Dominique wrote:
> afl-fuzz found another crash in Vim-7.4.2311 and older:
>
> $ cat crash.vim
> augroup x
> augroup! x
> au VimEnter * echo
> au VimEnter
>
> $ vim -u NONE -S crash.vim
> Vim: Caught deadly signal SEGV
> Vim: Finished.
> Segmentation fault (core dumped)
>
> program received signal SIGSEGV, Segmentation fault.
> 0x000000000062cc86 in msg_puts_display (str=0x0, maxlen=-1, attr=0,
> recurse=0) at message.c:1937
> (gdb) bt
> #0 0x000000000062cc86 in msg_puts_display (str=0x0, maxlen=-1,
> attr=0, recurse=0) at message.c:1937
> #1 0x000000000062c5a3 in msg_puts_attr_len (str=0x0, maxlen=-1,
> attr=0) at message.c:1910
> #2 0x000000000062c4e7 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
> #3 0x00000000004ab567 in show_autocmd (ap=0x932700,
> event=EVENT_VIMENTER) at fileio.c:7816
> #4 0x00000000004ac7a5 in do_autocmd_event (event=EVENT_VIMENTER,
> pat=0x931f8b "", nested=0, cmd=0x931f8b "", forceit=0
> , group=-3) at fileio.c:8529
> #5 0x00000000004ac570 in do_autocmd (arg_in=0x931f83 "VimEnter",
> forceit=0) at fileio.c:8440
> #6 0x0000000000480ca1 in ex_autocmd (eap=0x7fffffffcae0) at ex_docmd.c:5488
> #7 0x000000000047bdc7 in do_one_cmd (cmdlinep=0x7fffffffccf0,
> sourcing=1, cstack=0x7fffffffcde0, fgetline=0x4769a3 <ge
> tsourceline>, cookie=0x7fffffffd340) at ex_docmd.c:2967
> #8 0x0000000000478823 in do_cmdline (cmdline=0x931e70 "augroup x",
> fgetline=0x4769a3 <getsourceline>, cookie=0x7ffffff
> fd340, flags=7) at ex_docmd.c:1110
> #9 0x000000000047659d in do_source (fname=0x931c13 "c.vim",
> check_other=0, is_vimrc=0) at ex_cmds2.c:4097
> #10 0x0000000000475baf in cmd_source (fname=0x931c13 "c.vim",
> eap=0x7fffffffd550) at ex_cmds2.c:3710
> #11 0x0000000000475afd in ex_source (eap=0x7fffffffd550) at ex_cmds2.c:3685
> #12 0x000000000047bdc7 in do_one_cmd (cmdlinep=0x7fffffffd760,
> sourcing=1, cstack=0x7fffffffd850, fgetline=0x0, cookie=
> 0x0) at ex_docmd.c:2967
> #13 0x0000000000478823 in do_cmdline (cmdline=0x8eb7e0 "so c.vim",
> fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:11
> 10
> #14 0x0000000000477e5f in do_cmdline_cmd (cmd=0x8eb7e0 "so c.vim") at
> ex_docmd.c:715
> #15 0x0000000000625ac1 in exe_commands (parmp=0x8ce200 <params>) at
> main.c:2896
> #16 0x0000000000622bee in vim_main2 () at main.c:781
> #17 0x00000000006224ef in main (argc=6, argv=0x7fffffffdea8) at main.c:415
>
> 1917│ static void
> 1918│ msg_puts_display(
> 1919│ char_u *str,
> 1920│ int maxlen,
> 1921│ int attr,
> 1922│ int recurse)
> 1923│ {
> 1924│ char_u *s = str;
> 1925│ char_u *t_s = str; /* string from "t_s" to "s" is
> still todo */
> 1926│ int t_col = 0; /* screen cells todo, 0 when
> "t_s" not used */
> 1927│ #ifdef FEAT_MBYTE
> 1928│ int l;
> 1929│ int cw;
> 1930│ #endif
> 1931│ char_u *sb_str = str;
> 1932│ int sb_col = msg_col;
> 1933│ int wrap;
> 1934│ int did_last_char;
> 1935│
> 1936│ did_wait_return = FALSE;
> 1937├> while ((maxlen < 0 || (int)(s - str) < maxlen) && *s != NUL)
> 1938│ {
>
> (gdb) p s
> $1 = (char_u *) 0x0
>
> #1 0x000000000064ac7f in msg_puts_attr_len (str=0x0, maxlen=-1,
> attr=0) at message.c:1910
> (gdb) up
> #2 0x000000000064abc3 in msg_puts_attr (s=0x0, attr=0) at message.c:1861
> (gdb) up
> #3 0x00000000004b145d in show_autocmd (ap=0x959780,
> event=EVENT_VIMENTER) at fileio.c:7816
>
> 7815│ if (AUGROUP_NAME(ap->group) == NULL)
> 7816├> msg_puts_attr(deleted_augroup, hl_attr(HLF_E));
> 7817│ else
> 7818│ msg_puts_attr(AUGROUP_NAME(ap->group), hl_attr(HLF_T));
>
> (gdb) p deleted_augroup
> $2 = (char_u *) 0x0
>
> It does not crash using vim-7.4.752 that comes with xubuntu-15.10
> so it's a regression.
>
> git bisect identified that it started to crash in Vim-7.4.2117:
>
> ===
> f2c4c391192cab6e923b1a418d4af09106fba25f is the first bad commit
> commit f2c4c391192cab6e923b1a418d4af09106fba25f
> Author: Bram Moolenaar <[email protected]>
> Date: Fri Jul 29 20:50:24 2016 +0200
>
> patch 7.4.2117
> Problem: Deleting an augroup that still has autocmds does not give a
> warning. The next defined augroup takes its place.
> Solution: Give a warning and prevent the index being used for
> another group
> name.
> ===
Thanks. Clearly using deleted_augroup this way was a bad idea.
Perhaps we should also disallow deleting an augroup while it's in use.
Can only be a mistake.
--
hundred-and-one symptoms of being an internet addict:
145. You e-mail your boss, informing him you'll be late.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
