Hi
afl-fuzz found another crash in Vim-7.4.2311 and older:
$ cat crash.vim
augroup x
augroup! x
au VimEnter * echo
au VimEnter
$ vim -u NONE -S crash.vim
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)
program received signal SIGSEGV, Segmentation fault.
0x000000000062cc86 in msg_puts_display (str=0x0, maxlen=-1, attr=0, recurse=0) at message.c:1937
(gdb) bt
#0 0x000000000062cc86 in msg_puts_display (str=0x0, maxlen=-1, attr=0, recurse=0) at message.c:1937
#1 0x000000000062c5a3 in msg_puts_attr_len (str=0x0, maxlen=-1, attr=0) at message.c:1910
#2 0x000000000062c4e7 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
#3 0x00000000004ab567 in show_autocmd (ap=0x932700, event=EVENT_VIMENTER) at fileio.c:7816
#4 0x00000000004ac7a5 in do_autocmd_event (event=EVENT_VIMENTER, pat=0x931f8b "", nested=0, cmd=0x931f8b "", forceit=0, group=-3) at fileio.c:8529
#5 0x00000000004ac570 in do_autocmd (arg_in=0x931f83 "VimEnter", forceit=0) at fileio.c:8440
#6 0x0000000000480ca1 in ex_autocmd (eap=0x7fffffffcae0) at ex_docmd.c:5488
#7 0x000000000047bdc7 in do_one_cmd (cmdlinep=0x7fffffffccf0, sourcing=1, cstack=0x7fffffffcde0, fgetline=0x4769a3 <getsourceline>, cookie=0x7fffffffd340) at ex_docmd.c:2967
#8 0x0000000000478823 in do_cmdline (cmdline=0x931e70 "augroup x", fgetline=0x4769a3 <getsourceline>, cookie=0x7fffffffd340, flags=7) at ex_docmd.c:1110
#9 0x000000000047659d in do_source (fname=0x931c13 "c.vim", check_other=0, is_vimrc=0) at ex_cmds2.c:4097
#10 0x0000000000475baf in cmd_source (fname=0x931c13 "c.vim", eap=0x7fffffffd550) at ex_cmds2.c:3710
#11 0x0000000000475afd in ex_source (eap=0x7fffffffd550) at ex_cmds2.c:3685
#12 0x000000000047bdc7 in do_one_cmd (cmdlinep=0x7fffffffd760, sourcing=1, cstack=0x7fffffffd850, fgetline=0x0, cookie=0x0) at ex_docmd.c:2967
#13 0x0000000000478823 in do_cmdline (cmdline=0x8eb7e0 "so c.vim", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1110
#14 0x0000000000477e5f in do_cmdline_cmd (cmd=0x8eb7e0 "so c.vim") at ex_docmd.c:715
#15 0x0000000000625ac1 in exe_commands (parmp=0x8ce200 <params>) at main.c:2896
#16 0x0000000000622bee in vim_main2 () at main.c:781
#17 0x00000000006224ef in main (argc=6, argv=0x7fffffffdea8) at main.c:415
1917│ static void
1918│ msg_puts_display(
1919│ char_u *str,
1920│ int maxlen,
1921│ int attr,
1922│ int recurse)
1923│ {
1924│ char_u *s = str;
1925│ char_u *t_s = str; /* string from "t_s" to "s" is still todo */
1926│ int t_col = 0; /* screen cells todo, 0 when "t_s" not used */
1927│ #ifdef FEAT_MBYTE
1928│ int l;
1929│ int cw;
1930│ #endif
1931│ char_u *sb_str = str;
1932│ int sb_col = msg_col;
1933│ int wrap;
1934│ int did_last_char;
1935│
1936│ did_wait_return = FALSE;
1937├> while ((maxlen < 0 || (int)(s - str) < maxlen) && *s != NUL)
1938│ {
(gdb) p s
$1 = (char_u *) 0x0
#1 0x000000000064ac7f in msg_puts_attr_len (str=0x0, maxlen=-1, attr=0) at message.c:1910
(gdb) up
#2 0x000000000064abc3 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
(gdb) up
#3 0x00000000004b145d in show_autocmd (ap=0x959780, event=EVENT_VIMENTER) at fileio.c:7816
7815│ if (AUGROUP_NAME(ap->group) == NULL)
7816├> msg_puts_attr(deleted_augroup, hl_attr(HLF_E));
7817│ else
7818│ msg_puts_attr(AUGROUP_NAME(ap->group), hl_attr(HLF_T));
(gdb) p deleted_augroup
$2 = (char_u *) 0x0
It does not crash using vim-7.4.752 that comes with xubuntu-15.10
so it's a regression.
git bisect identified that it started to crash in Vim-7.4.2117:
===
f2c4c391192cab6e923b1a418d4af09106fba25f is the first bad commit
commit f2c4c391192cab6e923b1a418d4af09106fba25f
Author: Bram Moolenaar <[email protected]>
Date: Fri Jul 29 20:50:24 2016 +0200
patch 7.4.2117
Problem: Deleting an augroup that still has autocmds does not give a
warning. The next defined augroup takes its place.
Solution: Give a warning and prevent the index being used for
another group name.
===
Regards
Dominique
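
Added example, not part of the original message and not Vim's code: a simplified C model of the state the gdb session shows, where an autocmd ends up bound to a group slot whose name is NULL while deleted_augroup is still NULL. The slot bookkeeping, the rule that the placeholder is only set when a group with autocmds is deleted, the "--Deleted--" text and the label_checked() accessor are assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified model of the state in the backtrace; NOT Vim's source.
 * Identifiers mirror the gdb listing; the slot logic is an assumption. */
#define MAX_GROUPS 8
static const char *group_name[MAX_GROUPS];  /* NULL: slot unused or deleted */
static int group_in_use[MAX_GROUPS];        /* autocmds still reference slot */
static const char *deleted_augroup = NULL;  /* placeholder label, set lazily */
static int current_group = 0;

/* ":augroup name" - take the first free slot and make it current. */
int augroup_add(const char *name)
{
    for (int i = 0; i < MAX_GROUPS; i++)
        if (group_name[i] == NULL && !group_in_use[i]) {
            group_name[i] = name;
            return current_group = i;
        }
    return -1;
}

/* ":augroup! name" - assumed behaviour: the placeholder is only set up when
 * the group still has autocmds; an empty group just loses its name. */
void augroup_del(int g)
{
    if (group_in_use[g] && deleted_augroup == NULL)
        deleted_augroup = "--Deleted--";    /* constructed placeholder text */
    group_name[g] = NULL;                   /* current_group is left as is */
}

/* ":au Event pat cmd" - binds the autocmd to current_group, even if stale. */
int autocmd_add(void)
{
    group_in_use[current_group] = 1;
    return current_group;
}

/* Label as chosen at fileio.c:7815-7816: may hand NULL to the printer. */
const char *label_unchecked(int g)
{
    return group_name[g] != NULL ? group_name[g] : deleted_augroup;
}

/* Hardened variant: initialise the placeholder at the point of use. */
const char *label_checked(int g)
{
    if (group_name[g] != NULL)
        return group_name[g];
    if (deleted_augroup == NULL)
        deleted_augroup = "--Deleted--";
    return deleted_augroup;
}
```

Replaying the four lines of crash.vim against this model (add, delete, define an autocmd, list) makes label_unchecked() return NULL, which is the str=0x0 seen in frame #0.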