Dominique Pellé <[email protected]> wrote:
> Hi
>
> I looked at this old item in todo.txt:
>
> ===
> Illegal memory access, requires ASAN to see. (Dominique Pelle, 2015 Jul 28)
> ===
>
> I can still reproduce it with the latest vim-8.0.703
> built with asan. I found this simpler way to reproduce it:
>
> $ vim -u NONE -c'set re=1' -c"call setline(1,'xxxxx')" -c"/\n\@<=" 2>log
> Vim: Caught deadly signal ABRT
> Vim: preserving files...
> Vim: Finished.
> Aborted (core dumped)
>
> And log contains:
>
> =================================================================
> ==8289==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a8cce4 at pc 0x00000069a57b bp 0x7ffe999d3480 sp 0x7ffe999d3470
> READ of size 1 at 0x000000a8cce4 thread T0
>     #0 0x69a57a in utf_head_off /home/pel/sb/vim/src/mbyte.c:3809
>     #1 0x78817b in regmatch /home/pel/sb/vim/src/regexp.c:5592
>     #2 0x78026b in regtry /home/pel/sb/vim/src/regexp.c:4076
>     #3 0x77fe00 in bt_regexec_both /home/pel/sb/vim/src/regexp.c:3961
>     #4 0x77f2d5 in bt_regexec_multi /home/pel/sb/vim/src/regexp.c:3771
>     #5 0x7c0141 in vim_regexec_multi /home/pel/sb/vim/src/regexp.c:8360
>     #6 0x801112 in searchit /home/pel/sb/vim/src/search.c:716
>     #7 0x80410f in do_search /home/pel/sb/vim/src/search.c:1443
>     #8 0x53e068 in get_address /home/pel/sb/vim/src/ex_docmd.c:4562
>     #9 0x52ed12 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2158
>     #10 0x528f6f in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
>     #11 0x527694 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:689
>     #12 0x9f65e4 in exe_commands /home/pel/sb/vim/src/main.c:2945
>     #13 0x9ef5e0 in vim_main2 /home/pel/sb/vim/src/main.c:803
>     #14 0x9eeb68 in main /home/pel/sb/vim/src/main.c:419
>     #15 0x7fe5bb73d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
>     #16 0x411ce8 in _start (/home/pel/sb/vim/src/vim+0x411ce8)
>
> 0x000000a8cce4 is located 60 bytes to the left of global variable '*.LC1' defined in 'regexp.c' (0xa8cd20) of size 7
>   '*.LC1' is ascii string 'latin1'
> 0x000000a8cce4 is located 3 bytes to the right of global variable '*.LC0' defined in 'regexp.c' (0xa8cce0) of size 1
>   '*.LC0' is ascii string ''
> SUMMARY: AddressSanitizer: global-buffer-overflow /home/pel/sb/vim/src/mbyte.c:3809 in utf_head_off
> ==8289==ABORTING
>
> It crashes at regexp.c:5592:
>
>   5590          if (has_mbyte)
>   5591              rp->rs_un.regsave.rs_u.pos.col -=
> !!5592                  (*mb_head_off)(regline, regline
>   5593                      + rp->rs_un.regsave.rs_u.pos.col - 1) + 1;
>
> I see that at line 5592:
> - rp->rs_un.regsave.rs_u.pos.col is equal to 5 (i.e. number of x in the line)
> - regline is equal to an empty string "" which was set by reg_getline() at line 3694 to a constant string "".
>
>   3685  static char_u *
>   3686  reg_getline(linenr_T lnum)
>   3687  {
>   3688      /* when looking behind for a match/no-match lnum is negative. But we
>   3689       * can't go before line 1 */
>   3690      if (rex.reg_firstlnum + lnum < 1)
>   3691          return NULL;
>   3692      if (lnum > rex.reg_maxline)
>   3693          /* Must have matched the "\n" in the last line. */
> !!3694          return (char_u *)"";
>   3695      return ml_get_buf(rex.reg_buf, rex.reg_firstlnum + lnum, FALSE);
>   3696  }
>
> So asan detects the overflow (access beyond global constant string "" of line 3694). Note that only asan detects overflow in globals (valgrind does not detect such bug).
>
> Not sure what's the clean way of fixing this.
Hi

This bug no longer happens with the latest vim-8.1.177.
Doing a git bisection, I see that the bug was fixed several months ago in vim-8.0.1517:

===
commit bc197195b097707d08fd44a476dbc374366504cb
Author: Bram Moolenaar <[email protected]>
Date:   Tue Feb 13 16:35:06 2018 +0100

    patch 8.0.1517: invalid memory access with pattern using look-behind match

    Problem:    Invalid memory access with pattern using look-behind match.
                (Dominique Pelle)
    Solution:   Get a pointer to the right line.
===

So we can now remove this item from runtime/doc/todo.txt as in attached patch:

===
Illegal memory access, requires ASAN to see. (Dominique Pelle, 2015 Jul 28)
Still happens (2017 Jul 9)
===

Regards
Dominique

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
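A constructed model (added here, not Vim's code) of the state the ASAN report above pins down: the column saved on the real line is applied to the constant "" that reg_getline() returns past the last line, so regline + col - 1 points outside the string before utf_head_off() reads it. The names get_line, head_off, step_back, restore_buggy and restore_fixed are assumptions, and restore_fixed models only the patch's one-line description, "Get a pointer to the right line", not its actual code.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the look-behind crash from the report; not Vim's code.
 * A saved match position is (lnum, col) with col counted 1-based. */
typedef struct { int lnum; int col; } savepos_t;

/* Constructed buffer: line 1 is the report's five x's, line 2 holds a
 * two-byte UTF-8 character so the head-byte walk has something to do. */
static const char *lines[] = { "xxxxx", "a\xC3\xA9" };
static const int maxline = 2;

/* Like reg_getline(): past the last line it hands back a constant "". */
static const char *get_line(int lnum)
{
    if (lnum < 1) return NULL;
    if (lnum > maxline) return "";
    return lines[lnum - 1];
}

/* Like utf_head_off(): bytes from p back to the head byte of its character.
 * Bounded by base, so the walk can never run in front of the line. */
static int head_off(const char *base, const char *p)
{
    int n = 0;
    while (p > base && (*(const unsigned char *)p & 0xC0) == 0x80) { --p; ++n; }
    return n;
}

/* Step col back one character on line, as regexp.c:5592 does.  Refuses with
 * -1 instead of touching memory when col does not lie inside line; that is
 * exactly the state in the ASAN report (col 5 applied to regline ""). */
static int step_back(const char *line, int col)
{
    if (line == NULL || col < 1 || (size_t)col > strlen(line))
        return -1;
    return col - (head_off(line, line + col - 1) + 1);
}

/* Buggy restore: trusts regline, the line the matcher currently holds. */
static int restore_buggy(const char *regline, savepos_t s) { return step_back(regline, s.col); }

/* Fixed restore, modelling the patch's "get a pointer to the right line":
 * fetch the line by the saved lnum instead of using regline. */
static int restore_fixed(savepos_t s) { return step_back(get_line(s.lnum), s.col); }
```

Without the bounds check in step_back, restore_buggy("", {1, 5}) is the read ASAN flags at mbyte.c:3809; with it the mismatch is reported as -1, while restore_fixed resolves the same saved position against line 1 and steps back cleanly.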
diff --git a/runtime/doc/todo.txt b/runtime/doc/todo.txt index a39715799..8dba36825 100644 --- a/runtime/doc/todo.txt +++ b/runtime/doc/todo.txt @@ -406,9 +406,6 @@ Perhaps use a vimcontext / endvimcontext command block. After using :noautocmd CursorMoved may still trigger. (Andy Stewart, 2017 Sep 13, #2084). Set old position after the command. -Illegal memory access, requires ASAN to see. (Dominique Pelle, 2015 Jul 28) -Still happens (2017 Jul 9) - When bracketed paste is used, pasting at the ":append" prompt does not get the line breaks. (Ken Takata, 2017 Aug 22)
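Review bot: The entry is removed together with the blank line that followed it (three removed lines, -9/+6), so the spacing between the "After using :noautocmd ..." entry and the "When bracketed paste ..." entry stays at one blank line, which is the right shape for todo.txt. The commit message for this removal should name the fixing patch, 8.0.1517 (commit bc197195b097707d08fd44a476dbc374366504cb), so that the reason the item disappears is traceable from the log; and the one-line reproduction from the report, vim -u NONE -c'set re=1' -c"call setline(1,'xxxxx')" -c"/\n\@<=", is a good candidate for a regression test under an ASAN build if 8.0.1517 did not already add one.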
