I believe I've got a patch for this (see below).

First, if you look at the stacktrace in some detail in gdb, you'll see
that this error occurs while matching regexp ".*" against the current
filename ("" in this case) during autocmd execution. The crash occurs
because in line 4730, 'next' is null. In line 3888, 'next' is the
result of calling regnext(). regnext() returns NULL because global
variable reg_toolong is TRUE. But of course the pattern ".*" is not
too long - instead, the flag is a stale value left over from the
evaluation of the previous very long regexp ("a\|a\|a...").

This confusion occurs because regnext() is used both in compilation
and evaluation of regexes. Its behaviour of returning NULL if
reg_toolong is TRUE really only makes sense during compilation. The
easiest way to fix it is to just set reg_toolong to FALSE before
starting regexp evaluation, as in my patch. (It can only ever be set
to TRUE during the compilation phase.)

Carlo


diff --git a/src/regexp.c b/src/regexp.c
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -3339,6 +3339,7 @@ vim_regexec(rmp, line, col)
     reg_maxline = 0;
     reg_line_lbr = FALSE;
     reg_win = NULL;
+    reg_toolong = FALSE;
     ireg_ic = rmp->rm_ic;
 #ifdef FEAT_MBYTE
     ireg_icombine = FALSE;
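Review bot: The added `reg_toolong = FALSE;` in vim_regexec() carries no comment, and the same bare line is repeated in the vim_regexec_nl() and vim_regexec_multi() hunks, so the reason a compile-time flag is cleared at match time is easy to lose in a later cleanup. I would put `/* A failed compile may leave reg_toolong set; regnext() would then return NULL while matching. */` above it. The posted backtrace shows vim_regexec() calling vim_regexec_both(); if the other two entry points also go through it (not visible here), a single reset there would keep a future entry point from missing it. The reset clears the stale state, but regmatch() still appears to use regnext()'s result unchecked at the reported line, so a NULL check there would be worthwhile hardening against any other path that leaves the flag set. All three function bodies continue outside their hunks.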
@@ -3363,6 +3364,7 @@ vim_regexec_nl(rmp, line, col)
     reg_maxline = 0;
     reg_line_lbr = TRUE;
     reg_win = NULL;
+    reg_toolong = FALSE;
     ireg_ic = rmp->rm_ic;
 #ifdef FEAT_MBYTE
     ireg_icombine = FALSE;
@@ -3399,6 +3401,7 @@ vim_regexec_multi(rmp, win, buf, lnum, c
     reg_firstlnum = lnum;
     reg_maxline = reg_buf->b_ml.ml_line_count - lnum;
     reg_line_lbr = FALSE;
+    reg_toolong = FALSE;
     ireg_ic = rmp->rmm_ic;
 #ifdef FEAT_MBYTE
     ireg_icombine = FALSE;

On 11 Sep, 17:09, Carlo <carlo.teub...@gmail.com> wrote:
> On Sep 5, 3:33 am, Peter Odding <pe...@peterodding.com> wrote:
>
> > The regex is a 77 KB monstrosity that's supposed to match a predefined
> > set of strings in 2html.vim output and is complicated by the fact that
> > it also matches strings with embedded HTML tags. The regex is corrupt
> > because of a bug in my plug-in; I forgot to escape special characters
> > like [.
>
> I can reproduce this crash with a much simpler, valid, regex:
>
> $ vim -Ngfu NONE --noplugin -c "execute '/' . repeat('a\|', 9000) .
> 'a'"
> Vim: Caught deadly signal SEGV
>
> On my machine, it crashes with 9000 but not with 8000 repetitions.
>
> > I'm also attaching a backtrace from GDB and the output of Valgrind,
> > which tell me that Vim crashes because of a NULL pointer dereference at
> > regexp.c:4730 in the latest Vim 7.3 source. I've tried reasoning about
> > this but regmatch() is far too complex for my comprehension at the
> > moment :-)
>
> My backtrace is exactly the same:
>
> (gdb) bt
> #0  0x000000000055a545 in regmatch (scan=0x953cba "\003") at regexp.c:
> 4730
> #1  0x0000000000557dd5 in regtry (prog=0x953ca0, col=0) at regexp.c:
> 3711
> #2  0x0000000000557b9c in vim_regexec_both (line=0xabe7c0 "", col=0,
> tm=0x0) at regexp.c:3600
> #3  0x00000000005574c7 in vim_regexec (rmp=0x7fffffffdd00,
> line=0xabe7c0 "", col=0) at regexp.c:3347
> #4  0x00000000004b85cd in match_file_pat (pattern=0x0, prog=0x953ca0,
> fname=0xabe7c0 "", sfname=0x0, tail=
>     0xabe7c0 "", allow_dirs=0) at fileio.c:10003
> #5  0x00000000004b7bd2 in auto_next_pat (apc=0x7fffffffde50,
> stop_at_last=0) at fileio.c:9525
> #6  0x00000000004b77d8 in apply_autocmds_group (event=EVENT_VIMENTER,
> fname=0xabe7c0 "", fname_io=0x0, force=0,
>     group=-3, buf=0x88c150, eap=0x0) at fileio.c:9358
> #7  0x00000000004b7108 in apply_autocmds (event=EVENT_VIMENTER,
> fname=0x0, fname_io=0x0, force=0, buf=0x88c150)
>     at fileio.c:8994
> #8  0x00000000004d3973 in main (argc=6, argv=0x7fffffffe1e8) at main.c:
> 903
>
> Carlo
>
> (I attempted to post this message earlier but it somehow didn't make
> it through)
>
>
>
> >   - Peter Odding
>
> > [crash.vim5K ]function! s:VimCrashOnRegexEval(tags)
> >   let patterns = []
> >   let short = s:IgnoreHTML('s') . s:IgnoreHTML(':')
> >   let long = s:IgnoreHTML('&lt;') . s:IgnoreHTML('[Ss][Ii][Dd]') . 
> > s:IgnoreHTML('&gt;')
> >   let prefix = '\%(' . short . '\|' . long . '\)'
> >   for name in a:tags
> >     let tokens = [prefix]
> >     for token in split(name, '\...@=\|\W\@<=')
> >       " The bug in my original code was that I didn't escape special 
> > pattern characters in
> >       " {token} before adding it to {tokens}, but that doesn't mean Vim 
> > should crash :-(
> >       call add(tokens, s:IgnoreHTML(token))
> >     endfor
> >     call add(patterns, join(tokens, ''))
> >   endfor
> >   execute '/' . escape(join(patterns, '\|'), '~/')
> > endfunction
>
> > function! s:IgnoreHTML(s)
> >   return printf('\%%(<[^/][^>]*>%s</[^>]\+>\|%s\)', a:s, a:s)
> > endfunction
>
> > call s:VimCrashOnRegexEval(['s:msg', 'g:loaded_publish', 'foreach_window', 
> > 's:ei_save',
> >  \ 's:loaded_scripts', 'tex_fold_enabled', 'g:timer_verbosity', '<Tab>', 
> > 'reload_colors',
> >  \ 'b:luainspect_syntax_error', 'g:easytags_resolve_links', 's:hif_save', 
> > 'unresolve_scriptname',
> >  \ 'g:easytags_always_enabled', '<Home>', 'session#get_names', 
> > 's:directory', 'session#save_cmd',
> >  \ 's:stal_save', 'session#auto_dirty_check', 'persist_special_windows', 
> > '<C-Down>',
> >  \ 'b:luainspect_input', 'ignore_html', 's:ctags_filetypes', 
> > 'session#close_cmd', 's:object_methods',
> >  \ 'xolox#timer#stop', 'easytags#highlight', 'g:session_autoload', 
> > 'g:publish_omit_dothtml',
> >  \ 'save_plugin_window', 'netrw_hide', 'prep_cmdline', 's:cached_contents', 
> > 'g:lua_inspect_internal',
> >  \ 'java_allow_cpp_keywords', 'open_at_cursor', 'luainspect#make_request', 
> > 'library_call',
> >  \ 'xolox#debug', 'publish#run_rsync', 'easytags#get_tagsfile', 's:script', 
> > 'session#auto_load',
> >  \ 'g:reload_on_write', 'easytags#read_tagsfile', 'publish#html_encode', 
> > '<Left>', 's:tagged_files',
> >  \ 'easytags#update', 'xolox#path#absolute', 'easytags#map_filetypes', 
> > 'rename_variable',
> >  \ 'publish#rsync_check', 'tex_flavor', '<Right>', 's:lock_files', 
> > 's:library_version', '<F11>',
> >  \ 'g:html_ignore_folding', 's:has_reltime', 'g:html_number_lines', 
> > 'g:easytags_on_cursorhold',
> >  \ 'save_qflist', 'g:easytags_autorecurse', 'find_tagged_files', 
> > 's:changed_path', 's:enoimpl',
> >  \ 'escape_tags', 'g:loaded_session', 'xolox#timer#start', 'get_name', 
> > 'g:easytags_ignored_filetypes',
> >  \ 'xolox#shell#open_cmd', 'xolox#quote_pattern', 'xolox#shell#execute', 
> > 'convert_value',
> >  \ 'xolox#unique', 'session#path_to_name', '<Esc>[A', 'session#open_cmd', 
> > 'python_highlight_all',
> >  \ '<A-Right>', 's:files_to_publish', 'define_default_styles', 
> > 's:supported_filetypes',
> >  \ 'xolox#option#join', 's:loclist_to_window', 'session#delete_cmd', 
> > '<Esc>[23~', 'session#save_state',
> >  \ '<Del>', 'vimsyn_noerror', 'publish#find_tags', 'reload_indent', 
> > 'xolox#shell#open_with',
> >  \ 's:cached_filenames', 'xolox#reload#script', 'g:easytags_ctags_version', 
> > 'g:html_use_css',
> >  \ 'clear_previous_matches', 'is_windows', 'session#save_colors', 
> > 'select_name',
> >  \ 's:reload_script_active', 'session_is_locked', 'session#auto_unlock', 
> > 'set_tagged_files',
> >  \ 'publish#create_subst_cmd', 'jump_to_window', 's:smd_save', 
> > 'g:xolox_message_buffer',
> >  \ 'xolox#option#split_tags', 'g:easytags_cmd', 'xolox#path#equals', 
> > '<C-Up>', 'xolox#path#join',
> >  \ 'xolox#warning', 's:hnl_save', 's:mls_save', 's:reloading_buffers', 
> > 's:aliases',
> >  \ 'xolox#shell#fullscreen', 's:vim_filetypes', 'b:luainspect_warnings', 
> > 'cache_tagged_files',
> >  \ 'easytags#autoload', 's:fullscreen_enabled', 'session#save_session', 
> > '<A-Left>', 'xolox#message',
> >  \ 's:units', 'session#restart_cmd', 'g:timer_enabled', 's:contact', 
> > 'easytags#define_tagkind',
> >  \ 'xolox#path#decode', '***', 'handle_error', 'reload_ftplugin', 
> > 'g:lua_inspect_warnings',
> >  \ 's:session_is_dirty', 'xolox#shell#open_url', 'parse_scriptnames', 
> > 'session#save_features',
> >  \ 'check_output', 'session#complete_names', '<C-S-PageUp>', 
> > 'xolox#path#relative', '<F3>',
> >  \ 'b:easytags_last_highlighted', 'reload_message', 'update_warnings', 
> > 's:canonical_aliases',
> >  \ 'reload_plugin', 's:go_toggled', 'publish#customize_html', 
> > 'g:shell_open_cmds', 'check_cfile',
> >  \ 'run_ctags', '<C-S-PageDown>', 'g:loaded_luainspect', 
> > 'xolox#timer#format_timespan',
> >  \ 'luainspect#highlight_cmd', 'xolox#reload#open_readonly', 
> > 'easytags#to_ctags_ft', 'pattern_to_lnum',
> >  \ 'unlock_session', 'c_syntax_for_h', 'g:shell_fullscreen_items', 
> > 's:current_source_directory',
> >  \ 'publish#create_dirs', 'reload_autoload', 'prepare_search_path', 
> > 's:viml_sl_prefix', 's:ruler_save',
> >  \ 'is_bash', 'xolox#reload#windows', 'g:loaded_pyref', 's:cpo_save', 
> > 'has_dll', 'xolox#path#tempdir',
> >  \ 'g:lua_inspect_events', 's:auto_reload_active', 
> > 'xolox#option#join_tags', 'highlight_variables',
> >  \ 'xolox#escape#pattern', 'easytags#file_has_tags', 'check_filetype', 
> > 's:scripttypes',
> >  \ 'script_sourced', 'b:luainspect_disabled', 'luainspect#auto_enable', 
> > '<c-]>', '<F5>',
> >  \ 'session#view_cmd', 'xolox#path#commonprefix', 
> > 'g:easytags_include_members', 'g:session_autosave',
> >  \ 'lock_session', 's:more_save', 's:huc_save', 'easytags#alias_filetypes', 
> > 'g:pyref_browser',
> >  \ 'g:publish_viml_sl_hack', 's:tempdir_counter', 
> > 'easytags#supported_filetypes',
> >  \ 'easytags#add_tagged_file', 'unescape_tags', 'filter_merge_tags', 
> > 'b:luainspect_output',
> >  \ 'g:xolox_messages', 'xolox#shell#highlight_urls', 'session#auto_save', 
> > 'find_dll_version',
> >  \ 's:window_to_info', 'b:easytags_nohl', 'easytags#write_tagsfile', 
> > 'g:loaded_easytags',
> >  \ 'reload_buffers', '<F6>', 'reload_syntax', 'xolox#shell#is_fullscreen', 
> > 'publish#prep_env',
> >  \ 's:groups', '<BS>', 'highlight_position', 's:tagkinds', 
> > 's:cached_layouts', 's:saved_qflist',
> >  \ 'session#name_to_path', 'balloon_syntax', 'parse_text', 
> > 'xolox#path#merge', 'g:pyref_mapping',
> >  \ 'publish#resolve_files', 'session#save_fullscreen', 
> > 'g:shell_mappings_enabled', 'xolox#path#encode',
> >  \ 'reload_window', 'clear_message', 'xolox#escape#substitute', 
> > 'easytags#to_vim_ft',
> >  \ 'xolox#option#split', 's:tags_to_publish', '...', 
> > 's:windows_compatible', 'g:publish_plaintext',
> >  \ 'foreach_tabpage', 'xolox#shell#build_cmd', 'session#save_qflist', 
> > 'xolox#path#split'])
>
> > [gdb.txt1K ]pe...@laptop> gdb --args /usr/local/bin/gvim -fu NONE 
> > --noplugin -NS crash.vim
> > GNU gdb (GDB) 7.0-ubuntu
> > Copyright (C) 2009 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later 
> > <http://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> > and "show warranty" for details.
> > This GDB was configured as "x86_64-linux-gnu".
> > For bug reporting instructions, please see:
> > <http://www.gnu.org/software/gdb/bugs/>...
> > Reading symbols from /usr/local/bin/gvim...done.
> > (gdb) r
> > Starting program: /usr/local/bin/gvim -fu NONE --noplugin -NS crash.vim
> > [Thread debugging using libthread_db enabled]
>
> > (gvim:4029): GLib-WARNING **: g_set_prgname() called multiple times
>
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x0000000000564107 in regmatch (scan=0x97743a "\003") at regexp.c:4730
> > 4730                    if (OP(next) != BRANCH) /* No choice. */
> > (gdb) where
> > #0  0x0000000000564107 in regmatch (scan=0x97743a "\003") at regexp.c:4730
> > #1  0x0000000000561c50 in regtry (prog=0x977420, col=0) at regexp.c:3711
> > #2  0x0000000000561a17 in vim_regexec_both (line=0xb93d50 "", col=0, 
> > tm=0x0) at regexp.c:3600
> > #3  0x0000000000561342 in vim_regexec (rmp=0x7fffffffdf30, line=0xb93d50 
> > "", col=0) at regexp.c:3347
> > #4  0x00000000004c0d5d in match_file_pat (pattern=0x0,
>
> ...
>
