Hi
Valgrind detects use of uninitialized memory when doing:
$ valgrind --track-origins=yes \
vim -u NONE -c '/\(\&\|\1\)\(x\)' 2> vg.log
Vim gives:
Error detected while processing /home/pel/sb/vim/src/undef.vim:
line 1:
E486: Pattern not found: \(\&\|\1\)\(x\)
Press ENTER or type command to continue
I would expect Vim to detect an invalid back reference here
instead of saying "Pattern not found". And valgrind log file
vg.log shows access to uninitialized memory:
==6067== Memcheck, a memory error detector
==6067== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==6067== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==6067== Command: ./vim -u NONE -c /\\(\\&\\|\\1\\)\\(x\\)
==6067==
==6067== Conditional jump or move depends on uninitialised value(s)
==6067== at 0x5010C6: sub_equal (regexp_nfa.c:4027)
==6067== by 0x5029F7: has_state_with_pos.isra.16 (regexp_nfa.c:4109)
==6067== by 0x502C2B: addstate (regexp_nfa.c:4379)
==6067== by 0x502E03: addstate (regexp_nfa.c:4547)
==6067== by 0x502ED3: addstate (regexp_nfa.c:4651)
==6067== by 0x5032B2: addstate_here (regexp_nfa.c:4692)
==6067== by 0x51890E: nfa_regmatch (regexp_nfa.c:6699)
==6067== by 0x51AB3F: nfa_regtry (regexp_nfa.c:6893)
==6067== by 0x51AF62: nfa_regexec_both (regexp_nfa.c:7084)
==6067== by 0x51E9A8: vim_regexec_multi (regexp.c:8276)
==6067== by 0x53184B: searchit (search.c:714)
==6067== by 0x532725: do_search (search.c:1432)
==6067== Uninitialised value was created by a heap allocation
==6067== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6067== by 0x4C0B2A: lalloc (misc2.c:921)
==6067== by 0x518391: nfa_regmatch (regexp_nfa.c:5473)
==6067== by 0x51AB3F: nfa_regtry (regexp_nfa.c:6893)
==6067== by 0x51AF62: nfa_regexec_both (regexp_nfa.c:7084)
==6067== by 0x51E9A8: vim_regexec_multi (regexp.c:8276)
==6067== by 0x53184B: searchit (search.c:714)
==6067== by 0x532725: do_search (search.c:1432)
==6067== by 0x45E401: get_address (ex_docmd.c:4508)
==6067== by 0x46613F: do_cmdline (ex_docmd.c:2183)
==6067== by 0x409464: main (main.c:2926)
.... snip more errors after that....
Code in regexp_nfa.c:4027 where the error is detected:
3986 static int
3987 sub_equal(sub1, sub2)
3988 regsub_T *sub1;
3989 regsub_T *sub2;
3990 {
....
4026 s2 = -1;
!!4027 if (s1 != s2)
4028 return FALSE;
4029 if (s1 != -1 && sub1->list.multi[i].end_col
4030 != sub2->list.multi[i].end_col)
4031 return FALSE;
Adding some printf(), I can see that neither s1 nor s2
is initialized at line 4027.
Valgrind does not complain when using the old regexp engine (re=1)
with the same regexp:
$ valgrind --track-origins=yes \
vim -c 'set re=1' -u NONE -c '/\(\&\|\1\)\(x\)' 2> vg.log
With the old regexp engine, vim properly detects the invalid
regexp, saying:
Error detected while processing /home/pel/sb/vim/src/undef.vim:
line 1:
E65: Illegal back reference
The bug was found using afl-fuzz. I don't know how to fix it.
Regards
Dominique
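To show the class of defect Memcheck is reporting, here is an added cut-down model of the sub_equal() comparison from the trace above; it is not Vim's code. The struct layout, the claimed-but-unfilled entry, and the two allocator variants are assumptions of this model, not the diagnosed root cause in regexp_nfa.c.

```c
/* Added model of the sub_equal() comparison in the report; not Vim's code.
 * Struct shapes and the partially filled state are modelling assumptions. */
#include <stdlib.h>

#define NSUBEXP 10

typedef struct { long start_lnum; int end_col; } multipos_T;   /* modelled */
typedef struct {
    int in_use;                          /* entries the engine claims are valid */
    struct { multipos_T multi[NSUBEXP]; } list;
} regsub_T;                                                   /* modelled */

/* Same shape as regexp_nfa.c:4027 in the trace: s1/s2 are -1 for entries
 * beyond in_use, otherwise read straight out of the multi[] list. */
static int sub_equal(const regsub_T *sub1, const regsub_T *sub2)
{
    int todo = sub1->in_use > sub2->in_use ? sub1->in_use : sub2->in_use;
    for (int i = 0; i < todo; ++i) {
        long s1 = i < sub1->in_use ? sub1->list.multi[i].start_lnum : -1;
        long s2 = i < sub2->in_use ? sub2->list.multi[i].start_lnum : -1;
        if (s1 != s2)                    /* Memcheck's "conditional jump" site */
            return 0;
        if (s1 != -1 && sub1->list.multi[i].end_col != sub2->list.multi[i].end_col)
            return 0;
    }
    return 1;
}

/* Like the heap allocation in the trace: malloc() leaves multi[] unwritten,
 * so any entry below in_use that is never filled feeds garbage into s1 != s2. */
static regsub_T *sub_alloc_uninit(int in_use)
{
    regsub_T *sub = malloc(sizeof *sub);
    if (sub) sub->in_use = in_use;
    return sub;
}

/* Hardened variant: every slot starts as "no match" (-1), so an unfilled
 * entry compares deterministically and Memcheck has nothing to report. */
static regsub_T *sub_alloc_init(int in_use)
{
    regsub_T *sub = malloc(sizeof *sub);
    if (!sub) return NULL;
    sub->in_use = in_use;
    for (int i = 0; i < NSUBEXP; ++i) {
        sub->list.multi[i].start_lnum = -1;
        sub->list.multi[i].end_col = 0;
    }
    return sub;
}
```

Running the two allocators' results through sub_equal() under `valgrind --track-origins=yes` reproduces the report's "Conditional jump ... depends on uninitialised value(s)" only for sub_alloc_uninit().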