin -NS crash.vim
Error detected while processing function <SNR>1_VimCrashOnRegexEval:
line 14:
E339: Pattern too long
Vim: Caught deadly signal SEGV
Vim: Finished.
I'm also attaching a backtrace from GDB and the output of Valgrind,
which tell me that Vim crashes because of a NULL pointer dereference at
regexp.c:4730 in the latest Vim 7.3 source. I've tried reasoning about
this but regmatch() is far too complex for my comprehension at the
moment :-)
- Peter Odding
" Reproducer: build one large search pattern from the names in {tags} and run
" it as a forward search with :execute.
"
" For every name the pattern starts with {prefix}, which matches either 's:'
" or '<SID>' (any letter case), followed by the name's tokens. Each piece is
" wrapped by s:IgnoreHTML() so that it also matches when enclosed in an HTML
" tag. The per-name patterns are joined with \| into a single alternation.
"
" Tokens are inserted into the pattern verbatim: the only escaping is the
" final escape(..., '~/'), which covers '~' and '/' but not '[', '*', '.' or
" '\'. That is the plug-in bug the message describes; code that builds a
" pattern from arbitrary names should escape pattern metacharacters in each
" token before concatenating.
"
" NOTE(review): the 'let long' assignment is split over two lines without a
" leading backslash, which looks like mail wrapping - rejoin before sourcing.
" NOTE(review): the split() pattern contains '...@', which looks like the
" archive's e-mail address obfuscation; the original pattern cannot be
" recovered from this page - confirm against the original attachment.
" NOTE(review): in the transcript on this page E339 is reported for line 14
" of this function, which is the :execute line once the wrapped 'let long'
" line is rejoined; the SEGV backtrace is reached from VimEnter autocommand
" pattern matching in main(), not directly from this search.
function! s:VimCrashOnRegexEval(tags)
let patterns = []
let short = s:IgnoreHTML('s') . s:IgnoreHTML(':')
let long = s:IgnoreHTML('<') . s:IgnoreHTML('[Ss][Ii][Dd]') .
s:IgnoreHTML('>')
let prefix = '\%(' . short . '\|' . long . '\)'
for name in a:tags
let tokens = [prefix]
for token in split(name, '\...@=\|\W\@<=')
" The bug in my original code was that I didn't escape special pattern characters in
" {token} before adding it to {tokens}, but that doesn't mean Vim should crash :-(
call add(tokens, s:IgnoreHTML(token))
endfor
call add(patterns, join(tokens, ''))
endfor
execute '/' . escape(join(patterns, '\|'), '~/')
endfunction
function! s:IgnoreHTML(s)
  " Return a non-capturing group \%(...\) with two alternatives: {s} enclosed
  " in an opening tag ('<' not followed by '/') and a closing tag, or {s} on
  " its own. {s} is inserted as a pattern fragment without any escaping, so
  " callers must escape metacharacters themselves when {s} is literal text.
  let l:template = '\%%(<[^/][^>]*>%s</[^>]\+>\|%s\)'
  let l:group = printf(l:template, a:s, a:s)
  return l:group
endfunction
" Invoke the reproducer with a fixed list of identifiers and key names.
" Several entries contain characters that have special meaning in a Vim
" pattern ('[', '*', '.') and reach the generated pattern unescaped, for
" example '<Esc>[A', '<Esc>[23~', '***' and '...'.
" NOTE(review): the lines below that do not start with a backslash look like
" mail-wrapped tails of the preceding continuation line - rejoin them before
" sourcing; confirm against the original attachment.
