Bram Moolenaar <[email protected]> wrote:

> Dominique wrote:
>
>> I configured Vim-8.0.1316 as follows and built with asan:
>>
>> $ CC=gcc-7 ./configure --with-features=huge \
>>     --enable-gui=gtk3 --enable-python3interp=yes \
>>     --enable-pythoninterp=yes
>>
>> I built with asan with these local changes:
>>
>> $ git diff
>> diff --git a/src/Makefile b/src/Makefile
>> index 09cf21e..d927a1f 100644
>> --- a/src/Makefile
>> +++ b/src/Makefile
>> @@ -684,7 +684,7 @@ LINT_OPTIONS = -beprxzF
>> # address sanitizer or with the undefined sanitizer. Works with gcc and
>> # clang. May make Vim twice as slow. Errors reported on stderr.
>> # More at: https://code.google.com/p/address-sanitizer/
>> -#SANITIZER_CFLAGS = -g -O0 -fsanitize=address -fno-omit-frame-pointer
>> +SANITIZER_CFLAGS = -g -O0 -fsanitize=address -fno-omit-frame-pointer
>> #SANITIZER_CFLAGS = -g -O0 -fsanitize=undefined -fno-omit-frame-pointer
>> SANITIZER_LIBS = $(SANITIZER_CFLAGS)
>>
>> @@ -693,12 +693,12 @@ SANITIZER_LIBS = $(SANITIZER_CFLAGS)
>> # Configuration is in the .ccmalloc or ~/.ccmalloc file.
>> # Doesn't work very well, since memory linked to from global variables
>> # (in libraries) is also marked as leaked memory.
>> -#LEAK_CFLAGS = -DEXITFREE
>> +LEAK_CFLAGS = -DEXITFREE
>> #LEAK_LIBS = -lccmalloc
>>
>> # Uncomment this line to have Vim call abort() when an internal error is
>> # detected. Useful when using a tool to find errors.
>> -#ABORT_CLFAGS = -DABORT_ON_INTERNAL_ERROR
>> +ABORT_CLFAGS = -DABORT_ON_INTERNAL_ERROR
>>
>> #####################################################
>> ### Specific systems, check if yours is listed! ### {{{
>>
>>
>> And asan finds a heap-use-after-free when running tests:
>>
>> VIMRUNTIME=../../runtime; export VIMRUNTIME; ../vim -f -u unix.vim
>> -U NONE --noplugin --not-a-term -S runtest.vim test_terminal.vim
>> =================================================================
>> ==6221==ERROR: AddressSanitizer: heap-use-after-free on address 0x624000317d38 at pc 0x0000008f6dff bp 0x7ffc8d176a70 sp 0x7ffc8d176a60
>> READ of size 8 at 0x624000317d38 thread T0
>>     #0 0x8f6dfe in f_term_wait /home/pel/sb/vim/src/terminal.c:3226
>>     #1 0x4ad826 in call_internal_func /home/pel/sb/vim/src/evalfunc.c:1012
>>     #2 0x91f7f2 in call_func /home/pel/sb/vim/src/userfunc.c:1446
>>     #3 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #4 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>>     #5 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #6 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #7 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>>     #8 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>>     #9 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #10 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>>     #11 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #12 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #13 0x4a4c5c in ex_execute /home/pel/sb/vim/src/eval.c:8413
>>     #14 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #15 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #16 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>>     #17 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>>     #18 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #19 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>>     #20 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #21 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #22 0x526b95 in do_source /home/pel/sb/vim/src/ex_cmds2.c:4378
>>     #23 0x5254d8 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:3991
>>     #24 0x5252b5 in ex_source /home/pel/sb/vim/src/ex_cmds2.c:3966
>>     #25 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #26 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #27 0x52b548 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:671
>>     #28 0xa3e79e in exe_commands /home/pel/sb/vim/src/main.c:2948
>>     #29 0xa375ca in vim_main2 /home/pel/sb/vim/src/main.c:800
>>     #30 0xa36b94 in main /home/pel/sb/vim/src/main.c:429
>>     #31 0x7fa64f1e882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>>     #32 0x410078 in _start (/home/pel/sb/vim/src/vim+0x410078)
>>
>> 0x624000317d38 is located 7224 bytes inside of 7232-byte region [0x624000316100,0x624000317d40)
>> freed by thread T0 here:
>>     #0 0x7fa652c21588 in free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde588)
>>     #1 0x677c0e in vim_free /home/pel/sb/vim/src/misc2.c:1801
>>     #2 0x416f06 in free_buffer /home/pel/sb/vim/src/buffer.c:883
>>     #3 0x41610a in close_buffer /home/pel/sb/vim/src/buffer.c:678
>>     #4 0x93b253 in win_close /home/pel/sb/vim/src/window.c:2384
>>     #5 0x418fd7 in do_buffer /home/pel/sb/vim/src/buffer.c:1451
>>     #6 0x418037 in do_bufdel /home/pel/sb/vim/src/buffer.c:1181
>>     #7 0x8f0180 in term_channel_closed /home/pel/sb/vim/src/terminal.c:2178
>>     #8 0xa1aedc in channel_close /home/pel/sb/vim/src/channel.c:2919
>>     #9 0xa1c0bf in channel_close_now /home/pel/sb/vim/src/channel.c:3245
>>     #10 0xa1f80a in channel_parse_messages /home/pel/sb/vim/src/channel.c:4191
>>     #11 0x6864e4 in parse_queued_messages /home/pel/sb/vim/src/misc2.c:6320
>>     #12 0x8f6dc8 in f_term_wait /home/pel/sb/vim/src/terminal.c:3229
>>     #13 0x4ad826 in call_internal_func /home/pel/sb/vim/src/evalfunc.c:1012
>>     #14 0x91f7f2 in call_func /home/pel/sb/vim/src/userfunc.c:1446
>>     #15 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #16 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>>     #17 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #18 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #19 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>>     #20 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>>     #21 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #22 0x92a009 in ex_call /home/pel/sb/vim/src/userfunc.c:3082
>>     #23 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #24 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #25 0x4a4c5c in ex_execute /home/pel/sb/vim/src/eval.c:8413
>>     #26 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #27 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #28 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>>     #29 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>>
>> previously allocated by thread T0 here:
>>     #0 0x7fa652c21920 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde920)
>>     #1 0x675136 in lalloc /home/pel/sb/vim/src/misc2.c:954
>>     #2 0x675029 in alloc_clear /home/pel/sb/vim/src/misc2.c:876
>>     #3 0x41bc43 in buflist_new /home/pel/sb/vim/src/buffer.c:2001
>>     #4 0x4f9b33 in do_ecmd /home/pel/sb/vim/src/ex_cmds.c:3865
>>     #5 0x556ea6 in do_exedit /home/pel/sb/vim/src/ex_docmd.c:8637
>>     #6 0x554c1c in ex_splitview /home/pel/sb/vim/src/ex_docmd.c:8294
>>     #7 0x8e5435 in term_start /home/pel/sb/vim/src/terminal.c:357
>>     #8 0x8f691c in f_term_start /home/pel/sb/vim/src/terminal.c:3189
>>     #9 0x4ad826 in call_internal_func /home/pel/sb/vim/src/evalfunc.c:1012
>>     #10 0x91f7f2 in call_func /home/pel/sb/vim/src/userfunc.c:1446
>>     #11 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #12 0x491263 in eval7 /home/pel/sb/vim/src/eval.c:4395
>>     #13 0x48fbee in eval6 /home/pel/sb/vim/src/eval.c:4032
>>     #14 0x48efbd in eval5 /home/pel/sb/vim/src/eval.c:3848
>>     #15 0x48d45b in eval4 /home/pel/sb/vim/src/eval.c:3547
>>     #16 0x48cfbe in eval3 /home/pel/sb/vim/src/eval.c:3464
>>     #17 0x48cb22 in eval2 /home/pel/sb/vim/src/eval.c:3396
>>     #18 0x48c5b3 in eval1 /home/pel/sb/vim/src/eval.c:3324
>>     #19 0x48c35d in eval0 /home/pel/sb/vim/src/eval.c:3284
>>     #20 0x48146e in ex_let /home/pel/sb/vim/src/eval.c:1298
>>     #21 0x538356 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2908
>>     #22 0x52ce23 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1071
>>     #23 0x91cec3 in call_user_func /home/pel/sb/vim/src/userfunc.c:942
>>     #24 0x91f692 in call_func /home/pel/sb/vim/src/userfunc.c:1427
>>     #25 0x91a682 in get_func_tv /home/pel/sb/vim/src/userfunc.c:455
>>     #26 0x491263 in eval7 /home/pel/sb/vim/src/eval.c:4395
>>     #27 0x48fbee in eval6 /home/pel/sb/vim/src/eval.c:4032
>>     #28 0x48efbd in eval5 /home/pel/sb/vim/src/eval.c:3848
>>     #29 0x48d45b in eval4 /home/pel/sb/vim/src/eval.c:3547
>>
>> SUMMARY: AddressSanitizer: heap-use-after-free /home/pel/sb/vim/src/terminal.c:3226 in f_term_wait
>> Shadow bytes around the buggy address:
>>   0x0c488005af50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>>   0x0c488005af60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>>   0x0c488005af70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>>   0x0c488005af80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>>   0x0c488005af90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>> =>0x0c488005afa0: fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa
>>   0x0c488005afb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c488005afc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c488005afd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c488005afe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>>   0x0c488005aff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>>   Addressable:           00
>>   Partially addressable: 01 02 03 04 05 06 07
>>   Heap left redzone:       fa
>>   Freed heap region:       fd
>>   Stack left redzone:      f1
>>   Stack mid redzone:       f2
>>   Stack right redzone:     f3
>>   Stack after return:      f5
>>   Stack use after scope:   f8
>>   Global redzone:          f9
>>   Global init order:       f6
>>   Poisoned by user:        f7
>>   Container overflow:      fc
>>   Array cookie:            ac
>>   Intra object redzone:    bb
>>   ASan internal:           fe
>>   Left alloca redzone:     ca
>>   Right alloca redzone:    cb
>> ==6221==ABORTING
>> Vim: Caught deadly signal ABRT
>> Vim: Finished.
>> Aborted (core dumped)
>>
>> Code where error is detected (terminal.c:3226)
>>
>> !!3226     while (buf->b_term != NULL && !buf->b_term->tl_channel_closed)
>>   3227     {
>>   3228         mch_check_messages();
>> !!3229         parse_queued_messages();
>>   3230         ui_delay(10L, FALSE);
>>   3231     }
>>
>> Memory was freed when calling parse_queued_messages()
>> at line 3229 and then the freed memory is used at line 3226
>> in terminal.c.
>>
>> I ran "make test" 3 times and the bug happened 3 times
>> in a row so it looks reproducible for me.
>>
>> I suspect that it's the same bug that happened
>> in travis there (but the stack did not have symbols):
>>
>> https://travis-ci.org/vim/vim/jobs/302986849
>
> I cannot reproduce the problem with valgrind, there probably is a race
> condition and valgrind is a lot slower.
>
> I'll add a check that the buffer still exists. There are other ways,
> such as postponing wiping out the buffer, but then there can still be an
> autocommand doing something similar.
Thanks. Vim-8.0.1317 appears to fix it. I ran the test several times
without error.

Going back to Vim-8.0.1316 I could reproduce it with gcc-7 + asan but I
could not reproduce it with clang-5.0 + asan or with valgrind. It was
perhaps a race condition indeed.

Thanks
Dominique

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
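The loop at terminal.c:3226 in the report keeps using buf after parse_queued_messages(), which can close the channel and wipe that very buffer (the freed-by trace: term_channel_closed -> do_bufdel -> free_buffer). The following is an added example, not Vim's code, modelling that pattern together with the "check that the buffer still exists" fix Bram describes; the buffer list, term_start(), the close-after-N-polls behaviour and all names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Added example, not Vim's code: a small model of the f_term_wait() loop from
 * the report plus the "buffer still exists" check Bram describes. Names are invented. */
typedef struct { bool tl_channel_closed; int polls_left; bool wipe_on_close; } term_T;
typedef struct { term_T *b_term; } buf_T;
/* Model of Vim's buffer list. buf_valid() only compares pointers, so a
 * freed buffer is reported invalid without ever being dereferenced. */
#define MAX_BUFS 8
static buf_T *buflist[MAX_BUFS];

static bool buf_valid(const buf_T *buf) {
    for (int i = 0; i < MAX_BUFS; i++)
        if (buflist[i] == buf) return true;
    return false;
}
static void free_buffer(buf_T *buf) {            /* unlist, then free */
    for (int i = 0; i < MAX_BUFS; i++)
        if (buflist[i] == buf) buflist[i] = NULL;
    free(buf->b_term);
    free(buf);
}
/* Model of term_start(): the channel closes after 'polls' message rounds
 * and, if 'wipe' is set, wipes its buffer when it closes. */
static buf_T *term_start(int polls, bool wipe) {
    buf_T *buf = calloc(1, sizeof *buf);
    term_T *term = calloc(1, sizeof *term);
    if (buf == NULL || term == NULL) { free(buf); free(term); return NULL; }
    buf->b_term = term;
    term->polls_left = polls; term->wipe_on_close = wipe;
    for (int i = 0; i < MAX_BUFS; i++)            /* assumes a free slot */
        if (buflist[i] == NULL) { buflist[i] = buf; break; }
    return buf;
}
/* Model of parse_queued_messages(): the close callback may free the very buffer
 * the caller still holds (term_channel_closed -> do_bufdel -> free_buffer above). */
static void parse_queued_messages(buf_T *buf) {
    if (--buf->b_term->polls_left > 0) return;
    buf->b_term->tl_channel_closed = true;
    if (buf->b_term->wipe_on_close) free_buffer(buf);  /* 'buf' now dangles */
}
/* Hardened wait loop: after every call that can run callbacks, confirm the buffer
 * is still listed before the loop condition dereferences it again.
 * Returns 1 if the buffer was wiped, 0 if the channel closed and it survived. */
static int term_wait(buf_T *buf) {
    while (buf->b_term != NULL && !buf->b_term->tl_channel_closed) {
        parse_queued_messages(buf);
        if (!buf_valid(buf)) return 1;
    }
    return 0;
}
```

Without the buf_valid() check the third iteration of the first scenario would evaluate buf->b_term on freed memory, which is exactly the READ of size 8 that ASan reports at terminal.c:3226.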
