Hi Dominique!

2015-7-18(Sat) 9:38:45 UTC+9 Dominique Pelle:
> Bram Moolenaar <[email protected]> wrote:
>
> > Patch 7.4.786
> > Problem:    It is not possible for a plugin to adjust to a changed setting.
> > Solution:   Add the OptionSet autocommand event. (Christian Brabandt)
>
> Hi
>
> This patch causes use of freed memory when running test10.
>
> changeset 6935:4db70c94226b -> crash in test 10 with asan
> changeset 6934:be7bd53ad376 -> no crash
>
> The address sanitizer reports:
>
> =================================================================
> ==10070==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000017610 at pc 0x0000004da587 bp 0x7ffdb0d2ac70 sp 0x7ffdb0d2a428
> READ of size 2 at 0x602000017610 thread T0
>     #0 0x4da586 in strlen ??:?
>     #1 0xc94c39 in vim_strsave /home/pel/sb/vim/src/misc2.c:1245
>     #2 0x672be9 in set_vim_var_string /home/pel/sb/vim/src/eval.c:20566
>     #3 0xe72b8a in do_set /home/pel/sb/vim/src/option.c:4946
>     #4 0x8e6e2e in ex_set /home/pel/sb/vim/src/ex_docmd.c:12007
>     #5 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
>     #6 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
>     #7 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
>     #8 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
>     #9 0x15ab0fd in main_loop /home/pel/sb/vim/src/main.c:1351
>     #10 0x1598c9a in main /home/pel/sb/vim/src/main.c:1050
>     #11 0x2ba029e92ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
>     #12 0x465d46 in _start ??:?
>
> 0x602000017610 is located 0 bytes inside of 6-byte region [0x602000017610,0x602000017616)
> freed by thread T0 here:
>     #0 0x4eca32 in free ??:?
>     #1 0xc94a66 in vim_free /home/pel/sb/vim/src/misc2.c:1707
>     #2 0xe8efa3 in did_set_string_option /home/pel/sb/vim/src/option.c:6084
>     #3 0xe72a17 in do_set /home/pel/sb/vim/src/option.c:4933
>     #4 0x8e6e2e in ex_set /home/pel/sb/vim/src/ex_docmd.c:12007
>     #5 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
>     #6 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
>     #7 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
>     #8 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
>     #9 0x15ab0fd in main_loop /home/pel/sb/vim/src/main.c:1351
>     #10 0x1598c9a in main /home/pel/sb/vim/src/main.c:1050
>     #11 0x2ba029e92ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
>
> previously allocated by thread T0 here:
>     #0 0x4ecd12 in __interceptor_malloc ??:?
>     #1 0xc928c2 in lalloc /home/pel/sb/vim/src/misc2.c:921
>     #2 0xc9252b in alloc /home/pel/sb/vim/src/misc2.c:820
>     #3 0xe6f167 in do_set /home/pel/sb/vim/src/option.c:4749
>     #4 0x8e6e2e in ex_set /home/pel/sb/vim/src/ex_docmd.c:12007
>     #5 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
>     #6 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
>     #7 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
>     #8 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
>     #9 0x15ab0fd in main_loop /home/pel/sb/vim/src/main.c:1351
>     #10 0x1598c9a in main /home/pel/sb/vim/src/main.c:1050
>     #11 0x2ba029e92ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
>
> Shadow bytes around the buggy address:
>   0x0c047fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fffae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fffae90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fffaea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fffaeb0: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa 06 fa
> =>0x0c047fffaec0: fa fa[fd]fa fa fa 02 fa fa fa 00 05 fa fa fd fa
>   0x0c047fffaed0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
>   0x0c047fffaee0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
>   0x0c047fffaef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
>   0x0c047fffaf00: fa fa 05 fa fa fa 05 fa fa fa fd fa fa fa fd fa
>   0x0c047fffaf10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==10070==ABORTING
> Aborted (core dumped)
>
>
>   4931                /* Handle side effects, and set the global value for
>   4932                 * ":set" on local options. */
> !!4933                errmsg = did_set_string_option(opt_idx, (char_u **)varp,
>   4934                                 new_value_alloced, oldval, errbuf, opt_flags);
>   4935
>   4936                /* If error detected, print the error message. */
>   4937                if (errmsg != NULL)
>   4938                    goto skip;
>   4939 #if defined(FEAT_AUTOCMD) && defined(FEAT_EVAL)
>   4940                if (saved_origval != NULL)
>   4941                {
>   4942                    char_u buf_type[7];
>   4943
>   4944                    sprintf((char *)buf_type, "%s",
>   4945                            (opt_flags & OPT_LOCAL) ? "local" : "global");
> !!4946                    set_vim_var_string(VV_OPTION_NEW, newval, -1);
>
> Memory is freed at option.c:4933 and used later at option.c:4946
Could you try the attached patch?

-- 
Best regards,
Hirohito Higashi (a.k.a h_east)
diff --git a/src/option.c b/src/option.c --- a/src/option.c +++ b/src/option.c @@ -4943,7 +4943,8 @@ sprintf((char *)buf_type, "%s", (opt_flags & OPT_LOCAL) ? "local" : "global"); - set_vim_var_string(VV_OPTION_NEW, newval, -1); + set_vim_var_string(VV_OPTION_NEW, + *(char_u **)(varp), -1); set_vim_var_string(VV_OPTION_OLD, saved_origval, -1); set_vim_var_string(VV_OPTION_TYPE, buf_type, -1); apply_autocmds(EVENT_OPTIONSET,
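Review bot: The replacement pointer is right, but the reason is invisible at the call site; add a comment above the two `+` lines stating that `newval` must not be used after `did_set_string_option()` returns, because that call (the `vim_free` at option.c:6084 in the report) can free the buffer allocated at option.c:4749 and store a different one in `*varp`. Without it, the next edit to this block can reintroduce exactly the read that ASan caught in `strlen()` under `vim_strsave()`. Two smaller points: `*(char_u **)(varp)` can be written `*(char_u **)varp`, matching the cast already used in the `did_set_string_option()` call at 4933; and since the `errmsg != NULL` check jumps to `skip` before this block, the event only ever reads `*varp` on the success path, so no extra error handling is needed here. One behavioural consequence worth a line in the OptionSet documentation: `v:option_new` now carries the value as stored after side effects, not the literal text given to `:set`, which is what a handler wants but is not obvious from the patch.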
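The failure mode in the report and the fix in the patch, as an added C model that is not Vim's code: a caller allocates a new string, hands it to the option variable, calls a setter with side effects, and then must decide which pointer to read. Names mirror option.c (`varp`, `newval`, `saved_origval`, `did_set_string_option`), but the setter's side effect, expanding a leading `~` to a fixed home directory, is a hypothetical one chosen only so that the setter frees and replaces the caller's buffer, and `/home/pel` is a constructed constant. Compiled with `-fsanitize=address` and run with `--pre-patch`, the alias path reproduces a heap-use-after-free in `strlen()`, the same READ the report shows under `vim_strsave()`; the default path reads through `*varp` as the patch does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The variable that do_set()'s `varp` points at; it owns the current heap buffer. */
typedef struct { char *value; } string_option;

/* What an OptionSet handler would observe. */
typedef struct {
    char *option_old;        /* v:option_old */
    char *option_new;        /* v:option_new */
    int buffer_replaced;     /* 1 if the setter swapped the caller's buffer */
} optionset_event;

/* Like vim_strsave(): the strlen() in here is the READ that ASan flagged. */
static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for did_set_string_option(). Hypothetical side effect: a leading
 * '~' is expanded to a fixed home directory, which means allocating a new
 * buffer, freeing the one the caller installed and re-pointing *varp.
 * Returns NULL on success or an error message. */
static const char *did_set_string_option(char **varp)
{
    static const char home[] = "/home/pel";  /* constructed; no getenv(), so runs are deterministic */
    if ((*varp)[0] != '~')
        return NULL;
    char *expanded = malloc(sizeof home + strlen(*varp + 1));
    if (expanded == NULL)
        return "E342: Out of memory";
    strcpy(expanded, home);
    strcat(expanded, *varp + 1);
    free(*varp);                 /* the caller's `newval` is dead from here on */
    *varp = expanded;
    return NULL;
}

/* Mirrors the string branch of do_set(). `pre_patch` selects what feeds
 * v:option_new: the local alias `newval` (code before the patch) or *varp,
 * the option variable itself (what the patch does). The alias path is the
 * use-after-free whenever the setter replaced the buffer. On success the
 * caller frees ev->option_old and ev->option_new. */
static int set_string_option(string_option *opt, const char *arg,
                             int pre_patch, optionset_event *ev)
{
    char **varp = &opt->value;
    char *oldval = *varp;
    char *saved_origval = xstrdup(oldval);   /* kept for v:option_old */
    char *newval = xstrdup(arg);             /* the alloc() at option.c:4749 */
    if (saved_origval == NULL || newval == NULL) {
        free(saved_origval);
        free(newval);
        return -1;
    }
    *varp = newval;                          /* the option now owns newval */

    const char *errmsg = did_set_string_option(varp);   /* may free newval */
    if (errmsg != NULL) {                    /* do_set: goto skip, no event fired */
        free(newval);                        /* this setter fails before freeing it */
        *varp = oldval;
        free(saved_origval);
        return -1;
    }
    free(oldval);

    ev->buffer_replaced = (*varp != newval); /* compares pointer values only */
    ev->option_old = saved_origval;
    /* Pre-patch: set_vim_var_string(VV_OPTION_NEW, newval, -1) goes through
     * the alias. Patched: read the value the option actually holds now. */
    ev->option_new = xstrdup(pre_patch ? newval : *varp);
    return ev->option_new != NULL ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* `--pre-patch` takes the alias path; built with -fsanitize=address it
     * reproduces a heap-use-after-free in strlen like the report above. */
    int pre_patch = argc > 1 && strcmp(argv[1], "--pre-patch") == 0;
    string_option opt = { xstrdup(".") };
    optionset_event ev = { NULL, NULL, 0 };
    if (opt.value == NULL || set_string_option(&opt, "~/tmp", pre_patch, &ev) != 0)
        return 1;
    printf("v:option_old=%s v:option_new=%s buffer_replaced=%d\n",
           ev.option_old, ev.option_new, ev.buffer_replaced);
    free(ev.option_old);
    free(ev.option_new);
    free(opt.value);
    return 0;
}
```

The `buffer_replaced` flag is what makes the bug visible without dereferencing anything: when it is 1, `newval` and `*varp` name different allocations and only the second is alive, so any code that still holds `newval` after the setter is one `strlen()` away from the report above.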
