[bug] heap-use-after-free when running tests from test_matchadd_conceal

Wed, 25 Oct 2017 12:40:07 -0700 

Hi

Running Vim tests with (vim-8.0.1216, latest in git) built
with asan aborts with this error:

Vim: Caught deadly signal ABRT_conceal_with_syntax_off()
Vim: preserving files...
Vim: Finished.

=================================================================
==9549==ERROR: AddressSanitizer: heap-use-after-free on address
0x62400027db70 at pc 0x000000a442fb bp 0x7fffb66e4700 sp
0x7fffb66e46f0
READ of size 8 at 0x62400027db70 thread T0
    #0 0xa442fa in syn_stack_find_entry /home/dope/sb/vim/src/syntax.c:1454
    #1 0xa46cb8 in syntax_end_parsing /home/dope/sb/vim/src/syntax.c:1715
    #2 0x93d0b2 in win_update /home/dope/sb/vim/src/screen.c:2178
    #3 0x930fa6 in update_screen /home/dope/sb/vim/src/screen.c:756
    #4 0x5cdca3 in ex_redraw /home/dope/sb/vim/src/ex_docmd.c:9721
    #5 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #6 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #7 0xb0abd8 in call_user_func /home/dope/sb/vim/src/userfunc.c:942
    #8 0xb0e3c3 in call_func /home/dope/sb/vim/src/userfunc.c:1427
    #9 0xb07086 in get_func_tv /home/dope/sb/vim/src/userfunc.c:455
    #10 0xb1c74d in ex_call /home/dope/sb/vim/src/userfunc.c:3082
    #11 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #12 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #13 0x4d8e8a in ex_execute /home/dope/sb/vim/src/eval.c:8344
    #14 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #15 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #16 0xb0abd8 in call_user_func /home/dope/sb/vim/src/userfunc.c:942
    #17 0xb0e3c3 in call_func /home/dope/sb/vim/src/userfunc.c:1427
    #18 0xb07086 in get_func_tv /home/dope/sb/vim/src/userfunc.c:455
    #19 0xb1c74d in ex_call /home/dope/sb/vim/src/userfunc.c:3082
    #20 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #21 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #22 0x584a8e in do_source /home/dope/sb/vim/src/ex_cmds2.c:4355
    #23 0x582f0d in cmd_source /home/dope/sb/vim/src/ex_cmds2.c:3968
    #24 0x582c35 in ex_source /home/dope/sb/vim/src/ex_cmds2.c:3943
    #25 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #26 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #27 0x58aa8a in do_cmdline_cmd /home/dope/sb/vim/src/ex_docmd.c:671
    #28 0xc7d3bb in exe_commands /home/dope/sb/vim/src/main.c:2955
    #29 0xc72bf6 in vim_main2 /home/dope/sb/vim/src/main.c:800
    #30 0xc720d1 in main /home/dope/sb/vim/src/main.c:429
    #31 0x7f6da1b8882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #32 0x412458 in _start (/home/dope/sb/vim/src/vim+0x412458)