call s:VimCrashOnRegexEval(['s:msg', 'g:loaded_publish', 'foreach_window',
's:ei_save',
\ 's:loaded_scripts', 'tex_fold_enabled', 'g:timer_verbosity', '<Tab>',
'reload_colors',
\ 'b:luainspect_syntax_error', 'g:easytags_resolve_links', 's:hif_save',
'unresolve_scriptname',
\ 'g:easytags_always_enabled', '<Home>', 'session#get_names', 's:directory',
'session#save_cmd',
\ 's:stal_save', 'session#auto_dirty_check', 'persist_special_windows',
'<C-Down>',
\ 'b:luainspect_input', 'ignore_html', 's:ctags_filetypes',
'session#close_cmd', 's:object_methods',
\ 'xolox#timer#stop', 'easytags#highlight', 'g:session_autoload',
'g:publish_omit_dothtml',
\ 'save_plugin_window', 'netrw_hide', 'prep_cmdline', 's:cached_contents',
'g:lua_inspect_internal',
\ 'java_allow_cpp_keywords', 'open_at_cursor', 'luainspect#make_request',
'library_call',
\ 'xolox#debug', 'publish#run_rsync', 'easytags#get_tagsfile', 's:script',
'session#auto_load',
\ 'g:reload_on_write', 'easytags#read_tagsfile', 'publish#html_encode',
'<Left>', 's:tagged_files',
\ 'easytags#update', 'xolox#path#absolute', 'easytags#map_filetypes',
'rename_variable',
\ 'publish#rsync_check', 'tex_flavor', '<Right>', 's:lock_files',
's:library_version', '<F11>',
\ 'g:html_ignore_folding', 's:has_reltime', 'g:html_number_lines',
'g:easytags_on_cursorhold',
\ 'save_qflist', 'g:easytags_autorecurse', 'find_tagged_files',
's:changed_path', 's:enoimpl',
\ 'escape_tags', 'g:loaded_session', 'xolox#timer#start', 'get_name',
'g:easytags_ignored_filetypes',
\ 'xolox#shell#open_cmd', 'xolox#quote_pattern', 'xolox#shell#execute',
'convert_value',
\ 'xolox#unique', 'session#path_to_name', '<Esc>[A', 'session#open_cmd',
'python_highlight_all',
\ '<A-Right>', 's:files_to_publish', 'define_default_styles',
's:supported_filetypes',
\ 'xolox#option#join', 's:loclist_to_window', 'session#delete_cmd',
'<Esc>[23~', 'session#save_state',
\ '<Del>', 'vimsyn_noerror', 'publish#find_tags', 'reload_indent',
'xolox#shell#open_with',
\ 's:cached_filenames', 'xolox#reload#script', 'g:easytags_ctags_version',
'g:html_use_css',
\ 'clear_previous_matches', 'is_windows', 'session#save_colors', 'select_name',
\ 's:reload_script_active', 'session_is_locked', 'session#auto_unlock',
'set_tagged_files',
\ 'publish#create_subst_cmd', 'jump_to_window', 's:smd_save',
'g:xolox_message_buffer',
\ 'xolox#option#split_tags', 'g:easytags_cmd', 'xolox#path#equals', '<C-Up>',
'xolox#path#join',
\ 'xolox#warning', 's:hnl_save', 's:mls_save', 's:reloading_buffers',
's:aliases',
\ 'xolox#shell#fullscreen', 's:vim_filetypes', 'b:luainspect_warnings',
'cache_tagged_files',
\ 'easytags#autoload', 's:fullscreen_enabled', 'session#save_session',
'<A-Left>', 'xolox#message',
\ 's:units', 'session#restart_cmd', 'g:timer_enabled', 's:contact',
'easytags#define_tagkind',
\ 'xolox#path#decode', '***', 'handle_error', 'reload_ftplugin',
'g:lua_inspect_warnings',
\ 's:session_is_dirty', 'xolox#shell#open_url', 'parse_scriptnames',
'session#save_features',
\ 'check_output', 'session#complete_names', '<C-S-PageUp>',
'xolox#path#relative', '<F3>',
\ 'b:easytags_last_highlighted', 'reload_message', 'update_warnings',
's:canonical_aliases',
\ 'reload_plugin', 's:go_toggled', 'publish#customize_html',
'g:shell_open_cmds', 'check_cfile',
\ 'run_ctags', '<C-S-PageDown>', 'g:loaded_luainspect',
'xolox#timer#format_timespan',
\ 'luainspect#highlight_cmd', 'xolox#reload#open_readonly',
'easytags#to_ctags_ft', 'pattern_to_lnum',
