Hi,
I have created a PR (#6041) to add new tests for insert mode completion.
This is currently failing in the Travis/CI ASAN build because of
a heap buffer overflow with the following test:
func Test()
  func! CompleteFunc(findstart, base)
    if a:findstart == 1
      return col('.') - 1
    endif
    wincmd p
    return ['a', 'b']
  endfunc
  set completefunc=CompleteFunc
  new
  call assert_fails('exe "normal a\<C-X>\<C-U>"', 'E839:')
  close!
endfunc
call Test()
The address sanitizer report is below.
- Yegappan
======================================================
==95026==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000023372 at pc 0x000107438948 bp 0x7ffee91be5f0 sp 0x7ffee91bddb0
READ of size 1 at 0x602000023372 thread T0
#0 0x107438947 in wrap_strlen
(libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x17947)
#1 0x106a6a11d in ins_bytes change.c:926
#2 0x106c053d3 in ins_compl_insert insexpand.c:3119
#3 0x106c05b69 in ins_compl_next insexpand.c:3306
#4 0x106c073e7 in ins_complete insexpand.c:3954
#5 0x106ad969a in edit edit.c:1252
#6 0x106c9c515 in invoke_edit normal.c:7080
#7 0x106c7d77d in normal_cmd normal.c:1071
#8 0x106b74eac in exec_normal ex_docmd.c
#9 0x106b74974 in ex_normal ex_docmd.c:7722
#10 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#11 0x106b5d96a in do_cmdline ex_docmd.c:978
#12 0x106b04bc8 in ex_execute eval.c:6253
#13 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#14 0x106b5d96a in do_cmdline ex_docmd.c:978
#15 0x106e4c932 in f_assert_fails testing.c:436
#16 0x106b0ce94 in call_internal_func evalfunc.c:1170
#17 0x106e7fff8 in call_func userfunc.c:1973
#18 0x106e7f6d9 in get_func_tv userfunc.c:595
#19 0x106e8e6c8 in ex_call userfunc.c:3729
#20 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#21 0x106b5d96a in do_cmdline ex_docmd.c:978
#22 0x106e8248f in call_user_func userfunc.c:1366
#23 0x106e80da9 in call_user_func_check userfunc.c:1507
#24 0x106e80164 in call_func userfunc.c:1955
#25 0x106e7f6d9 in get_func_tv userfunc.c:595
#26 0x106e8e6c8 in ex_call userfunc.c:3729
#27 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#28 0x106b5d96a in do_cmdline ex_docmd.c:978
#29 0x106c8d39d in nv_colon normal.c:3323
#30 0x106c7d77d in normal_cmd normal.c:1071
#31 0x106f4e647 in main_loop main.c
#32 0x106f4c191 in vim_main2 main.c:899
#33 0x106f4874e in main main.c:438
#34 0x7fff674227fc in start (libdyld.dylib:x86_64+0x1a7fc)
0x602000023372 is located 1 bytes to the right of 1-byte region
[0x602000023370,0x602000023371)
allocated by thread T0 here:
#0 0x107466abd in wrap_malloc
(libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45abd)
#1 0x106c57707 in lalloc misc2.c:925
#2 0x106c5825d in vim_strnsave misc2.c:1294
#3 0x106c00bae in ins_compl_add insexpand.c:620
#4 0x106c072d5 in ins_complete insexpand.c:3928
#5 0x106ad969a in edit edit.c:1252
#6 0x106c9c515 in invoke_edit normal.c:7080
#7 0x106c7d77d in normal_cmd normal.c:1071
#8 0x106b74eac in exec_normal ex_docmd.c
#9 0x106b74974 in ex_normal ex_docmd.c:7722
#10 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#11 0x106b5d96a in do_cmdline ex_docmd.c:978
#12 0x106b04bc8 in ex_execute eval.c:6253
#13 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#14 0x106b5d96a in do_cmdline ex_docmd.c:978
#15 0x106e4c932 in f_assert_fails testing.c:436
#16 0x106b0ce94 in call_internal_func evalfunc.c:1170
#17 0x106e7fff8 in call_func userfunc.c:1973
#18 0x106e7f6d9 in get_func_tv userfunc.c:595
#19 0x106e8e6c8 in ex_call userfunc.c:3729
#20 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#21 0x106b5d96a in do_cmdline ex_docmd.c:978
#22 0x106e8248f in call_user_func userfunc.c:1366
#23 0x106e80da9 in call_user_func_check userfunc.c:1507
#24 0x106e80164 in call_func userfunc.c:1955
#25 0x106e7f6d9 in get_func_tv userfunc.c:595
#26 0x106e8e6c8 in ex_call userfunc.c:3729
#27 0x106b640d2 in do_one_cmd ex_docmd.c:2513
#28 0x106b5d96a in do_cmdline ex_docmd.c:978
#29 0x106c8d39d in nv_colon normal.c:3323
SUMMARY: AddressSanitizer: heap-buffer-overflow
(libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x17947) in wrap_strlen
==95026==ABORTING
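
Added example, not part of the original message or of Vim's code: a small triage helper that reads an AddressSanitizer heap report like the one above and pulls out the fault type, the offset of the bad access inside the allocated region, and the first project frame of the access and allocation stacks. The names triage, first_project_frame and ALLOC_WRAPPERS are hypothetical, and treating lalloc and vim_strnsave as allocation wrappers is an assumption.

```python
import re
# Excerpt of the report above: wrapped lines rejoined, deeper frames trimmed.
SAMPLE = """\
==95026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000023372 at pc 0x000107438948 bp 0x7ffee91be5f0 sp 0x7ffee91bddb0
READ of size 1 at 0x602000023372 thread T0
#0 0x107438947 in wrap_strlen (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x17947)
#1 0x106a6a11d in ins_bytes change.c:926
#2 0x106c053d3 in ins_compl_insert insexpand.c:3119
0x602000023372 is located 1 bytes to the right of 1-byte region [0x602000023370,0x602000023371)
allocated by thread T0 here:
#0 0x107466abd in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45abd)
#1 0x106c57707 in lalloc misc2.c:925
#2 0x106c5825d in vim_strnsave misc2.c:1294
#3 0x106c00bae in ins_compl_add insexpand.c:620
"""
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at ")
REGION = re.compile(r"of (\d+)-byte region \[(0x[0-9a-f]+),")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?")
# Assumption: these frames are allocation wrappers, not the code that chose the size.
ALLOC_WRAPPERS = {"lalloc", "vim_strnsave"}

def triage(report):
    """Split an ASan heap report into fault facts, access stack and allocation stack."""
    out, stack = {"access_stack": [], "alloc_stack": []}, None
    for line in map(str.strip, report.splitlines()):
        if m := HEADER.search(line):
            out["kind"], out["addr"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            out["access"], out["size"] = m.group(1), int(m.group(2))
            stack = out["access_stack"]      # frames that follow belong to the access
        elif m := REGION.search(line):
            out["region_size"] = int(m.group(1))
            out["offset"] = out["addr"] - int(m.group(2), 16)  # from region start
        elif line.startswith("allocated by thread"):
            stack = out["alloc_stack"]       # frames that follow belong to the malloc
        elif stack is not None and (m := FRAME.match(line)):
            stack.append((m.group(1), m.group(2)))
    return out

def first_project_frame(stack, skip=()):
    """First frame with a source location, skipping '(module+offset)' runtime frames."""
    return next(((f, loc) for f, loc in stack
                 if loc and not loc.startswith("(") and f not in skip), None)

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["kind"], r["access"], "offset", r["offset"], "of", r["region_size"])
    print(first_project_frame(r["access_stack"]),
          first_project_frame(r["alloc_stack"], ALLOC_WRAPPERS))
```

For this report it gives a READ at offset 2 of a 1-byte region, with ins_bytes (change.c:926) as the first project frame of the access and ins_compl_add (insexpand.c:620) as the allocation site.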