On Sat, Jul 18, 2015 at 1:13 PM, h_east <[email protected]> wrote:
> Hi Dominique,
>
> 2015-7-18(Sat) 14:40:28 UTC+9 Dominique Pelle:
>> h_east wrote:
>>
>> > Hi Dominique!
>> >
>> > 2015-7-18(Sat) 9:38:45 UTC+9 Dominique Pelle:
>> >> Bram Moolenaar <[email protected]> wrote:
>> >>
>> >> > Patch 7.4.786
>> >> > Problem: It is not possible for a plugin to adjust to a changed
>> >> > setting.
>> >> > Solution: Add the OptionSet autocommand event. (Christian Brabandt)
>> >>
>> >> Hi
>> >>
>> >> This patch causes use of freed memory when running test10.
>> >>
>> >> changeset 6935:4db70c94226b -> crash in test 10 with asan
>> >> changeset 6934:be7bd53ad376 -> no crash
>>
>> ....snip...
>>
>> > Could you try attached patch?
>> >
>> > --
>> > Best regards,
>> > Hirohito Higashi (a.k.a h_east)
>>
>> Hi Hirohito
>>
>> test10 still crashes after your patch, but the stack is then
>> different after your patch:
> ..snip..
>
> Thanks for confirming my patch!
> # My environment does not crash in original 7.4.786. (fedora 20 64bit)
>
> I updated the patch.
> Attached new patch and valgrind.test10.
>
> valgrind.test10 seems to say that it still errors...
> Excuse me. Could you try this patch again?
>
> Thanks.
> --
> Best regards,
> Hirohito Higashi (a.k.a h_east)
Hi Hirohito,
I still see another use-after-free bug when running
all tests after applying the latest patch. It happens in test78:
=================================================================
==15757==ERROR: AddressSanitizer: heap-use-after-free on address
0x602000109af0 at pc 0x0000004da587 bp 0x7ffe37307070 sp
0x7ffe37306828
READ of size 2 at 0x602000109af0 thread T0
#0 0x4da586 in strlen ??:?
#1 0xc94c39 in vim_strsave /home/pel/sb/vim/src/misc2.c:1245
#2 0x672be9 in set_vim_var_string /home/pel/sb/vim/src/eval.c:20566
#3 0xea78f3 in set_string_option /home/pel/sb/vim/src/option.c:5742
#4 0xe543f0 in set_option_value /home/pel/sb/vim/src/option.c:9264
#5 0xb4b8d1 in ml_recover /home/pel/sb/vim/src/memline.c:1468
#6 0x8e25a8 in ex_recover /home/pel/sb/vim/src/ex_docmd.c:7945
#7 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#8 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#9 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
#10 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
#11 0x15ab12d in main_loop /home/pel/sb/vim/src/main.c:1351
#12 0x1598cca in main /home/pel/sb/vim/src/main.c:1050
#13 0x2ac7c10dbec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#14 0x465d46 in _start ??:?
0x602000109af1 is located 0 bytes to the right of 1-byte region
[0x602000109af0,0x602000109af1)
freed by thread T0 here:
#0 0x4eca32 in free ??:?
#1 0xc94a66 in vim_free /home/pel/sb/vim/src/misc2.c:1707
#2 0xe8efd3 in did_set_string_option /home/pel/sb/vim/src/option.c:6085
#3 0xea76d2 in set_string_option /home/pel/sb/vim/src/option.c:5731
#4 0xe543f0 in set_option_value /home/pel/sb/vim/src/option.c:9264
#5 0xb4b8d1 in ml_recover /home/pel/sb/vim/src/memline.c:1468
#6 0x8e25a8 in ex_recover /home/pel/sb/vim/src/ex_docmd.c:7945
#7 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#8 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#9 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
#10 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
#11 0x15ab12d in main_loop /home/pel/sb/vim/src/main.c:1351
#12 0x1598cca in main /home/pel/sb/vim/src/main.c:1050
#13 0x2ac7c10dbec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
previously allocated by thread T0 here:
#0 0x4ecd12 in __interceptor_malloc ??:?
#1 0xc928c2 in lalloc /home/pel/sb/vim/src/misc2.c:921
#2 0xc9252b in alloc /home/pel/sb/vim/src/misc2.c:820
#3 0xc94c9c in vim_strsave /home/pel/sb/vim/src/misc2.c:1246
#4 0xea6fdc in set_string_option /home/pel/sb/vim/src/option.c:5712
#5 0xe543f0 in set_option_value /home/pel/sb/vim/src/option.c:9264
#6 0xb4b8d1 in ml_recover /home/pel/sb/vim/src/memline.c:1468
#7 0x8e25a8 in ex_recover /home/pel/sb/vim/src/ex_docmd.c:7945
#8 0x88e0d0 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#9 0x877452 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#10 0xd96e94 in nv_colon /home/pel/sb/vim/src/normal.c:5405
#11 0xd4c127 in normal_cmd /home/pel/sb/vim/src/normal.c:1162
#12 0x15ab12d in main_loop /home/pel/sb/vim/src/main.c:1351
#13 0x1598cca in main /home/pel/sb/vim/src/main.c:1050
#14 0x2ac7c10dbec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
Shadow bytes around the buggy address:
0x0c0480019300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480019310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480019320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480019330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0480019340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0480019350: fa fa fa fa fa fa 03 fa fa fa 01 fa fa fa[fd]fa
0x0c0480019360: fa fa 05 fa fa fa fd fa fa fa fd fa fa fa 01 fa
0x0c0480019370: fa fa 00 fa fa fa 04 fa fa fa 00 03 fa fa 00 03
0x0c0480019380: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480019390: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c04800193a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15757==ABORTING
Aborted (core dumped)
Regards
Dominique
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
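The trace above has the classic three-part shape of a heap-use-after-free: the old option string is allocated by vim_strsave in set_string_option, freed by vim_free in did_set_string_option, and then read again by strlen when set_vim_var_string tries to publish it. The following is an added illustration of that ordering problem and its fix in a reduced model; it is not Vim's code and not part of this thread, and the names (str_option_t, v_option_old, set_option_buggy, set_option_fixed, dup_str) are hypothetical stand-ins constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reduced model of a string option whose previous value is
 * exposed to plugins (a stand-in for a v:option_old-style variable).
 * Constructed for illustration only; the names are not Vim's. */
typedef struct {
    char *value;                    /* current value, heap-allocated */
} str_option_t;

static char *v_option_old = NULL;   /* last published "old value" */

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

void option_init(str_option_t *opt, const char *initial)
{
    opt->value = dup_str(initial);
}

void option_free(str_option_t *opt)
{
    free(opt->value);
    opt->value = NULL;
    free(v_option_old);
    v_option_old = NULL;
}

const char *option_old_value(void)
{
    return v_option_old;
}

/* Buggy ordering: the previous value is freed first, and its now-dangling
 * pointer is then handed to dup_str, which calls strlen on freed memory.
 * This is the shape of the report above (free under did_set_string_option,
 * then a READ in strlen under vim_strsave). Kept only to contrast with the
 * fixed version; call it only under AddressSanitizer. */
void set_option_buggy(str_option_t *opt, const char *newval)
{
    char *oldval = opt->value;
    opt->value = dup_str(newval);
    free(oldval);                       /* oldval is dangling from here on */
    free(v_option_old);
    v_option_old = dup_str(oldval);     /* heap-use-after-free read */
}

/* Fixed ordering: copy the old value while it is still live, and free it
 * only once no remaining code path can read it. */
void set_option_fixed(str_option_t *opt, const char *newval)
{
    char *oldval = opt->value;
    free(v_option_old);
    v_option_old = dup_str(oldval);     /* copy taken before the free */
    opt->value = dup_str(newval);
    free(oldval);                       /* safe: nothing reads oldval later */
}

int main(void)
{
    str_option_t opt;
    option_init(&opt, "unix");
    set_option_fixed(&opt, "dos");
    printf("value=%s old=%s\n", opt.value, option_old_value());
    option_free(&opt);
    return 0;
}
```

Building this with `cc -fsanitize=address -g` and calling set_option_buggy instead of set_option_fixed produces an AddressSanitizer heap-use-after-free report of the same form as the one above (a READ inside strlen, with the "freed by" and "previously allocated by" stacks pointing at the free and the dup_str in the setter), which is the quickest way to confirm that a candidate fix really changes the free/use ordering rather than just moving the crash to another test.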