On Sep 5, 3:33 am, Peter Odding <[email protected]> wrote:
> The regex is a 77 KB monstrosity that's supposed to match a predefined
> set of strings in 2html.vim output and is complicated by the fact that
> it also matches strings with embedded HTML tags. The regex is corrupt
> because of a bug in my plug-in; I forgot to escape special characters
> like [.
I can reproduce this crash with a much simpler, valid regex, so it does not depend on the corrupt pattern:
$ vim -Ngfu NONE --noplugin -c "execute '/' . repeat('a\|', 9000) . 'a'"
Vim: Caught deadly signal SEGV
On my machine, it crashes with 9000 but not with 8000 repetitions.
> I'm also attaching a backtrace from GDB and the output of Valgrind,
> which tell me that Vim crashes because of a NULL pointer dereference at
> regexp.c:4730 in the latest Vim 7.3 source. I've tried reasoning about
> this but regmatch() is far too complex for my comprehension at the
> moment :-)
My backtrace is exactly the same:
(gdb) bt
#0 0x000000000055a545 in regmatch (scan=0x953cba "\003") at regexp.c:4730
#1 0x0000000000557dd5 in regtry (prog=0x953ca0, col=0) at regexp.c:3711
#2 0x0000000000557b9c in vim_regexec_both (line=0xabe7c0 "", col=0, tm=0x0) at regexp.c:3600
#3 0x00000000005574c7 in vim_regexec (rmp=0x7fffffffdd00, line=0xabe7c0 "", col=0) at regexp.c:3347
#4 0x00000000004b85cd in match_file_pat (pattern=0x0, prog=0x953ca0, fname=0xabe7c0 "", sfname=0x0, tail=0xabe7c0 "", allow_dirs=0) at fileio.c:10003
#5 0x00000000004b7bd2 in auto_next_pat (apc=0x7fffffffde50, stop_at_last=0) at fileio.c:9525
#6 0x00000000004b77d8 in apply_autocmds_group (event=EVENT_VIMENTER, fname=0xabe7c0 "", fname_io=0x0, force=0, group=-3, buf=0x88c150, eap=0x0) at fileio.c:9358
#7 0x00000000004b7108 in apply_autocmds (event=EVENT_VIMENTER, fname=0x0, fname_io=0x0, force=0, buf=0x88c150) at fileio.c:8994
#8 0x00000000004d3973 in main (argc=6, argv=0x7fffffffe1e8) at main.c:903
Carlo
(I attempted to post this message earlier but it somehow didn't make
it through)
>
> - Peter Odding
>
> [crash.vim 5K]
> function! s:VimCrashOnRegexEval(tags)
> let patterns = []
> let short = s:IgnoreHTML('s') . s:IgnoreHTML(':')
> let long = s:IgnoreHTML('<') . s:IgnoreHTML('[Ss][Ii][Dd]') .
> s:IgnoreHTML('>')
> let prefix = '\%(' . short . '\|' . long . '\)'
> for name in a:tags
> let tokens = [prefix]
> for token in split(name, '\...@=\|\W\@<=')
> " The bug in my original code was that I didn't escape special pattern characters in
> " {token} before adding it to {tokens}, but that doesn't mean Vim should crash :-(
> call add(tokens, s:IgnoreHTML(token))
> endfor
> call add(patterns, join(tokens, ''))
> endfor
> execute '/' . escape(join(patterns, '\|'), '~/')
> endfunction
>
> function! s:IgnoreHTML(s)
> return printf('\%%(<[^/][^>]*>%s</[^>]\+>\|%s\)', a:s, a:s)
> endfunction
>
> call s:VimCrashOnRegexEval(['s:msg', 'g:loaded_publish', 'foreach_window',
> 's:ei_save',
> \ 's:loaded_scripts', 'tex_fold_enabled', 'g:timer_verbosity', '<Tab>',
> 'reload_colors',
> \ 'b:luainspect_syntax_error', 'g:easytags_resolve_links', 's:hif_save',
> 'unresolve_scriptname',
> \ 'g:easytags_always_enabled', '<Home>', 'session#get_names', 's:directory',
> 'session#save_cmd',
> \ 's:stal_save', 'session#auto_dirty_check', 'persist_special_windows',
