Dominique wrote:

> I configured Vim-8.0.1316 as follows and built with asan:
> 
> $ CC=gcc-7 ./configure --with-features=huge \
>   --enable-gui=gtk3 --enable-python3interp=yes \
>   --enable-pythoninterp=yes
> 
> I built with asan with these local changes:
> 
> $ git diff
> diff --git a/src/Makefile b/src/Makefile
> index 09cf21e..d927a1f 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -684,7 +684,7 @@ LINT_OPTIONS = -beprxzF
>  # address sanitizer or with the undefined sanitizer.  Works with gcc and
>  # clang.  May make Vim twice as slow.  Errors reported on stderr.
>  # More at: https://code.google.com/p/address-sanitizer/
> -#SANITIZER_CFLAGS = -g -O0 -fsanitize=address -fno-omit-frame-pointer
> +SANITIZER_CFLAGS = -g -O0 -fsanitize=address -fno-omit-frame-pointer
>  #SANITIZER_CFLAGS = -g -O0 -fsanitize=undefined -fno-omit-frame-pointer
>  SANITIZER_LIBS = $(SANITIZER_CFLAGS)
> 
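Review bot: no separate link-step change is needed for this hunk; `SANITIZER_LIBS = $(SANITIZER_CFLAGS)` two lines below passes the same `-fsanitize=address` to the linker, which is what pulls in the ASan runtime. Two points on the surrounding comment: `-O0` is what makes the report's `terminal.c:3226` attribution exact, at the cost of the slowdown the comment warns about, and the `code.google.com/p/address-sanitizer` link is the retired Google Code page; the project now lives at https://github.com/google/sanitizers, so the comment could be updated.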
> @@ -693,12 +693,12 @@ SANITIZER_LIBS = $(SANITIZER_CFLAGS)
>  # Configuration is in the .ccmalloc or ~/.ccmalloc file.
>  # Doesn't work very well, since memory linked to from global variables
>  # (in libraries) is also marked as leaked memory.
> -#LEAK_CFLAGS = -DEXITFREE
> +LEAK_CFLAGS = -DEXITFREE
>  #LEAK_LIBS = -lccmalloc
> 
>  # Uncomment this line to have Vim call abort() when an internal error is
>  # detected.  Useful when using a tool to find errors.
> -#ABORT_CLFAGS = -DABORT_ON_INTERNAL_ERROR
> +ABORT_CLFAGS = -DABORT_ON_INTERNAL_ERROR
> 
>  #####################################################
>  ###  Specific systems, check if yours is listed!  ### {{{
> 
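Review bot: the variable on the uncommented line is spelled `ABORT_CLFAGS`, not `ABORT_CFLAGS`, in both the `-` and `+` lines; if the rest of the Makefile adds `$(ABORT_CFLAGS)` to the compile flags, this assignment is never read and `-DABORT_ON_INTERNAL_ERROR` silently does nothing, so check how the variable is referenced downstream and fix the name if they differ. Enabling `LEAK_CFLAGS = -DEXITFREE` is the right companion to `-fsanitize=address`: it makes Vim free its global state at exit so LeakSanitizer reports real leaks instead of everything still reachable from globals, the same problem the comment above describes for ccmalloc.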
> 
> And asan finds a heap-use-after-free when running tests:
> 
> VIMRUNTIME=../../runtime; export VIMRUNTIME;  ../vim -f  -u unix.vim
> -U NONE --noplugin --not-a-term -S runtest.vim test_terminal.vim
> =================================================================
> ==6221==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x624000317d38 at pc 0x0000008f6dff bp 0x7ffc8d176a70 sp
> 0x7ffc8d176a60
> READ of size 8 at 0x624000317d38 thread T0
>     #0 0x8f6dfe in f_term_wait /home/pel/sb/vim/src/terminal.c:3226
>     #1 0x4ad826 in call_internal_func /home/pel/sb/vim/src/evalfunc.c:1012
>     #2 0x91f7f2 in call_func /home/pel/sb/vim/src/userfunc.c:1446
>     #3 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #4 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>     #5 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #6 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #7 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>     #8 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>     #9 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #10 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>     #11 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #12 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #13 0x4a4c5c in ex_execute /home/pel/sb/vim/src/eval.c:8413
>     #14 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #15 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #16 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>     #17 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>     #18 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #19 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>     #20 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #21 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #22 0x526b95 in do_source /home/pel/sb/vim/src/ex_cmds2.c:4378
>     #23 0x5254d8 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:3991
>     #24 0x5252b5 in ex_source /home/pel/sb/vim/src/ex_cmds2.c:3966
>     #25 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #26 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #27 0x52b548 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:671
>     #28 0xa3e79e in exe_commands /home/pel/sb/vim/src/main.c:2948
>     #29 0xa375ca in vim_main2 /home/pel/sb/vim/src/main.c:800
>     #30 0xa36b94 in main /home/pel/sb/vim/src/main.c:429
>     #31 0x7fa64f1e882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #32 0x410078 in _start (/home/pel/sb/vim/src/vim+0x410078)
> 
> 0x624000317d38 is located 7224 bytes inside of 7232-byte region
> [0x624000316100,0x624000317d40)
> freed by thread T0 here:
>     #0 0x7fa652c21588 in free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde588)
>     #1 0x677c0e in vim_free /home/pel/sb/vim/src/misc2.c:1801
>     #2 0x416f06 in free_buffer /home/pel/sb/vim/src/buffer.c:883
>     #3 0x41610a in close_buffer /home/pel/sb/vim/src/buffer.c:678
>     #4 0x93b253 in win_close /home/pel/sb/vim/src/window.c:2384
>     #5 0x418fd7 in do_buffer /home/pel/sb/vim/src/buffer.c:1451
>     #6 0x418037 in do_bufdel /home/pel/sb/vim/src/buffer.c:1181
>     #7 0x8f0180 in term_channel_closed /home/pel/sb/vim/src/terminal.c:2178
>     #8 0xa1aedc in channel_close /home/pel/sb/vim/src/channel.c:2919
>     #9 0xa1c0bf in channel_close_now /home/pel/sb/vim/src/channel.c:3245
>     #10 0xa1f80a in channel_parse_messages /home/pel/sb/vim/src/channel.c:4191
>     #11 0x6864e4 in parse_queued_messages /home/pel/sb/vim/src/misc2.c:6320
>     #12 0x8f6dc8 in f_term_wait /home/pel/sb/vim/src/terminal.c:3229
>     #13 0x4ad826 in call_internal_func /home/pel/sb/vim/src/evalfunc.c:1012
>     #14 0x91f7f2 in call_func /home/pel/sb/vim/src/userfunc.c:1446
>     #15 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #16 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>     #17 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #18 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #19 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>     #20 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>     #21 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #22 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>     #23 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #24 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #25 0x4a4c5c in ex_execute /home/pel/sb/vim/src/eval.c:8413
>     #26 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #27 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #28 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>     #29 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
> 
> previously allocated by thread T0 here:
>     #0 0x7fa652c21920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
>     #1 0x675136 in lalloc /home/pel/sb/vim/src/misc2.c:954
>     #2 0x675029 in alloc_clear /home/pel/sb/vim/src/misc2.c:876
>     #3 0x41bc43 in buflist_new /home/pel/sb/vim/src/buffer.c:2001
>     #4 0x4f9b33 in do_ecmd /home/pel/sb/vim/src/ex_cmds.c:3865
>     #5 0x556ea6 in do_exedit /home/pel/sb/vim/src/ex_docmd.c:8637
>     #6 0x554c1c in ex_splitview /home/pel/sb/vim/src/ex_docmd.c:8294
>     #7 0x8e5435 in term_start /home/pel/sb/vim/src/terminal.c:357
>     #8 0x8f691c in f_term_start /home/pel/sb/vim/src/terminal.c:3189
>     #9 0x4ad826 in call_internal_func /home/pel/sb/vim/src/evalfunc.c:1012
>     #10 0x91f7f2 in call_func /home/pel/sb/vim/src/userfunc.c:1446
>     #11 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #12 0x491263 in eval7 /home/pel/sb/vim/src/eval.c:4395
>     #13 0x48fbee in eval6 /home/pel/sb/vim/src/eval.c:4032
>     #14 0x48efbd in eval5 /home/pel/sb/vim/src/eval.c:3848
>     #15 0x48d45b in eval4 /home/pel/sb/vim/src/eval.c:3547
>     #16 0x48cfbe in eval3 /home/pel/sb/vim/src/eval.c:3464
>     #17 0x48cb22 in eval2 /home/pel/sb/vim/src/eval.c:3396
>     #18 0x48c5b3 in eval1 /home/pel/sb/vim/src/eval.c:3324
>     #19 0x48c35d in eval0 /home/pel/sb/vim/src/eval.c:3284
>     #20 0x48146e in ex_let /home/pel/sb/vim/src/eval.c:1298
>     #21 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>     #22 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>     #23 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>     #24 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>     #25 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>     #26 0x491263 in eval7 /home/pel/sb/vim/src/eval.c:4395
>     #27 0x48fbee in eval6 /home/pel/sb/vim/src/eval.c:4032
>     #28 0x48efbd in eval5 /home/pel/sb/vim/src/eval.c:3848
>     #29 0x48d45b in eval4 /home/pel/sb/vim/src/eval.c:3547
> 
> SUMMARY: AddressSanitizer: heap-use-after-free
> /home/pel/sb/vim/src/terminal.c:3226 in f_term_wait
> Shadow bytes around the buggy address:
>   0x0c488005af50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c488005af60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c488005af70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c488005af80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c488005af90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c488005afa0: fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa
>   0x0c488005afb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c488005afc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c488005afd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c488005afe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c488005aff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==6221==ABORTING
> Vim: Caught deadly signal ABRT
> Vim: Finished.
> Aborted (core dumped)
> 
> Code where error is detected (terminal.c:3226)
> 
> !!3226         while (buf->b_term != NULL && !buf->b_term->tl_channel_closed)
>   3227         {
>   3228             mch_check_messages();
> !!3229             parse_queued_messages();
>   3230             ui_delay(10L, FALSE);
>   3231         }
> 
> Memory was freed when calling parse_queued_messages()
> at line 3229 and then the freed memory is used at line 3226
> in terminal.c.
> 
> I ran "make test" 3 times and the bug happened 3 times
> in a row, so it looks reproducible for me.
> 
> I suspect that it's the same bug that happened
> in travis there (but the stack did not have symbols):
> 
> https://travis-ci.org/vim/vim/jobs/302986849

I cannot reproduce the problem with valgrind; there probably is a race
condition and valgrind is a lot slower.

I'll add a check that the buffer still exists.  There are other ways,
such as postponing wiping out the buffer, but then there can still be an
autocommand doing something similar.

-- 
The goal of science is to build better mousetraps.
The goal of nature is to build better mice.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
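The following is an added illustration of the bug pattern in the report and of the fix Bram describes ("a check that the buffer still exists"); it is not Vim's code. It models a wait loop whose message pump can free the very object the loop condition dereferences, and the hardened loop that re-validates the pointer against the live list before every dereference, the approach Vim's buf_valid() takes. Every name here (buf_T, term_T, buflist_new, buf_valid, wipe_buffer, queue_channel_close, parse_queued_messages, term_wait_unsafe, term_wait_safe) is a stand-in chosen to mirror the stack trace, not Vim's real definition.

```c
/*
 * Added example, not Vim source: a minimal model of the wait loop at
 * terminal.c:3226 and of "add a check that the buffer still exists".
 * All type and function names are stand-ins mirroring the report.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct term_S {
    bool tl_channel_closed;
} term_T;

typedef struct buf_S {
    struct buf_S *b_next;   /* singly linked list of live buffers */
    term_T       *b_term;   /* non-NULL for a :terminal buffer */
} buf_T;

static buf_T *firstbuf = NULL;

/* Create a terminal buffer and put it on the live list. */
buf_T *buflist_new(void)
{
    buf_T *buf = calloc(1, sizeof(*buf));
    if (buf == NULL)
        return NULL;
    buf->b_term = calloc(1, sizeof(*buf->b_term));
    if (buf->b_term == NULL) {
        free(buf);
        return NULL;
    }
    buf->b_next = firstbuf;
    firstbuf = buf;
    return buf;
}

/* Same idea as Vim's buf_valid(): walk the live list comparing pointers
 * only. The candidate is never dereferenced, so this is safe to call
 * with a pointer that has already been freed. */
bool buf_valid(const buf_T *bufp)
{
    for (const buf_T *b = firstbuf; b != NULL; b = b->b_next)
        if (b == bufp)
            return true;
    return false;
}

/* Unlink and free a buffer: what do_bufdel() ended up doing in the report. */
void wipe_buffer(buf_T *buf)
{
    for (buf_T **pp = &firstbuf; *pp != NULL; pp = &(*pp)->b_next) {
        if (*pp == buf) {
            *pp = buf->b_next;
            break;
        }
    }
    free(buf->b_term);
    free(buf);
}

/* One-slot stand-in for the channel message queue. A pending "channel
 * closed" message wipes its buffer when parsed, the same path as
 * channel_close() -> term_channel_closed() -> do_bufdel() in the trace. */
static struct { buf_T *buf; bool pending; } queued;

void queue_channel_close(buf_T *buf)
{
    queued.buf = buf;
    queued.pending = true;
}

void parse_queued_messages(void)
{
    if (queued.pending) {
        queued.pending = false;
        wipe_buffer(queued.buf);
    }
}

/* Shape of the loop ASan flagged: once parse_queued_messages() frees buf,
 * the next evaluation of buf->b_term reads freed memory.
 * Not exercised by the test; run it only under ASan. */
void term_wait_unsafe(buf_T *buf)
{
    while (buf->b_term != NULL && !buf->b_term->tl_channel_closed)
        parse_queued_messages();
}

/* Hardened loop: re-validate against the live list before every
 * dereference, so a buffer wiped by a queued message (or by an
 * autocommand triggered from it) is noticed instead of used.
 * Returns 1 if the buffer survived, 0 if it was wiped while waiting,
 * -1 if max_iter pumps passed without the channel closing. */
int term_wait_safe(buf_T *buf, int max_iter)
{
    int iters = 0;
    while (buf_valid(buf) && buf->b_term != NULL
           && !buf->b_term->tl_channel_closed) {
        if (iters++ >= max_iter)
            return -1;
        parse_queued_messages();
    }
    return buf_valid(buf) ? 1 : 0;
}
```

The important detail is the order of the tests in the hardened condition: buf_valid() runs first and never touches the pointee, so the `buf->b_term` reads only happen for a buffer that is still on the list. Postponing the wipe would not close the hole on its own, as Bram notes, because any callback run from the pump can wipe the buffer by another route.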