\ 'unlock_session', 'c_syntax_for_h', 'g:shell_fullscreen_items',
's:current_source_directory',
\ 'publish#create_dirs', 'reload_autoload', 'prepare_search_path',
's:viml_sl_prefix', 's:ruler_save',
\ 'is_bash', 'xolox#reload#windows', 'g:loaded_pyref', 's:cpo_save',
'has_dll', 'xolox#path#tempdir',
\ 'g:lua_inspect_events', 's:auto_reload_active', 'xolox#option#join_tags',
'highlight_variables',
\ 'xolox#escape#pattern', 'easytags#file_has_tags', 'check_filetype',
's:scripttypes',
\ 'script_sourced', 'b:luainspect_disabled', 'luainspect#auto_enable',
'<c-]>', '<F5>',
\ 'session#view_cmd', 'xolox#path#commonprefix', 'g:easytags_include_members',
'g:session_autosave',
\ 'lock_session', 's:more_save', 's:huc_save', 'easytags#alias_filetypes',
'g:pyref_browser',
\ 'g:publish_viml_sl_hack', 's:tempdir_counter',
'easytags#supported_filetypes',
\ 'easytags#add_tagged_file', 'unescape_tags', 'filter_merge_tags',
'b:luainspect_output',
\ 'g:xolox_messages', 'xolox#shell#highlight_urls', 'session#auto_save',
'find_dll_version',
\ 's:window_to_info', 'b:easytags_nohl', 'easytags#write_tagsfile',
'g:loaded_easytags',
\ 'reload_buffers', '<F6>', 'reload_syntax', 'xolox#shell#is_fullscreen',
'publish#prep_env',
\ 's:groups', '<BS>', 'highlight_position', 's:tagkinds', 's:cached_layouts',
's:saved_qflist',
\ 'session#name_to_path', 'balloon_syntax', 'parse_text', 'xolox#path#merge',
'g:pyref_mapping',
\ 'publish#resolve_files', 'session#save_fullscreen',
'g:shell_mappings_enabled', 'xolox#path#encode',
\ 'reload_window', 'clear_message', 'xolox#escape#substitute',
'easytags#to_vim_ft',
\ 'xolox#option#split', 's:tags_to_publish', '...', 's:windows_compatible',
'g:publish_plaintext',
\ 'foreach_tabpage', 'xolox#shell#build_cmd', 'session#save_qflist',
'xolox#path#split'])
pe...@laptop> gdb --args /usr/local/bin/gvim -fu NONE --noplugin -NS crash.vim
GNU gdb (GDB) 7.0-ubuntu
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/gvim...done.
(gdb) r
Starting program: /usr/local/bin/gvim -fu NONE --noplugin -NS crash.vim
[Thread debugging using libthread_db enabled]
(gvim:4029): GLib-WARNING **: g_set_prgname() called multiple times
Program received signal SIGSEGV, Segmentation fault.
0x0000000000564107 in regmatch (scan=0x97743a "\003") at regexp.c:4730
4730 if (OP(next) != BRANCH) /* No choice. */
(gdb) where
#0 0x0000000000564107 in regmatch (scan=0x97743a "\003") at regexp.c:4730
#1 0x0000000000561c50 in regtry (prog=0x977420, col=0) at regexp.c:3711
#2 0x0000000000561a17 in vim_regexec_both (line=0xb93d50 "", col=0, tm=0x0) at
regexp.c:3600
#3 0x0000000000561342 in vim_regexec (rmp=0x7fffffffdf30, line=0xb93d50 "",
col=0) at regexp.c:3347
#4 0x00000000004c0d5d in match_file_pat (pattern=0x0, prog=0x977420,
fname=0xb93d50 "", sfname=0x0, tail=0xb93d50 "", allow_dirs=0) at fileio.c:10003
#5 0x00000000004c035e in auto_next_pat (apc=0x7fffffffe080, stop_at_last=0) at
fileio.c:9525
#6 0x00000000004bff4a in apply_autocmds_group (event=EVENT_VIMENTER,
fname=0xb93d50 "", fname_io=0x0, force=0, group=-3, buf=0x8a1990, eap=0x0) at
fileio.c:9358
#7 0x00000000004bf860 in apply_autocmds (event=EVENT_VIMENTER, fname=0x0,
fname_io=0x0, force=0, buf=0x8a1990) at fileio.c:8994
#8 0x00000000004dc1dc in main (argc=6, argv=0x7fffffffe438) at main.c:903
==4179== Memcheck, a memory error detector
==4179== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==4179== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info