0x62400027db70 is located 6768 bytes inside of 7224-byte region
[0x62400027c100,0x62400027dd38)
freed by thread T0 here:
    #0 0x7f6da6b84588 in free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde588)
    #1 0x75549a in vim_free /home/dope/sb/vim/src/misc2.c:1801
    #2 0x418585 in free_buffer /home/dope/sb/vim/src/buffer.c:883
    #3 0x4171e5 in close_buffer /home/dope/sb/vim/src/buffer.c:678
    #4 0x41b12e in do_buffer /home/dope/sb/vim/src/buffer.c:1462
    #5 0x419795 in do_bufdel /home/dope/sb/vim/src/buffer.c:1128
    #6 0x5afa23 in ex_bunload /home/dope/sb/vim/src/ex_docmd.c:5535
    #7 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #8 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #9 0xb0abd8 in call_user_func /home/dope/sb/vim/src/userfunc.c:942
    #10 0xb0e3c3 in call_func /home/dope/sb/vim/src/userfunc.c:1427
    #11 0xb07086 in get_func_tv /home/dope/sb/vim/src/userfunc.c:455
    #12 0xb1c74d in ex_call /home/dope/sb/vim/src/userfunc.c:3082
    #13 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #14 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #15 0x584a8e in do_source /home/dope/sb/vim/src/ex_cmds2.c:4355
    #16 0x582f0d in cmd_source /home/dope/sb/vim/src/ex_cmds2.c:3968
    #17 0x582c35 in ex_source /home/dope/sb/vim/src/ex_cmds2.c:3943
    #18 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #19 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #20 0x58aa8a in do_cmdline_cmd /home/dope/sb/vim/src/ex_docmd.c:671
    #21 0xc7d3bb in exe_commands /home/dope/sb/vim/src/main.c:2955
    #22 0xc72bf6 in vim_main2 /home/dope/sb/vim/src/main.c:800
    #23 0xc720d1 in main /home/dope/sb/vim/src/main.c:429
    #24 0x7f6da1b8882f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f6da6b84920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
    #1 0x752079 in lalloc /home/dope/sb/vim/src/misc2.c:954
    #2 0x751f42 in alloc_clear /home/dope/sb/vim/src/misc2.c:876
    #3 0x41e506 in buflist_new /home/dope/sb/vim/src/buffer.c:2001
    #4 0x548758 in do_ecmd /home/dope/sb/vim/src/ex_cmds.c:3846
    #5 0x5c581e in do_exedit /home/dope/sb/vim/src/ex_docmd.c:8637
    #6 0x5c293e in ex_splitview /home/dope/sb/vim/src/ex_docmd.c:8294
    #7 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #8 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #9 0xb0abd8 in call_user_func /home/dope/sb/vim/src/userfunc.c:942
    #10 0xb0e3c3 in call_func /home/dope/sb/vim/src/userfunc.c:1427
    #11 0xb07086 in get_func_tv /home/dope/sb/vim/src/userfunc.c:455
    #12 0xb1c74d in ex_call /home/dope/sb/vim/src/userfunc.c:3082
    #13 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #14 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #15 0x4d8e8a in ex_execute /home/dope/sb/vim/src/eval.c:8344
    #16 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #17 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #18 0xb0abd8 in call_user_func /home/dope/sb/vim/src/userfunc.c:942
    #19 0xb0e3c3 in call_func /home/dope/sb/vim/src/userfunc.c:1427
    #20 0xb07086 in get_func_tv /home/dope/sb/vim/src/userfunc.c:455
    #21 0xb1c74d in ex_call /home/dope/sb/vim/src/userfunc.c:3082
    #22 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #23 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #24 0x584a8e in do_source /home/dope/sb/vim/src/ex_cmds2.c:4355
    #25 0x582f0d in cmd_source /home/dope/sb/vim/src/ex_cmds2.c:3968
    #26 0x582c35 in ex_source /home/dope/sb/vim/src/ex_cmds2.c:3943
    #27 0x599fce in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #28 0x58c5fc in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #29 0x58aa8a in do_cmdline_cmd /home/dope/sb/vim/src/ex_docmd.c:671

SUMMARY: AddressSanitizer: heap-use-after-free
/home/dope/sb/vim/src/syntax.c:1454 in syn_stack_find_entry
Shadow bytes around the buggy address:
  0x0c4880047b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4880047b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c4880047b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4880047ba0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c4880047bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9549==ABORTING

It's 100% reproducible on my Linux xubuntu-16.04 x86_64
machine with:

$ cd vim
$ CC=gcc-7 ./configure --with-features=huge --enable-gui=none
$ make
$ cd src/testdir
$ make test_matchadd_conceal.res

I found that the asan error happens when vim is built with gcc-4.9
or gcc-7.2, but it does not happen when vim is built with gcc-5.4,
clang-4.0 or clang-5.0. Strange. Does anybody else sees that too?

It also does not happen in Travis which uses asan with gcc-4.8.4.

Regards
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Raspunde prin e-mail lui