Using the attached script with 7.4.1795, Vim reliably crashes when
freeing the job and operator-pending mode is active.

  $ vim -u NONE -N foo.vim
  :source %
  d
  " Wait for 10 seconds or so to ensure the job gets automatically freed
  <Esc>

GDB shows the stack at the time of the crash as:

    #0  0x00007fae83ddf7b7 in kill () at ../sysdeps/unix/syscall-template.S:84
    #1  0x00000000004f4343 in may_core_dump () at os_unix.c:3297
    #2  0x00000000004f5d13 in may_core_dump () at os_unix.c:3254
    #3  mch_exit (r=1) at os_unix.c:3263
    #4  <signal handler called>
    #5  channel_clear_one (channel=channel@entry=0x1233a30, part=part@entry=0) at channel.c:2536
    #6  0x000000000058517f in channel_clear (channel=channel@entry=0x1233a30) at channel.c:2570
    #7  0x0000000000586416 in channel_free_contents (channel=channel@entry=0x1233a30) at channel.c:379
    #8  0x0000000000586439 in channel_free (channel=0x1233a30) at channel.c:400
    #9  0x0000000000586475 in channel_free (channel=<optimized out>) at channel.c:420
    #10 channel_may_free (channel=<optimized out>) at channel.c:416
    #11 0x0000000000586515 in channel_unref (channel=<optimized out>) at channel.c:431
    #12 job_free_contents (job=job@entry=0x1233970) at channel.c:4051
    #13 0x00000000005865f9 in job_free (job=0x1233970) at channel.c:4077
    #14 job_status (job=0x1233970) at channel.c:4484
    #15 0x0000000000588c5d in job_status (job=<optimized out>) at channel.c:4242
    #16 job_check_ended () at channel.c:4243
    #17 0x00000000004c5acc in parse_queued_messages () at misc2.c:6245
    #18 0x00000000004f47fa in mch_inchar (buf=buf@entry=0x8158be <typebuf_init+62> "", maxlen=67, wtime=1000, tb_change_cnt=62) at os_unix.c:390
    #19 0x000000000056e0d3 in ui_inchar (buf=buf@entry=0x8158be <typebuf_init+62> "", maxlen=maxlen@entry=67, wtime=wtime@entry=1000, tb_change_cnt=tb_change_cnt@entry=62) at ui.c:195
    #20 0x000000000049050f in inchar (buf=0x8158be <typebuf_init+62> "", maxlen=202, wait_time=1000, tb_change_cnt=62) at getchar.c:3056
    #21 0x00000000004923c4 in vgetorpeek (advance=advance@entry=1) at getchar.c:2832
    #22 0x0000000000492c6a in vgetc () at getchar.c:1605
    #23 0x0000000000492fa9 in safe_vgetc () at getchar.c:1801
    #24 0x00000000004d9f76 in normal_cmd (oap=oap@entry=0x7ffd11d6b110, toplevel=toplevel@entry=1) at normal.c:627
    #25 0x000000000058ca07 in main_loop (cmdwin=cmdwin@entry=0, noexmode=noexmode@entry=0) at main.c:1359
    #26 0x0000000000407c1f in main (argc=<optimized out>, argv=<optimized out>) at main.c:1051

and for good measure, here's what ASAN says about it:

    =================================================================
    ==19891==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000009bb0 at pc 0x000001fc1075 bp 0x7ffc765884b0 sp 0x7ffc765884a8
    WRITE of size 8 at 0x618000009bb0 thread T0
        #0 0x1fc1074 in job_free_contents channel.c:?
        #1 0x1fc02b8 in job_free channel.c:?
        #2 0x1fc7187 in job_status ??:?
        #3 0x1fc5324 in job_check_ended ??:?
        #4 0x11cb90e in parse_queued_messages ??:?
        #5 0x152b2e7 in mch_inchar ??:?
        #6 0x1dbffcc in ui_inchar ??:?
        #7 0xe0482b in inchar ??:?
        #8 0xe37560 in vgetorpeek getchar.c:?
        #9 0xe1d50c in vgetc ??:?
        #10 0xe38d98 in safe_vgetc ??:?
        #11 0x127d572 in normal_cmd ??:?
        #12 0x2019284 in main_loop ??:?
        #13 0x1ffcbf0 in main ??:?
        #14 0x7f92758a860f in __libc_start_main ??:?
        #15 0x462f38 in _start ??:?

    0x618000009bb0 is located 816 bytes inside of 840-byte region [0x618000009880,0x618000009bc8)
    freed by thread T0 here:
        #0 0x4e9c22 in __interceptor_free ??:?
        #1 0x1170ea2 in vim_free ??:?
        #2 0x1f5f6ae in channel_free_channel channel.c:?
        #3 0x1f5eac4 in free_unused_channels ??:?
        #4 0x7c8eed in free_unref_items eval.c:?
        #5 0x747fc3 in garbage_collect ??:?
        #6 0xe1c808 in before_blocking ??:?
        #7 0x152b836 in mch_inchar ??:?
        #8 0x1dbffcc in ui_inchar ??:?
        #9 0xe0482b in inchar ??:?
        #10 0xe37560 in vgetorpeek getchar.c:?
        #11 0xe1d50c in vgetc ??:?
        #12 0xe38d98 in safe_vgetc ??:?
        #13 0x127d572 in normal_cmd ??:?
        #14 0x2019284 in main_loop ??:?
        #15 0x1ffcbf0 in main ??:?
        #16 0x7f92758a860f in __libc_start_main ??:?

    previously allocated by thread T0 here:
        #0 0x4e9f02 in malloc ??:?
        #1 0x116db6e in lalloc ??:?
        #2 0x116e8b2 in alloc_clear ??:?
        #3 0x1f5a0c9 in add_channel ??:?
        #4 0x15534bb in mch_start_job ??:?
        #5 0x1fcb493 in job_start ??:?
        #6 0x8c00d3 in f_job_start eval.c:?
        #7 0x77925f in call_func ??:?
        #8 0x79b347 in get_func_tv eval.c:?
        #9 0x790167 in ex_call ??:?
        #10 0xb1f48c in do_one_cmd ex_docmd.c:?
        #11 0xaf6041 in do_cmdline ??:?
        #12 0xadae2a in do_source ??:?
        #13 0xad4fef in cmd_source ex_cmds2.c:?
        #14 0xad52f2 in ex_source ??:?
        #15 0xb1f48c in do_one_cmd ex_docmd.c:?
        #16 0xaf6041 in do_cmdline ??:?
        #17 0x130eed5 in nv_colon normal.c:?
        #18 0x128d17f in normal_cmd ??:?
        #19 0x2019284 in main_loop ??:?
        #20 0x1ffcbf0 in main ??:?
        #21 0x7f92758a860f in __libc_start_main ??:?

    Shadow bytes around the buggy address:
      0x0c307fff9320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c307fff9330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c307fff9340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c307fff9350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c307fff9360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c307fff9370: fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa
      0x0c307fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c307fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff93a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff93b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff93c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==19891==ABORTING

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <james...@jamessan.com>

let jobber = {}
fun! jobber.out_cb(chan, msg)
    call append(line('$'), strftime('%c').' '.a:msg." out")
endfun
fun! jobber.exit_cb(id, rc)
  call append(line('$'), strftime('%c').' '.a:rc)
endfun
call job_start(['seq', '5000'], {'out_cb': jobber.out_cb, 'exit_cb': jobber.exit_cb})
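The ASAN report above shows the ordering that produces the use-after-free: the channel is released by garbage_collect -> free_unused_channels -> channel_free_channel while the job still holds its pointer, and the later job_free_contents -> channel_unref writes into the freed block. The following is an added, constructed C model of that job/channel pairing, not Vim's code and not the fix that went into Vim; it shows one generic mitigation for this class of bug, assumed here for illustration: the routine that frees the channel severs the job's back-pointer first, and the job's free path checks for NULL before unreferencing. Names such as job_start, add_channel, free_unused_channels, job_free and the ch_marked flag are stand-ins for the real functions in the trace.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not Vim's implementation): a job owns one channel,
 * and the channel keeps a back-pointer to the job that owns it. */
typedef struct job_S job_T;
typedef struct channel_S {
    int     ch_refcount;   /* references held by the job / script values */
    int     ch_marked;     /* set by the mark phase when still reachable */
    job_T  *ch_job;        /* back-pointer to the owning job, or NULL */
} channel_T;

struct job_S {
    channel_T *jv_channel;  /* channel the job's output goes to, or NULL */
};

#define MAX_CHANNELS 8
static channel_T *channels[MAX_CHANNELS];   /* stands in for the global channel list */
static int        nchannels;

static void channel_free_channel(channel_T *ch)
{
    /* Mitigation (assumed, not Vim's actual fix): sever the back-pointer
     * before freeing, so a job freed later cannot write into this block. */
    if (ch->ch_job != NULL)
        ch->ch_job->jv_channel = NULL;
    for (int i = 0; i < nchannels; ++i)
        if (channels[i] == ch) {
            channels[i] = channels[--nchannels];   /* compact the list */
            break;
        }
    free(ch);
}

static void channel_unref(channel_T *ch)
{
    if (--ch->ch_refcount <= 0)
        channel_free_channel(ch);
}

static channel_T *add_channel(job_T *job)
{
    if (nchannels >= MAX_CHANNELS)
        return NULL;
    channel_T *ch = calloc(1, sizeof *ch);
    if (ch == NULL)
        return NULL;
    ch->ch_refcount = 1;        /* the job's own reference */
    ch->ch_job = job;
    channels[nchannels++] = ch;
    return ch;
}

job_T *job_start(void)
{
    job_T *job = calloc(1, sizeof *job);
    if (job == NULL)
        return NULL;
    job->jv_channel = add_channel(job);
    if (job->jv_channel == NULL) {
        free(job);
        return NULL;
    }
    return job;
}

void channel_mark(channel_T *ch) { ch->ch_marked = 1; }

/* GC sweep: free every channel the mark phase did not reach, as
 * free_unused_channels() does in the trace. Returns the number freed. */
int free_unused_channels(void)
{
    int freed = 0;
    for (int i = 0; i < nchannels; )
        if (!channels[i]->ch_marked) {
            channel_free_channel(channels[i]);  /* compacts; revisit index i */
            ++freed;
        } else {
            channels[i]->ch_marked = 0;          /* reset for the next cycle */
            ++i;
        }
    return freed;
}

/* Free a job. Returns 1 if its channel was still attached, 0 if the sweep
 * had already taken it; with the back-pointer cleared, the second case is a
 * harmless skip instead of the write into freed memory seen under ASAN. */
int job_free(job_T *job)
{
    int had_channel = job->jv_channel != NULL;
    if (had_channel)
        channel_unref(job->jv_channel);   /* may free the channel */
    free(job);
    return had_channel;
}

int live_channels(void) { return nchannels; }

int main(void)
{
    job_T *job = job_start();               /* channel never marked ... */
    printf("swept: %d\n", free_unused_channels());   /* ... so GC frees it */
    printf("job still had channel: %d\n", job_free(job));
    return 0;
}
```

Run under AddressSanitizer the same way the report above was produced; with the two lines in channel_free_channel removed, the second scenario (job freed after the sweep) becomes exactly the heap-use-after-free the report describes, and ASAN flags it in job_free.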
