On 20/05/2013 12:37, Bram Moolenaar wrote:

Charles Peacech wrote:

On Mon, May 20, 2013 at 5:28 PM, Charles <[email protected]> wrote:
Hi,

In my gvim, the new regexp engine crashes gvim for this regexp

0x02a60c72 "htmlSpecialChar "&#\=[0-9A-Za-z]\{1,8};""

The crash happens here

/*
  * Allocate and initialize nfa_state_T.
  */
     static nfa_state_T *
new_state(c, out, out1)
     int         c;
     nfa_state_T *out;
     nfa_state_T *out1;
{
     nfa_state_T *s;

     if (istate >= nstate)
         return NULL;

     s = &state_ptr[istate++];

     s->c    = c;
     s->out  = out;
     s->out1 = out1; // <----- Access violation here, probably because s points to foreign memory

     s->id   = istate;
     s->lastlist = 0;
     s->lastthread = NULL;
     s->visits = 0;
     s->negated = FALSE;

     return s;
}


It seems that the cause is an insufficient initial size here

line 232:
/* A reasonable estimation for size */
     nstate_max = (STRLEN(expr) + 1) * NFA_POSTFIX_MULTIPLIER;

When it crashed, it's trying to access member no. 714 while the
currently allocated array is only 631.

Yes, increasing the size works around the problem.

However, there is a check for the pointer not to go beyond the end:

#define EMIT(c) do {                            \
                    if (post_ptr >= post_end)        \
                        return FAIL;            \
                    *post_ptr++ = c;            \
                } while (0)

For some reason that is not working. Ah, it's adding the byte size to
the int pointer, that's wrong.  Patch coming up...

It is non-portable code. It is not defined when the post increment is done; it could be before or after the assignment of c. I assume the intent is that the post increment is done after the assignment, so it should be broken into two as follows:

  *post_ptr = c; \
  post_ptr++;    \

TTFN

Mike
--
Make your mark in this world or at least spray in each corner.
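
Added example, not part of the thread and not Vim's source: a C sketch of the mistake Bram describes, where an end pointer computed by adding a byte size to an int pointer lets an EMIT-style bounds check accept far more writes than the buffer holds. The names emit, accepted_emits and byte_size_as_count are hypothetical, and the arena is deliberately oversized so the demonstration itself stays in bounds.

```c
#include <stdio.h>
#include <stdlib.h>

#define OK   1
#define FAIL 0

/* Same shape as the EMIT() check quoted above: refuse once post_ptr reaches post_end. */
static int emit(int **post_ptr, int *post_end, int c)
{
    if (*post_ptr >= post_end)
        return FAIL;
    *(*post_ptr)++ = c;
    return OK;
}

/*
 * Returns how many emits the check accepts for a buffer meant to hold
 * nelems ints. The arena is oversized on purpose (it holds `bytes` ints),
 * so the miscomputed end pointer still lies inside one allocation and
 * this demo never writes out of bounds. Real code would allocate only
 * `bytes` bytes, and every emit past nelems would corrupt the heap.
 */
static size_t accepted_emits(size_t nelems, int byte_size_as_count)
{
    size_t bytes = nelems * sizeof(int);   /* what the allocator would be asked for */
    int *arena = calloc(bytes, sizeof(int));
    int *post_ptr, *post_end;
    size_t n = 0;

    if (arena == NULL)
        return 0;
    post_ptr = arena;
    /* Arithmetic on an int pointer already scales by sizeof(int). */
    post_end = byte_size_as_count ? arena + bytes    /* end lands sizeof(int) times too far */
                                  : arena + nelems;  /* end is one past the last element */
    while (emit(&post_ptr, post_end, 0) == OK)
        n++;
    free(arena);
    return n;
}

int main(void)
{
    size_t nelems = 631;  /* constructed sample size */
    printf("logical capacity:  %zu ints\n", nelems);
    printf("element-count end: %zu emits accepted\n", accepted_emits(nelems, 0));
    printf("byte-size end:     %zu emits accepted\n", accepted_emits(nelems, 1));
    return 0;
}
```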
