On 28-Jun-2013 23:05 +0200, Bram Moolenaar wrote:

> Dominique Pelle wrote:
>
>> Ingo Karkat <[email protected]> wrote:
>>
>>> Hello Vim developers,
>>>
>>> I recently started using latest Vim builds with the new NFA-engine
>>> enabled, and I immediately noticed discrepancies when using my personal
>>> fork of the popular snipMate plugin
>>> (https://github.com/inkarkat/snipMate.vim). I've reduced the problem to
>>> the following scriptlet (also attached as snipMate-re-bug.vim):
>>>
>>> #v+
>>> fun! Unescape(text, what)
>>> return substitute(a:text, '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\\\ze' .
>>> a:what, '', 'g')
>>> endf
>>>
>>> echo substitute('${2}Maintainer: Foo Bar <${1:[email protected]}>${3}',
>>> '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!${\d\+:\(.\{-}\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\)}'
>>> , '\=submatch(0) . Unescape(submatch(1), "}")', 'g')
>>> #v-
>>>
>>> Steps to reproduce:
>>> $ vim -N -u NONE snipMate-re-bug.vim
>>> :so %
>>> This yields the wrong (unmodified):
>>> ,----
>>> | ${2}Maintainer: Foo Bar <${1:[email protected]}>${3}
>>> `----
>>> When I switch to the old regexp engine
>>> :set re=1
>>> I get the expected, correct result:
>>> ,----
>>> | ${2}Maintainer: Foo Bar <${1:[email protected]}[email protected]>${3}
>>> `----
>>>
>>> Additionally, when I do
>>> :syntax on
>>> :so %
>>> I receive an out of memory error (most of the time):
>>> ,----
>>> | Error detected while processing /tmp/snipMate-re-bug.vim:
>>> | line 5:
>>> | E342: Out of memory! (allocating 4270043459 bytes)
>>> | ${2}Maintainer: Foo Bar <${1:[email protected]}>${3}
>>> `----
>>>
>>> This out of memory also happens when I use the full plugin normally.
>>> Very rarely, Vim crashes after the out of memory.
>>>
>>> This is with a huge build of Vim 7.3.1255, running in an Ubuntu 13.04
>>> x64 VM. See attached version.log for more info. Let me know if you need
>>> more details.
>>
>>
>> Since 4270043459 is close to 2^32 = 4294967296,
>> it looks like vim is trying to allocate a negative number,
>> which is obviously a bug. Probably something is uninitialized.
>>
>> I could not reproduce the crash you describe.
>> However, when running vim-7.3.1255 with:
>>
>> $ valgrind --log-file=vg.log \
>> --num-callers=50 \
>> --track-origins=yes \
>> vim -N -u NONE snipMate-re-bug.vim
>>
>> I get the following error as soon as I do: :so %
>>
>> ==32418== Conditional jump or move depends on uninitialised value(s)
>> ==32418==    at 0x545631: reg_submatch (regexp.c:7892)
>> ==32418==    by 0x44DFAB: f_submatch (eval.c:17696)
>> ==32418==    by 0x43F7EE: call_func (eval.c:8530)
>> ==32418==    by 0x43F248: get_func_tv (eval.c:8343)
>> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
>> ==32418==    by 0x43A341: eval6 (eval.c:4805)
>> ==32418==    by 0x439EB0: eval5 (eval.c:4621)
>> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
>> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
>> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
>> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
>> ==32418==    by 0x43F1AC: get_func_tv (eval.c:8328)
>> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
>> ==32418==    by 0x43A341: eval6 (eval.c:4805)
>> ==32418==    by 0x439F8C: eval5 (eval.c:4657)
>> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
>> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
>> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
>> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
>> ==32418==    by 0x438D19: eval0 (eval.c:4037)
>> ==32418==    by 0x433D69: eval_to_string (eval.c:1348)
>> ==32418==    by 0x5448F5: vim_regsub_both (regexp.c:7482)
>> ==32418==    by 0x5446A6: vim_regsub (regexp.c:7383)
>> ==32418==    by 0x45A424: do_string_sub (eval.c:24286)
>> ==32418==    by 0x44E0AB: f_substitute (eval.c:17720)
>> ==32418==    by 0x43F7EE: call_func (eval.c:8530)
>> ==32418==    by 0x43F248: get_func_tv (eval.c:8343)
>> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
>> ==32418==    by 0x43A341: eval6 (eval.c:4805)
>> ==32418==    by 0x439EB0: eval5 (eval.c:4621)
>> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
>> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
>> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
>> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
>> ==32418==    by 0x45324C: ex_echo (eval.c:20858)
>> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
>> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
>> ==32418==    by 0x46D428: do_source (ex_cmds2.c:3300)
>> ==32418==    by 0x46CB56: cmd_source (ex_cmds2.c:2909)
>> ==32418==    by 0x46CAA3: ex_source (ex_cmds2.c:2882)
>> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
>> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
>> ==32418==    by 0x501DC2: nv_colon (normal.c:5457)
>> ==32418==    by 0x4FA8BC: normal_cmd (normal.c:1200)
>> ==32418==    by 0x5ED64E: main_loop (main.c:1329)
>> ==32418==    by 0x5ECF97: main (main.c:1020)
>> ==32418== Uninitialised value was created by a heap allocation
>> ==32418==    at 0x4C2C78F: malloc (vg_replace_malloc.c:270)
>> ==32418==    by 0x4E795F: lalloc (misc2.c:929)
>> ==32418==    by 0x54F2B7: nfa_regmatch (regexp_nfa.c:4957)
>> ==32418==    by 0x5519F4: nfa_regtry (regexp_nfa.c:6214)
>> ==32418==    by 0x552065: nfa_regexec_both (regexp_nfa.c:6398)
>> ==32418==    by 0x552424: nfa_regexec_nl (regexp_nfa.c:6595)
>> ==32418==    by 0x55268A: vim_regexec_nl (regexp.c:8067)
>> ==32418==    by 0x45A5B4: do_string_sub (eval.c:24277)
>> ==32418==    by 0x44E0AB: f_substitute (eval.c:17720)
>> ==32418==    by 0x43F7EE: call_func (eval.c:8530)
>> ==32418==    by 0x43F248: get_func_tv (eval.c:8343)
>> ==32418==    by 0x43AA9A: eval7 (eval.c:5153)
>> ==32418==    by 0x43A341: eval6 (eval.c:4805)
>> ==32418==    by 0x439EB0: eval5 (eval.c:4621)
>> ==32418==    by 0x4392AF: eval4 (eval.c:4314)
>> ==32418==    by 0x4390FC: eval3 (eval.c:4226)
>> ==32418==    by 0x438F7B: eval2 (eval.c:4155)
>> ==32418==    by 0x438DBA: eval1 (eval.c:4080)
>> ==32418==    by 0x45324C: ex_echo (eval.c:20858)
>> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
>> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
>> ==32418==    by 0x46D428: do_source (ex_cmds2.c:3300)
>> ==32418==    by 0x46CB56: cmd_source (ex_cmds2.c:2909)
>> ==32418==    by 0x46CAA3: ex_source (ex_cmds2.c:2882)
>> ==32418==    by 0x47217C: do_one_cmd (ex_docmd.c:2689)
>> ==32418==    by 0x46F710: do_cmdline (ex_docmd.c:1127)
>> ==32418==    by 0x501DC2: nv_colon (normal.c:5457)
>> ==32418==    by 0x4FA8BC: normal_cmd (normal.c:1200)
>> ==32418==    by 0x5ED64E: main_loop (main.c:1329)
>> ==32418==    by 0x5ECF97: main (main.c:1020)
>>
>> Code in regexp.c is:
>>
>> 7889 else
>> 7890 {
>> 7891 s = submatch_match->startp[no];
>> !!7892 if (s == NULL || submatch_match->endp[no] == NULL)
>> 7893 retval = NULL;
>> 7894 else
>> 7895 retval = vim_strnsave(s,
>> (int)(submatch_match->endp[no] - s));
>> 7896 }
>>
>> Putting printf, I can see that 's' and 'no' are initialized,
>> but submatch_match->endp[no] is not initialized.
>
> I think I found a solution. I'll send out a patch. Please check that
> this fixes your problem.

Yes, patch 7.3.1258 does fix the problem. Thank you!

-- regards, ingo
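
The failure mode diagnosed in this thread, as an added example that is not code from Vim or from any of the posters: a negative `end - start` length, once it reaches an unsigned 32-bit allocation size, becomes a request just under 2^32 bytes, and a submatch lookup can refuse to size a copy from pointers it cannot trust. The names `match_t`, `alloc_request`, `match_init` and `safe_submatch` are hypothetical, the 32-bit allocation size is an assumption, and the length used in `main` is constructed to reproduce the E342 figure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSUB 10                 /* hypothetical number of capture groups */

typedef struct {                /* hypothetical stand-in for a match result */
    const char *startp[NSUB];
    const char *endp[NSUB];
} match_t;

/* Size a 32-bit unsigned allocator sees for a signed length plus the NUL. */
uint32_t alloc_request(int32_t len)
{
    return (uint32_t)len + 1u;
}

/* Clear every slot so that groups the matcher never fills read as NULL. */
void match_init(match_t *m)
{
    for (int i = 0; i < NSUB; i++)
        m->startp[i] = m->endp[i] = NULL;
}

/* Copy group `no`, or return NULL when the slot is unset or its pointers
 * do not describe a forward range inside text[0..text_len]. */
char *safe_submatch(const match_t *m, int no, const char *text, size_t text_len)
{
    if (no < 0 || no >= NSUB)
        return NULL;
    const char *s = m->startp[no], *e = m->endp[no];
    if (s == NULL || e == NULL)
        return NULL;
    uintptr_t lo = (uintptr_t)text, hi = lo + text_len;
    if ((uintptr_t)s < lo || (uintptr_t)e > hi || (uintptr_t)e < (uintptr_t)s)
        return NULL;            /* stale or garbage pointer: do not size from it */
    size_t len = (size_t)(e - s);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed length: one negative value that yields the E342 figure. */
    printf("%u\n", (unsigned)alloc_request(-24923838));
    return 0;
}
```
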