> '<C-Down>',
> \ 'b:luainspect_input', 'ignore_html', 's:ctags_filetypes',
> 'session#close_cmd', 's:object_methods',
> \ 'xolox#timer#stop', 'easytags#highlight', 'g:session_autoload',
> 'g:publish_omit_dothtml',
> \ 'save_plugin_window', 'netrw_hide', 'prep_cmdline', 's:cached_contents',
> 'g:lua_inspect_internal',
> \ 'java_allow_cpp_keywords', 'open_at_cursor', 'luainspect#make_request',
> 'library_call',
> \ 'xolox#debug', 'publish#run_rsync', 'easytags#get_tagsfile', 's:script',
> 'session#auto_load',
> \ 'g:reload_on_write', 'easytags#read_tagsfile', 'publish#html_encode',
> '<Left>', 's:tagged_files',
> \ 'easytags#update', 'xolox#path#absolute', 'easytags#map_filetypes',
> 'rename_variable',
> \ 'publish#rsync_check', 'tex_flavor', '<Right>', 's:lock_files',
> 's:library_version', '<F11>',
> \ 'g:html_ignore_folding', 's:has_reltime', 'g:html_number_lines',
> 'g:easytags_on_cursorhold',
> \ 'save_qflist', 'g:easytags_autorecurse', 'find_tagged_files',
> 's:changed_path', 's:enoimpl',
> \ 'escape_tags', 'g:loaded_session', 'xolox#timer#start', 'get_name',
> 'g:easytags_ignored_filetypes',
> \ 'xolox#shell#open_cmd', 'xolox#quote_pattern', 'xolox#shell#execute',
> 'convert_value',
> \ 'xolox#unique', 'session#path_to_name', '<Esc>[A', 'session#open_cmd',
> 'python_highlight_all',
> \ '<A-Right>', 's:files_to_publish', 'define_default_styles',
> 's:supported_filetypes',
> \ 'xolox#option#join', 's:loclist_to_window', 'session#delete_cmd',
> '<Esc>[23~', 'session#save_state',
> \ '<Del>', 'vimsyn_noerror', 'publish#find_tags', 'reload_indent',
> 'xolox#shell#open_with',
> \ 's:cached_filenames', 'xolox#reload#script', 'g:easytags_ctags_version',
> 'g:html_use_css',
> \ 'clear_previous_matches', 'is_windows', 'session#save_colors',
> 'select_name',
> \ 's:reload_script_active', 'session_is_locked', 'session#auto_unlock',
> 'set_tagged_files',
> \ 'publish#create_subst_cmd', 'jump_to_window', 's:smd_save',
> 'g:xolox_message_buffer',
> \ 'xolox#option#split_tags', 'g:easytags_cmd', 'xolox#path#equals',
> '<C-Up>', 'xolox#path#join',
> \ 'xolox#warning', 's:hnl_save', 's:mls_save', 's:reloading_buffers',
> 's:aliases',
> \ 'xolox#shell#fullscreen', 's:vim_filetypes', 'b:luainspect_warnings',
> 'cache_tagged_files',
> \ 'easytags#autoload', 's:fullscreen_enabled', 'session#save_session',
> '<A-Left>', 'xolox#message',
> \ 's:units', 'session#restart_cmd', 'g:timer_enabled', 's:contact',
> 'easytags#define_tagkind',
> \ 'xolox#path#decode', '***', 'handle_error', 'reload_ftplugin',
> 'g:lua_inspect_warnings',
> \ 's:session_is_dirty', 'xolox#shell#open_url', 'parse_scriptnames',
> 'session#save_features',
> \ 'check_output', 'session#complete_names', '<C-S-PageUp>',
> 'xolox#path#relative', '<F3>',
> \ 'b:easytags_last_highlighted', 'reload_message', 'update_warnings',
> 's:canonical_aliases',
> \ 'reload_plugin', 's:go_toggled', 'publish#customize_html',
> 'g:shell_open_cmds', 'check_cfile',
> \ 'run_ctags', '<C-S-PageDown>', 'g:loaded_luainspect',
> 'xolox#timer#format_timespan',
> \ 'luainspect#highlight_cmd', 'xolox#reload#open_readonly',
> 'easytags#to_ctags_ft', 'pattern_to_lnum',
> \ 'unlock_session', 'c_syntax_for_h', 'g:shell_fullscreen_items',
> 's:current_source_directory',
> \ 'publish#create_dirs', 'reload_autoload', 'prepare_search_path',
