Re: 8.1.0350's Test_exit_cb_wipes_buf() causes segfault when building on Launchpad

Bram Moolenaar Mon, 26 Nov 2018 12:20:02 -0800


James McCoy wrote:


[...]

> > Hmm, so it's some kind of memory corruption.  There are to many stack
> > frames to guess what is happening.  Can you run this with ASAN, so that
> > it should fail the moment the memory corruption happens?
> 
> Here's what ASAN detects:
> 
> =================================================================
> ==15879==ERROR: AddressSanitizer: heap-use-after-free on address 
> 0x624000060200 at pc 0x0000008e86db bp 0x7ffe0ac21860 sp 0x7ffe0ac21858
> READ of size 4 at 0x624000060200 thread T0
>     #0 0x8e86da in curs_rows src/vim-gtk3/move.c:695:11

So at this point the window pointer is invalid, because the buffer was
unloaded and the windows showing it were closed.  All that because
vpeekc() triggered parse_queued_messages().  Now why did that happen,
because previous fixes were making sure not to parse message when only
peeking...

>     #1 0x8e4745 in curs_columns src/vim-gtk3/move.c:967:2
>     #2 0x599568 in edit src/vim-gtk3/edit.c:501:5
>     #3 0x965f77 in invoke_edit src/vim-gtk3/normal.c:9238:9
>     #4 0x9676fd in n_opencmd src/vim-gtk3/normal.c:8524:6
>     #5 0x94c189 in nv_open src/vim-gtk3/normal.c:9599:2
>     #6 0x916bf2 in normal_cmd src/vim-gtk3/normal.c:1121:5
>     #7 0x713f64 in exec_normal src/vim-gtk3/ex_docmd.c:10509:6
>     #8 0x636e1c in f_feedkeys src/vim-gtk3/evalfunc.c:3648:3
>     #9 0x625746 in call_internal_func src/vim-gtk3/evalfunc.c:1084:5
>     #10 0xcd200a in call_func src/vim-gtk3/userfunc.c:1507:14
>     #11 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #12 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #13 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #14 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #15 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #16 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #17 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #18 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #19 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #20 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #21 0x608626 in ex_execute src/vim-gtk3/eval.c:8183:6
>     #22 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #23 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #24 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #25 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #26 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #27 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #28 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #29 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #30 0x6d5ab9 in do_source src/vim-gtk3/ex_cmds2.c:4615:5
>     #31 0x6d350e in cmd_source src/vim-gtk3/ex_cmds2.c:4229:14
>     #32 0x6d3b1c in ex_source src/vim-gtk3/ex_cmds2.c:4204:2
>     #33 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #34 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #35 0x6e4613 in do_cmdline_cmd src/vim-gtk3/ex_docmd.c:637:12
>     #36 0xeb0e18 in exe_commands src/vim-gtk3/main.c:2964:2
>     #37 0xeada6f in vim_main2 src/vim-gtk3/main.c:814:2
>     #38 0xea5621 in main src/vim-gtk3/main.c:441:12
>     #39 0x7f5aef7e9b16 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
>     #40 0x465cd9 in _start (/<<PKGBUILDDIR>>/src/vim-gtk3/vim+0x465cd9)
> 
> 0x624000060200 is located 256 bytes inside of 7440-byte region 
> [0x624000060100,0x624000061e10)
> freed by thread T0 here:
>     #0 0x50d442 in __interceptor_free 
> (/<<PKGBUILDDIR>>/src/vim-gtk3/vim+0x50d442)
>     #1 0x8c156b in vim_free src/vim-gtk3/misc2.c:1833:2
>     #2 0xcffef6 in win_free src/vim-gtk3/window.c:4748:2
>     #3 0xd0ae65 in win_free_mem src/vim-gtk3/window.c:2600:5
>     #4 0xcf5440 in win_close src/vim-gtk3/window.c:2445:10
>     #5 0x54a5ff in do_buffer src/vim-gtk3/buffer.c:1436:10
>     #6 0x54e959 in do_bufdel src/vim-gtk3/buffer.c:1185:32
>     #7 0x71ead9 in ex_bunload src/vim-gtk3/ex_docmd.c:5621:19
>     #8 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #9 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #10 0x608626 in ex_execute src/vim-gtk3/eval.c:8183:6
>     #11 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #12 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #13 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #14 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #15 0xe678df in job_cleanup src/vim-gtk3/channel.c:5311:2
>     #16 0xe69404 in job_check_ended src/vim-gtk3/channel.c:5530:2
>     #17 0x8d8c21 in parse_queued_messages src/vim-gtk3/misc2.c:6389:5
>     #18 0x9f8134 in mch_inchar src/vim-gtk3/os_unix.c:394:6
>     #19 0xc9e1e5 in ui_inchar src/vim-gtk3/ui.c:157:11

This is what triggers the problem: ui_inchar() changes the wait time
from zero to 10 msec.  Then in mch_inchar() it sees a non-zero wait time
and calls parse_queued_messages().

>     #20 0x7de299 in inchar src/vim-gtk3/getchar.c:3093:8
>     #21 0x7ef154 in vgetorpeek src/vim-gtk3/getchar.c:2875:7
>     #22 0x7e53db in vpeekc src/vim-gtk3/getchar.c:1869:12
>     #23 0x7f001a in char_avail src/vim-gtk3/getchar.c:1925:14
>     #24 0xacb296 in redrawing src/vim-gtk3/screen.c:10833:18
>     #25 0x8e8683 in curs_rows src/vim-gtk3/move.c:694:21
>     #26 0x8e4745 in curs_columns src/vim-gtk3/move.c:967:2
>     #27 0x599568 in edit src/vim-gtk3/edit.c:501:5
>     #28 0x965f77 in invoke_edit src/vim-gtk3/normal.c:9238:9
>     #29 0x9676fd in n_opencmd src/vim-gtk3/normal.c:8524:6

[...]

I can't recall why we changed the wait time to 10 msec.  Might not have
a good reason now.  So we could change:

        retval = mch_inchar(buf, maxlen, (wtime >= 0 && wtime < 10)
                                                ? 10L : wtime, tb_change_cnt);

to:

        retval = mch_inchar(buf, maxlen, wtime, tb_change_cnt);

Would that have any negative side effects?  All the tests are passing,
thus I guess it's OK.  At least it removes the unexpected delay.

I'll send out this patch, please verify it fixes the problem.


-- 
If an elephant is left tied to a parking meter, the parking fee has to be paid
just as it would for a vehicle.
                [real standing law in Florida, United States of America]

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Re: 8.1.0350's Test_exit_cb_wipes_buf() causes segfault when building on Launchpad

Raspunde prin e-mail lui