Bram Moolenaar <[email protected]> wrote:
> Patch 7.4.786
> Problem: It is not possible for a plugin to adjust to a changed setting.
> Solution: Add the OptionSet autocommand event. (Christian Brabandt)
Hi
This patch causes use of freed memory when running test10.
changeset 6935:4db70c94226b -> crash in test 10 with asan
changeset 6934:be7bd53ad376 -> no crash
The address sanitizer reports:
=================================================================
==10070==ERROR: AddressSanitizer: heap-use-after-free on address
0x602000017610 at pc 0x0000004da587 bp 0x7ffdb0d2ac70 sp
0x7ffdb0d2a428
READ of size 2 at 0x602000017610 thread T0
#0 0x4da586 in strlen ??:?
#1 0xc94c39 in vim_strsave /home/pel/sb/vim/src/misc2.c:1245
#2 0x672be9 in set_vim_var_string /home/pel/sb/vim/src/eval.c:20566
#3 0xe72b8a in do_set /home/pel/sb/vim/src/option.c:4946
#4 0x8e6e2e in ex_set /home/pel/sb/vim/src/ex_docmd.c:12007
#5 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#6 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#7 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
#8 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
#9 0x15ab0fd in main_loop /home/pel/sb/vim/src/main.c:1351
#10 0x1598c9a in main /home/pel/sb/vim/src/main.c:1050
#11 0x2ba029e92ec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#12 0x465d46 in _start ??:?
0x602000017610 is located 0 bytes inside of 6-byte region
[0x602000017610,0x602000017616)
freed by thread T0 here:
#0 0x4eca32 in free ??:?
#1 0xc94a66 in vim_free /home/pel/sb/vim/src/misc2.c:1707
#2 0xe8efa3 in did_set_string_option /home/pel/sb/vim/src/option.c:6084
#3 0xe72a17 in do_set /home/pel/sb/vim/src/option.c:4933
#4 0x8e6e2e in ex_set /home/pel/sb/vim/src/ex_docmd.c:12007
#5 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#6 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#7 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
#8 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
#9 0x15ab0fd in main_loop /home/pel/sb/vim/src/main.c:1351
#10 0x1598c9a in main /home/pel/sb/vim/src/main.c:1050
#11 0x2ba029e92ec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
previously allocated by thread T0 here:
#0 0x4ecd12 in __interceptor_malloc ??:?
#1 0xc928c2 in lalloc /home/pel/sb/vim/src/misc2.c:921
#2 0xc9252b in alloc /home/pel/sb/vim/src/misc2.c:820
#3 0xe6f167 in do_set /home/pel/sb/vim/src/option.c:4749
#4 0x8e6e2e in ex_set /home/pel/sb/vim/src/ex_docmd.c:12007
#5 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#6 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#7 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
#8 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
#9 0x15ab0fd in main_loop /home/pel/sb/vim/src/main.c:1351
#10 0x1598c9a in main /home/pel/sb/vim/src/main.c:1050
#11 0x2ba029e92ec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
Shadow bytes around the buggy address:
0x0c047fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffae90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffaea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffaeb0: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa 06 fa
=>0x0c047fffaec0: fa fa[fd]fa fa fa 02 fa fa fa 00 05 fa fa fd fa
0x0c047fffaed0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fffaee0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffaef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fffaf00: fa fa 05 fa fa fa 05 fa fa fa fd fa fa fa fd fa
0x0c047fffaf10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==10070==ABORTING
Aborted (core dumped)
4931             /* Handle side effects, and set the global value for
4932              * ":set" on local options. */
!!4933           errmsg = did_set_string_option(opt_idx, (char_u **)varp,
4934                     new_value_alloced, oldval, errbuf, opt_flags);
4935
4936             /* If error detected, print the error message. */
4937             if (errmsg != NULL)
4938                 goto skip;
4939 #if defined(FEAT_AUTOCMD) && defined(FEAT_EVAL)
4940             if (saved_origval != NULL)
4941             {
4942                 char_u buf_type[7];
4943
4944                 sprintf((char *)buf_type, "%s",
4945                         (opt_flags & OPT_LOCAL) ? "local" : "global");
!!4946              set_vim_var_string(VV_OPTION_NEW, newval, -1);
Memory is freed at option.c:4933 and used later at option.c:4946
Dominique
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
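The ownership mistake in the report, modelled as an added example (this is not vim's code and not necessarily vim's eventual fix; `option_take_value`, `struct option_t`, `set_option_vulnerable`, `set_option_fixed` and `check_fixed` are hypothetical stand-ins). `option_take_value` plays the role of `did_set_string_option()`: it takes ownership of the buffer it is handed and, while normalising the value, may free that buffer. The vulnerable caller reads `newval` again after the hand-over, exactly the 4933/4946 ordering above; the fixed caller copies what it needs before ownership moves.

```c
/* Added example, not vim code: a minimal model of the use-after-free in the
 * report.  Build with -fsanitize=address and run with "uaf" as the argument
 * to get a heap-use-after-free report like the one above. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct option_t {           /* hypothetical stand-in for an option table entry */
    char *value;            /* current value, owned by the option */
};

static char *xstrdup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p == NULL)
        abort();
    return strcpy(p, s);
}

/* Stand-in for did_set_string_option(): the option takes ownership of
 * "newval".  If the value needs normalising, the option keeps a fresh copy
 * and frees the buffer the caller handed in.  Either way the caller must
 * not touch "newval" afterwards. */
static void option_take_value(struct option_t *opt, char *newval)
{
    size_t i;

    free(opt->value);
    for (i = 0; newval[i] != '\0'; i++)
        if (isupper((unsigned char)newval[i]))
            break;
    if (newval[i] == '\0') {
        opt->value = newval;        /* already canonical: keep the buffer */
        return;
    }
    opt->value = xstrdup(newval);   /* lower-case copy becomes the value... */
    for (i = 0; opt->value[i] != '\0'; i++)
        opt->value[i] = (char)tolower((unsigned char)opt->value[i]);
    free(newval);                   /* ...and the caller's buffer is gone */
}

/* Same ordering as do_set() at 4933/4946: hand the buffer over, then read
 * it again to publish the "new" value.  With a value that needed
 * normalising this reads freed memory. */
static char *set_option_vulnerable(struct option_t *opt, const char *text)
{
    char *newval = xstrdup(text);

    option_take_value(opt, newval);
    return xstrdup(newval);         /* BUG: newval may already be freed */
}

/* Fixed ordering: copy what the later consumer needs before ownership
 * moves, and never reread "newval" after the hand-over. */
static char *set_option_fixed(struct option_t *opt, const char *text)
{
    char *newval = xstrdup(text);
    char *saved_newval = xstrdup(newval);   /* survives option_take_value() */

    option_take_value(opt, newval);
    return saved_newval;            /* caller frees this one */
}

/* Drives the fixed path; returns 1 when the published value is the text as
 * typed and the option stored the normalised form. */
static int check_fixed(const char *text, const char *want_published,
                       const char *want_stored)
{
    struct option_t opt = { NULL };
    char *published = set_option_fixed(&opt, text);
    int ok = strcmp(published, want_published) == 0
          && strcmp(opt.value, want_stored) == 0;

    free(published);
    free(opt.value);
    return ok;
}

int main(int argc, char **argv)
{
    struct option_t opt = { NULL };
    char *published;

    if (argc > 1 && strcmp(argv[1], "uaf") == 0)
        published = set_option_vulnerable(&opt, "Unix");   /* ASan aborts here */
    else
        published = set_option_fixed(&opt, "Unix");
    printf("published=%s stored=%s\n", published, opt.value);
    free(published);
    free(opt.value);
    return 0;
}
```

The pattern to look for when reviewing code like `do_set()`: once a pointer has been passed to a function that takes ownership, every later use of that pointer must go through whatever the owner now holds (here `opt.value`) or through a copy made beforehand. ASan only reports the read when the owner actually freed the buffer, which is why plain `set fileformat=unix` style values that need no normalising would not trigger it and the bug shows up only in a test that exercises the other path.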