> 's:viml_sl_prefix', 's:ruler_save',
> \ 'is_bash', 'xolox#reload#windows', 'g:loaded_pyref', 's:cpo_save',
> 'has_dll', 'xolox#path#tempdir',
> \ 'g:lua_inspect_events', 's:auto_reload_active', 'xolox#option#join_tags',
> 'highlight_variables',
> \ 'xolox#escape#pattern', 'easytags#file_has_tags', 'check_filetype',
> 's:scripttypes',
> \ 'script_sourced', 'b:luainspect_disabled', 'luainspect#auto_enable',
> '<c-]>', '<F5>',
> \ 'session#view_cmd', 'xolox#path#commonprefix',
> 'g:easytags_include_members', 'g:session_autosave',
> \ 'lock_session', 's:more_save', 's:huc_save', 'easytags#alias_filetypes',
> 'g:pyref_browser',
> \ 'g:publish_viml_sl_hack', 's:tempdir_counter',
> 'easytags#supported_filetypes',
> \ 'easytags#add_tagged_file', 'unescape_tags', 'filter_merge_tags',
> 'b:luainspect_output',
> \ 'g:xolox_messages', 'xolox#shell#highlight_urls', 'session#auto_save',
> 'find_dll_version',
> \ 's:window_to_info', 'b:easytags_nohl', 'easytags#write_tagsfile',
> 'g:loaded_easytags',
> \ 'reload_buffers', '<F6>', 'reload_syntax', 'xolox#shell#is_fullscreen',
> 'publish#prep_env',
> \ 's:groups', '<BS>', 'highlight_position', 's:tagkinds',
> 's:cached_layouts', 's:saved_qflist',
> \ 'session#name_to_path', 'balloon_syntax', 'parse_text',
> 'xolox#path#merge', 'g:pyref_mapping',
> \ 'publish#resolve_files', 'session#save_fullscreen',
> 'g:shell_mappings_enabled', 'xolox#path#encode',
> \ 'reload_window', 'clear_message', 'xolox#escape#substitute',
> 'easytags#to_vim_ft',
> \ 'xolox#option#split', 's:tags_to_publish', '...', 's:windows_compatible',
> 'g:publish_plaintext',
> \ 'foreach_tabpage', 'xolox#shell#build_cmd', 'session#save_qflist',
> 'xolox#path#split'])
>
> [gdb.txt 1K]
> pe...@laptop> gdb --args /usr/local/bin/gvim -fu NONE --noplugin -NS crash.vim
> GNU gdb (GDB) 7.0-ubuntu
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /usr/local/bin/gvim...done.
> (gdb) r
> Starting program: /usr/local/bin/gvim -fu NONE --noplugin -NS crash.vim
> [Thread debugging using libthread_db enabled]
>
> (gvim:4029): GLib-WARNING **: g_set_prgname() called multiple times
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000564107 in regmatch (scan=0x97743a "\003") at regexp.c:4730
> 4730 if (OP(next) != BRANCH) /* No choice. */
> (gdb) where
> #0 0x0000000000564107 in regmatch (scan=0x97743a "\003") at regexp.c:4730
> #1 0x0000000000561c50 in regtry (prog=0x977420, col=0) at regexp.c:3711
> #2 0x0000000000561a17 in vim_regexec_both (line=0xb93d50 "", col=0, tm=0x0)
> at regexp.c:3600
> #3 0x0000000000561342 in vim_regexec (rmp=0x7fffffffdf30, line=0xb93d50 "",
> col=0) at regexp.c:3347
> #4 0x00000000004c0d5d in match_file_pat (pattern=0x0, prog=0x977420,
> fname=0xb93d50 "", sfname=0x0, tail=0xb93d50 "", allow_dirs=0) at
> fileio.c:10003
> #5 0x00000000004c035e in auto_next_pat (apc=0x7fffffffe080, stop_at_last=0)
> at fileio.c:9525
> #6 0x00000000004bff4a in apply_autocmds_group (event=EVENT_VIMENTER,
> fname=0xb93d50 "", fname_io=0x0, force=0, group=-3, buf=0x8a1990, eap=0x0) at
> fileio.c:9358
> #7 0x00000000004bf860 in apply_autocmds (event=EVENT_VIMENTER, fname=0x0,
> fname_io=0x0, force=0, buf=0x8a1990) at fileio.c:8994
> #8 0x00000000004dc1dc in main (argc=6, argv=0x7fffffffe438) at main.c:903
>
> [valgrind.log 3K]