==4179== Command: /usr/local/bin/gvim -fu NONE --noplugin -NS crash.vim
==4179== Parent PID: 2796
==4179==
==4179== Syscall param write(buf) points to uninitialised byte(s)
==4179== at 0xA6BA020: __write_nocancel (in /lib/libc-2.10.1.so)
==4179== by 0xB0A3CFE: ??? (in /usr/lib/libICE.so.6.3.0)
==4179== by 0xB0A858F: _IceWrite (in /usr/lib/libICE.so.6.3.0)
==4179== by 0xB0A8673: IceFlush (in /usr/lib/libICE.so.6.3.0)
==4179== by 0x72BE9DD: ??? (in /usr/lib/libgnomeui-2.so.0.2400.2)
==4179== by 0x72BF839: ??? (in /usr/lib/libgnomeui-2.so.0.2400.2)
==4179== by 0x72C25F2: ??? (in /usr/lib/libgnomeui-2.so.0.2400.2)
==4179== by 0x6B8C5AD: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.2200.3)
==4179== by 0x6BA129B: ??? (in /usr/lib/libgobject-2.0.so.0.2200.3)
==4179== by 0x6BA2D38: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.2200.3)
==4179== by 0x6BA3282: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2200.3)
==4179== by 0x72C108E: gnome_client_connect (in /usr/lib/libgnomeui-2.so.0.2400.2)
==4179== Address 0x12f5e29c is 12 bytes inside a block of size 1,024 alloc'd
==4179== at 0x4C24477: calloc (vg_replace_malloc.c:418)
==4179== by 0xB0A0A98: IceOpenConnection (in /usr/lib/libICE.so.6.3.0)
==4179== by 0xAE9492A: SmcOpenConnection (in /usr/lib/libSM.so.6.0.0)
==4179== by 0x72C100C: gnome_client_connect (in /usr/lib/libgnomeui-2.so.0.2400.2)
==4179== by 0x72C21CC: ??? (in /usr/lib/libgnomeui-2.so.0.2400.2)
==4179== by 0x7C46E0D: gnome_program_postinit (in /usr/lib/libgnome-2.so.0.2800.0)
==4179== by 0x7C4724B: ??? (in /usr/lib/libgnome-2.so.0.2800.0)
==4179== by 0x7C4750C: gnome_program_initv (in /usr/lib/libgnome-2.so.0.2800.0)
==4179== by 0x7C47609: gnome_program_init (in /usr/lib/libgnome-2.so.0.2800.0)
==4179== by 0x5EE18C: gui_mch_init (gui_gtk_x11.c:3113)
==4179== by 0x5DED82: gui_init (gui.c:459)
==4179== by 0x5C409B: set_termname (term.c:1845)
==4179==
--4179-- WARNING: unhandled syscall: 294
--4179-- You may be able to write your own handler.
--4179-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--4179-- Nevertheless we consider this a bug. Please report
--4179-- it at http://valgrind.org/support/bug_reports.html.
==4179== Invalid read of size 1
==4179== at 0x564107: regmatch (regexp.c:4730)
==4179== by 0x561C4F: regtry (regexp.c:3711)
==4179== by 0x561A16: vim_regexec_both (regexp.c:3600)
==4179== by 0x561341: vim_regexec (regexp.c:3347)
==4179== by 0x4C0D5C: match_file_pat (fileio.c:10003)
==4179== by 0x4C035D: auto_next_pat (fileio.c:9525)
==4179== by 0x4BFF49: apply_autocmds_group (fileio.c:9358)
==4179== by 0x4BF85F: apply_autocmds (fileio.c:8994)
==4179== by 0x4DC1DB: main (main.c:903)
==4179== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4179==
==4179==
==4179== HEAP SUMMARY:
==4179== in use at exit: 2,764,181 bytes in 25,924 blocks
==4179== total heap usage: 187,385 allocs, 161,461 frees, 38,301,889 bytes allocated
==4179==
==4179== LEAK SUMMARY:
==4179== definitely lost: 14,194 bytes in 124 blocks
==4179== indirectly lost: 22,224 bytes in 697 blocks
==4179== possibly lost: 1,666,424 bytes in 15,810 blocks
==4179== still reachable: 1,061,339 bytes in 9,293 blocks
==4179== suppressed: 0 bytes in 0 blocks
==4179== Rerun with --leak-check=full to see details of leaked memory
==4179==
==4179== For counts of detected and suppressed errors, rerun with: -v
==4179== Use --track-origins=yes to see where uninitialised values come from
==4179== ERROR SUMMARY: 7 errors from 2 contexts (suppressed: 10 from 7)