Ingo Karkat <[email protected]> wrote:

> Hello Vim developers,
>
> I recently started using latest Vim builds with the new NFA-engine
> enabled, and I immediately noticed discrepancies when using my personal
> fork of the popular snipMate plugin
> (https://github.com/inkarkat/snipMate.vim). I've reduced the problem to
> the following scriptlet (also attached as snipMate-re-bug.vim):
>
> #v+
> fun! Unescape(text, what)
>     return substitute(a:text, '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\\\ze' . a:what, '', 'g')
> endf
>
> echo substitute('${2}Maintainer:        Foo Bar <${1:[email protected]}>${3}', '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!${\d\+:\(.\{-}\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\)}', '\=submatch(0) . Unescape(submatch(1), "}")', 'g')
> #v-
>
> Steps to reproduce:
>     $ vim -N -u NONE snipMate-re-bug.vim
>     :so %
> This yields the wrong (unmodified):
> ,----
> | ${2}Maintainer: Foo Bar <${1:[email protected]}>${3}
> `----
> When I switch to the old regexp engine
>     :set re=1
> I get the expected, correct result:
> ,----
> | ${2}Maintainer: Foo Bar <${1:[email protected]}[email protected]>${3}
> `----
>
> Additionally, when I do
>     :syntax on
>     :so %
> I receive an out of memory error (most of the time):
> ,----
> | Error detected while processing /tmp/snipMate-re-bug.vim:
> | line    5:
> | E342: Out of memory!  (allocating 4270043459 bytes)
> | ${2}Maintainer: Foo Bar <${1:[email protected]}>${3}
> `----
>
> This out of memory also happens when I use the full plugin normally.
> Very rarely, Vim crashes after the out of memory.
>
> This is with a huge build of Vim 7.3.1255, running in an Ubuntu 13.04
> x64 VM. See attached version.log for more info. Let me know if you need
> more details.


Since 4270043459 is close to 2^32 = 4294967296,
it looks like vim is trying to allocate a negative number,
which is obviously a bug. Probably something is uninitialized.

I could not reproduce the crash you describe.
However, when running vim-7.3.1255 with:

$ valgrind --log-file=vg.log \
  --num-callers=50 \
  --track-origins=yes \
  vim -N -u NONE snipMate-re-bug.vim

I get the following error as soon as I do:   :so %

==32418== Conditional jump or move depends on uninitialised value(s)
==32418==    at 0x545631: reg_submatch (regexp.c:7892)
==32418==    by 0x44DFAB: f_submatch (eval.c:17696)
==32418==    by 0x43F7EE: call_func (eval.c:8530)
==32418==    by 0x43F248: get_func_tv (eval.c:8343)
==32418==    by 0x43AA9A: eval7 (eval.c:5153)
==32418==    by 0x43A341: eval6 (eval.c:4805)
==32418==    by 0x439EB0: eval5 (eval.c:4621)
==32418==    by 0x4392AF: eval4 (eval.c:4314)
==32418==    by 0x4390FC: eval3 (eval.c:4226)
==32418==    by 0x438F7B: eval2 (eval.c:4155)
==32418==    by 0x438DBA: eval1 (eval.c:4080)
==32418==    by 0x43F1AC: get_func_tv (eval.c:8328)
==32418==    by 0x43AA9A: eval7 (eval.c:5153)
==32418==    by 0x43A341: eval6 (eval.c:4805)
==32418==    by 0x439F8C: eval5 (eval.c:4657)
==32418==    by 0x4392AF: eval4 (eval.c:4314)
==32418==    by 0x4390FC: eval3 (eval.c:4226)
==32418==    by 0x438F7B: eval2 (eval.c:4155)
==32418==    by 0x438DBA: eval1 (eval.c:4080)
==32418==    by 0x438D19: eval0 (eval.c:4037)
==32418==    by 0x433D69: eval_to_string (eval.c:1348)
==32418==    by 0x5448F5: vim_regsub_both (regexp.c:7482)
==32418==    by 0x5446A6: vim_regsub (regexp.c:7383)
==32418==    by 0x45A424: do_string_sub (eval.c:24286)
==32418==    by 0x44E0AB: f_substitute (eval.c:17720)
==32418==    by 0x43F7EE: call_func (eval.c:8530)
==32418==    by 0x43F248: get_func_tv (eval.c:8343)
==32418==    by 0x43AA9A: eval7 (eval.c:5153)
==32418==    by 0x43A341: eval6 (eval.c:4805)
==32418==    by 0x439EB0: eval5 (eval.c:4621)
==32418==    by 0x4392AF: eval4 (eval.c:4314)
==32418==    by 0x4390FC: eval3 (eval.c:4226)
==32418==    by 0x438F7B: eval2 (eval.c:4155)
==32418==    by 0x438DBA: eval1 (eval.c:4080)
==32418==    by 0x45324C: ex_echo (eval.c:20858)
==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
==32418==    by 0x46D428: do_source (ex_cmds2.c:3300)
==32418==    by 0x46CB56: cmd_source (ex_cmds2.c:2909)
==32418==    by 0x46CAA3: ex_source (ex_cmds2.c:2882)
==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
==32418==    by 0x501DC2: nv_colon (normal.c:5457)
==32418==    by 0x4FA8BC: normal_cmd (normal.c:1200)
==32418==    by 0x5ED64E: main_loop (main.c:1329)
==32418==    by 0x5ECF97: main (main.c:1020)
==32418==  Uninitialised value was created by a heap allocation
==32418==    at 0x4C2C78F: malloc (vg_replace_malloc.c:270)
==32418==    by 0x4E795F: lalloc (misc2.c:929)
==32418==    by 0x54F2B7: nfa_regmatch (regexp_nfa.c:4957)
==32418==    by 0x5519F4: nfa_regtry (regexp_nfa.c:6214)
==32418==    by 0x552065: nfa_regexec_both (regexp_nfa.c:6398)
==32418==    by 0x552424: nfa_regexec_nl (regexp_nfa.c:6595)
==32418==    by 0x55268A: vim_regexec_nl (regexp.c:8067)
==32418==    by 0x45A5B4: do_string_sub (eval.c:24277)
==32418==    by 0x44E0AB: f_substitute (eval.c:17720)
==32418==    by 0x43F7EE: call_func (eval.c:8530)
==32418==    by 0x43F248: get_func_tv (eval.c:8343)
==32418==    by 0x43AA9A: eval7 (eval.c:5153)
==32418==    by 0x43A341: eval6 (eval.c:4805)
==32418==    by 0x439EB0: eval5 (eval.c:4621)
==32418==    by 0x4392AF: eval4 (eval.c:4314)
==32418==    by 0x4390FC: eval3 (eval.c:4226)
==32418==    by 0x438F7B: eval2 (eval.c:4155)
==32418==    by 0x438DBA: eval1 (eval.c:4080)
==32418==    by 0x45324C: ex_echo (eval.c:20858)
==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
==32418==    by 0x46D428: do_source (ex_cmds2.c:3300)
==32418==    by 0x46CB56: cmd_source (ex_cmds2.c:2909)
==32418==    by 0x46CAA3: ex_source (ex_cmds2.c:2882)
==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
==32418==    by 0x501DC2: nv_colon (normal.c:5457)
==32418==    by 0x4FA8BC: normal_cmd (normal.c:1200)
==32418==    by 0x5ED64E: main_loop (main.c:1329)
==32418==    by 0x5ECF97: main (main.c:1020)

Code in regexp.c is:

  7889     else
  7890     {
  7891         s = submatch_match->startp[no];
!!7892         if (s == NULL || submatch_match->endp[no] == NULL)
  7893             retval = NULL;
  7894         else
  7895             retval = vim_strnsave(s, (int)(submatch_match->endp[no] - s));
  7896     }

Putting printf, I can see that 's' and 'no' are initialized,
but submatch_match->endp[no] is not initialized.

Dominique
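As an added illustration of the two observations above (a near-2^32 allocation is a negative int length converted to an unsigned size, and an uninitialised endp reaching the strnsave call), here is a small C model that is not Vim's own code: the submatch_t struct, the function names and the sample placeholder are constructed for this example, and the two mitigations shown (zero-initialising the record, rejecting NULL or inverted bounds) are the generic defensive checks, not the fix Vim eventually applied.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of Vim's submatch record (not Vim's struct): one start/end pointer pair per \( \) group. */
typedef struct { char *startp[10]; char *endp[10]; } submatch_t;

/* What a negative (int)(endp - s) becomes at an unsigned size parameter: reduced modulo 2^32, */
/* so -24923837 reaches the allocator as 4270043459, the figure in the E342 message. */
unsigned long alloc_size_from_len(int len)
{
    return (unsigned long)(unsigned int)len;
}

/* Mitigation 1: zero the record so a group the matcher never filled in reads as NULL. */
submatch_t *submatch_new(void)
{
    return calloc(1, sizeof(submatch_t));
}

/* Mitigation 2: reject NULL or inverted bounds before computing a length, so a garbage end pointer cannot become a huge allocation. */
char *submatch_strnsave(const submatch_t *m, int no)
{
    const char *s = m->startp[no], *e = m->endp[no];
    if (s == NULL || e == NULL || e < s)
        return NULL;
    size_t len = (size_t)(e - s);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Constructed input: a snipMate-style placeholder. */
static char SAMPLE[] = "${1:foo}";

/* Returns 1 when an unfilled group is refused and a group bounded to "foo" is copied exactly, else 0. */
int demo(void)
{
    submatch_t *m = submatch_new();
    int unset_ok = submatch_strnsave(m, 1) == NULL;  /* group 1 never set: NULL, no allocation */
    m->startp[1] = SAMPLE + 4;                        /* points at "foo" */
    m->endp[1] = SAMPLE + 7;
    char *r = submatch_strnsave(m, 1);
    int copy_ok = r != NULL && strcmp(r, "foo") == 0;
    free(r); free(m);
    return unset_ok && copy_ok;
}
```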
