Dominique Pelle wrote:

> Ingo Karkat <[email protected]> wrote:
>
> > Hello Vim developers,
> >
> > I recently started using latest Vim builds with the new NFA-engine
> > enabled, and I immediately noticed discrepancies when using my personal
> > fork of the popular snipMate plugin
> > (https://github.com/inkarkat/snipMate.vim). I've reduced the problem to
> > the following scriptlet (also attached as snipMate-re-bug.vim):
> >
> > #v+
> > fun! Unescape(text, what)
> >     return substitute(a:text, '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\\\ze' .
> >     \   a:what, '', 'g')
> > endf
> >
> > echo substitute('${2}Maintainer: Foo Bar <${1:[email protected]}>${3}',
> > \   '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!${\d\+:\(.\{-}\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\)}',
> > \   '\=submatch(0) . Unescape(submatch(1), "}")', 'g')
> > #v-
> >
> > Steps to reproduce:
> > $ vim -N -u NONE snipMate-re-bug.vim
> > :so %
> > This yields the wrong (unmodified):
> > ,----
> > | ${2}Maintainer: Foo Bar <${1:[email protected]}>${3}
> > `----
> > When I switch to the old regexp engine
> > :set re=1
> > I get the expected, correct result:
> > ,----
> > | ${2}Maintainer: Foo Bar <${1:[email protected]}[email protected]>${3}
> > `----
> >
> > Additionally, when I do
> > :syntax on
> > :so %
> > I receive an out of memory error (most of the time):
> > ,----
> > | Error detected while processing /tmp/snipMate-re-bug.vim:
> > | line 5:
> > | E342: Out of memory!  (allocating 4270043459 bytes)
> > | ${2}Maintainer: Foo Bar <${1:[email protected]}>${3}
> > `----
> >
> > This out of memory also happens when I use the full plugin normally.
> > Very rarely, Vim crashes after the out of memory.
> >
> > This is with a huge build of Vim 7.3.1255, running in an Ubuntu 13.04
> > x64 VM. See attached version.log for more info. Let me know if you need
> > more details.
>
> Since 4270043459 is close to 2^32 = 4294967296,
> it looks like vim is trying to allocate a negative number,
> which is obviously a bug.
> Probably something is uninitialized.
>
> I could not reproduce the crash you describe.
> However, when running vim-7.3.1255 with:
>
> $ valgrind --log-file=vg.log \
>     --num-callers=50 \
>     --track-origins=yes \
>     vim -N -u NONE snipMate-re-bug.vim
>
> I get the following error as soon as I do: :so %
>
> ==32418== Conditional jump or move depends on uninitialised value(s)
> ==32418==    at 0x545631: reg_submatch (regexp.c:7892)
> ==32418==    by 0x44DFAB: f_submatch (eval.c:17696)
> ==32418==    by 0x43F7EE: call_func (eval.c:8530)
> ==32418==    by 0x43F248: get_func_tv (eval.c:8343)
> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
> ==32418==    by 0x43A341: eval6 (eval.c:4805)
> ==32418==    by 0x439EB0: eval5 (eval.c:4621)
> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
> ==32418==    by 0x43F1AC: get_func_tv (eval.c:8328)
> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
> ==32418==    by 0x43A341: eval6 (eval.c:4805)
> ==32418==    by 0x439F8C: eval5 (eval.c:4657)
> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
> ==32418==    by 0x438D19: eval0 (eval.c:4037)
> ==32418==    by 0x433D69: eval_to_string (eval.c:1348)
> ==32418==    by 0x5448F5: vim_regsub_both (regexp.c:7482)
> ==32418==    by 0x5446A6: vim_regsub (regexp.c:7383)
> ==32418==    by 0x45A424: do_string_sub (eval.c:24286)
> ==32418==    by 0x44E0AB: f_substitute (eval.c:17720)
> ==32418==    by 0x43F7EE: call_func (eval.c:8530)
> ==32418==    by 0x43F248: get_func_tv (eval.c:8343)
> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
> ==32418==    by 0x43A341: eval6 (eval.c:4805)
> ==32418==    by 0x439EB0: eval5 (eval.c:4621)
> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
> ==32418==    by 0x45324C: ex_echo (eval.c:20858)
> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
> ==32418==    by 0x46D428: do_source (ex_cmds2.c:3300)
> ==32418==    by 0x46CB56: cmd_source (ex_cmds2.c:2909)
> ==32418==    by 0x46CAA3: ex_source (ex_cmds2.c:2882)
> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
> ==32418==    by 0x501DC2: nv_colon (normal.c:5457)
> ==32418==    by 0x4FA8BC: normal_cmd (normal.c:1200)
> ==32418==    by 0x5ED64E: main_loop (main.c:1329)
> ==32418==    by 0x5ECF97: main (main.c:1020)
> ==32418==  Uninitialised value was created by a heap allocation
> ==32418==    at 0x4C2C78F: malloc (vg_replace_malloc.c:270)
> ==32418==    by 0x4E795F: lalloc (misc2.c:929)
> ==32418==    by 0x54F2B7: nfa_regmatch (regexp_nfa.c:4957)
> ==32418==    by 0x5519F4: nfa_regtry (regexp_nfa.c:6214)
> ==32418==    by 0x552065: nfa_regexec_both (regexp_nfa.c:6398)
> ==32418==    by 0x552424: nfa_regexec_nl (regexp_nfa.c:6595)
> ==32418==    by 0x55268A: vim_regexec_nl (regexp.c:8067)
> ==32418==    by 0x45A5B4: do_string_sub (eval.c:24277)
> ==32418==    by 0x44E0AB: f_substitute (eval.c:17720)
> ==32418==    by 0x43F7EE: call_func (eval.c:8530)
> ==32418==    by 0x43F248: get_func_tv (eval.c:8343)
> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
> ==32418==    by 0x43A341: eval6 (eval.c:4805)
> ==32418==    by 0x439EB0: eval5 (eval.c:4621)
> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
> ==32418==    by 0x45324C: ex_echo (eval.c:20858)
> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
> ==32418==    by 0x46D428: do_source (ex_cmds2.c:3300)
> ==32418==    by 0x46CB56: cmd_source (ex_cmds2.c:2909)
> ==32418==    by 0x46CAA3: ex_source (ex_cmds2.c:2882)
> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
> ==32418==    by 0x501DC2: nv_colon (normal.c:5457)
> ==32418==    by 0x4FA8BC: normal_cmd (normal.c:1200)
> ==32418==    by 0x5ED64E: main_loop (main.c:1329)
> ==32418==    by 0x5ECF97: main (main.c:1020)
>
> Code in regexp.c is:
>
>   7889      else
>   7890      {
>   7891          s = submatch_match->startp[no];
> !!7892          if (s == NULL || submatch_match->endp[no] == NULL)
>   7893              retval = NULL;
>   7894          else
>   7895              retval = vim_strnsave(s,
>                                  (int)(submatch_match->endp[no] - s));
>   7896      }
>
> Putting printf, I can see that 's' and 'no' are initialized,
> but submatch_match->endp[no] is not initialized.
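Added example, written for this page and not taken from Vim or from anyone in this thread, in C because that is the language of the regexp.c excerpt above. It illustrates the two points in Dominique's analysis: a stand-in submatch record that is zero-initialised so the `s == NULL || endp[no] == NULL` test is actually meaningful, plus a length check that refuses the negative `(int)(endp - s)` a garbage `endp` yields instead of passing it to the allocator. `alloc_len_unchecked` shows why that negative length surfaces as a request of about 4 GiB once it is converted to an unsigned argument (4270043459 is -24923837 wrapped at 2^32). The struct and function names, and the assumption that the length passes through a 32-bit unsigned conversion, are mine; the page does not show Vim's exact allocation path.

```c
/*
 * Hypothetical stand-in for a regex submatch record (NOT Vim's code).
 * Demonstrates (1) why an indeterminate endp[] can turn into a ~4 GiB
 * allocation request and (2) how zero-initialisation plus a length check
 * make the NULL test on endp[no] actually protect the caller.
 */
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_NSUBEXP 10

typedef struct {
    const char *startp[DEMO_NSUBEXP];
    const char *endp[DEMO_NSUBEXP];
} demo_match;

/* Mirrors the suspect computation: the pointer difference is narrowed to an
 * int and then handed to an allocator that takes an unsigned size.  When endp
 * is garbage lying before startp, the int is negative and the unsigned value
 * lands just below 2^32.  Assumes a 32-bit unsigned int (an assumption). */
unsigned int alloc_len_unchecked(ptrdiff_t diff)
{
    int len = (int)diff;          /* negative for an inverted span */
    return (unsigned int)len;     /* -24923837 becomes 4270043459 */
}

/* Hardened variant: only lengths a well-formed match can produce are
 * accepted.  Returns 1 and stores the byte count on success, 0 otherwise. */
int alloc_len_checked(ptrdiff_t diff, size_t *out)
{
    if (diff < 0 || diff > INT_MAX)
        return 0;
    *out = (size_t)diff;
    return 1;
}

/* Allocate the record with calloc so every startp/endp slot is a real NULL
 * rather than whatever the heap previously held.  Without this the NULL test
 * in demo_submatch() compares against indeterminate memory. */
demo_match *demo_match_new(void)
{
    return calloc(1, sizeof(demo_match));
}

/* Return a heap copy of submatch 'no', or NULL if the group did not take
 * part in the match or the recorded pointers are inconsistent.  The caller
 * frees the result. */
char *demo_submatch(const demo_match *m, int no)
{
    const char *s;
    const char *e;
    size_t len;
    char *ret;

    if (m == NULL || no < 0 || no >= DEMO_NSUBEXP)
        return NULL;
    s = m->startp[no];
    e = m->endp[no];
    if (s == NULL || e == NULL)
        return NULL;
    /* Reject inverted or oversized spans instead of computing a negative int. */
    if (!alloc_len_checked(e - s, &len))
        return NULL;
    ret = malloc(len + 1);
    if (ret == NULL)
        return NULL;
    memcpy(ret, s, len);
    ret[len] = '\0';
    return ret;
}
```

The two defences are independent: zeroing the record makes an unset group fail the NULL test deterministically, and the length check catches the case where both pointers are set but inconsistent, which is the only way a negative length can reach the allocator.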
I think I found a solution.  I'll send out a patch.  Please check that
this fixes your problem.

-- 
A real patriot is the fellow who gets a parking ticket and rejoices
that the system works.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
