> The related things:
>
> About my system:
> Linux pansz-pc 2.6.24-26-generic #1 SMP Tue Dec 1 18:37:31 UTC 2009 i686
> GNU/Linux Ubuntu 8.04.3 LTS
>
> About vim:
>
> VIM - Vi IMproved 7.2 (2008 Aug 9, compiled Jan 21 2010 14:23:52)
> Included patches: 1-327
> Compiled by poet@pansz-pc
> Big version with GTK2 GUI.
> Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -DFEAT_GUI_GTK -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/pixman-1 -O2 -g -march=native -mfpmath=sse -DNDEBUG
> Linking: gcc -L/usr/local/lib -o vim -lgtk-x11-2.0 -lgdk-x11-2.0 -latk-1.0 -lgdk_pixbuf-2.0 -lpangocairo-1.0 -lpango-1.0 -lcairo -lgobject-2.0 -lgmodule-2.0 -lglib-2.0 -lXt -lm -lncurses -lselinux -lacl -lgpm
>
> About myvimrc:
> set nocompatible
> set encoding=utf-8
> set fileencodings=ucs-bom,utf-8,euc-cn,cp936,gb18030,latin1
> set noloadplugins
> runtime plugin/vimim.vim
>
> About the plugin:
> http://vimim.googlecode.com/svn/trunk/plugin/vimim.vim
>
> The operation:
> vim -u myvimrc
> press i to enter insert mode
> press <Ctrl-\> and hold it for several seconds (depending on your PC, it may
> crash within 3 to 60 seconds).
> vim will now catch SIGSEGV and core dump.
>
> Here is the backtrace:
>
> (gdb) bt
> #0 0xb7f33410 in __kernel_vsyscall ()
> #1 0xb775b4b6 in kill () from /lib/tls/i686/cmov/libc.so.6
> #2 0x0812b2ca in may_core_dump () at os_unix.c:3101
> #3 0x0812d0e5 in mch_exit (r=1) at os_unix.c:3066
> #4 0x080f0460 in preserve_exit () at misc1.c:8392
> #5 <signal handler called>
> #6 0xb77a348d in memmove () from /lib/tls/i686/cmov/libc.so.6
> #7 0x081846e8 in set_input_buf (p=0x82524c8 "\004") at ui.c:1592
> #8 0x080c7209 in vgetorpeek (advance=1) at getchar.c:2454
> #9 0x080c7f36 in vgetc () at getchar.c:1559
> #10 0x080c844a in safe_vgetc () at getchar.c:1764
> #11 0x0806b5d6 in edit (cmdchar=73, startln=0, count=0) at edit.c:717
> #12 0x08113023 in normal_cmd (oap=0xbfde8cfc, toplevel=1) at normal.c:1367
> #13 0x080d6fd6 in main_loop (cmdwin=0, noexmode=0) at main.c:1211
> #14 0x080da5ce in main (argc=Cannot access memory at address 0x1) at main.c:955
Hi

I can reproduce the bug with Vim-7.2.344 on Linux following your indications. Pressing <C-\> just once is enough to detect a bug using the Valgrind memory checker (write to freed memory) even if it may not cause a crash immediately:
==8346== Invalid write of size 1
==8346== at 0x80824D6: call_func (eval.c:8203)
==8346== by 0x8085E83: get_func_tv (eval.c:7971)
==8346== by 0x8084752: eval7 (eval.c:5019)
==8346== by 0x80849E3: eval6 (eval.c:4686)
==8346== by 0x8084C2B: eval5 (eval.c:4502)
==8346== by 0x8085009: eval4 (eval.c:4197)
==8346== by 0x808597B: eval3 (eval.c:4109)
==8346== by 0x8085ABB: eval1 (eval.c:4038)
==8346== by 0x8086CAC: eval0 (eval.c:3920)
==8346== by 0x808708B: eval_to_string (eval.c:1302)
==8346== by 0x80CCC21: eval_map_expr (getchar.c:4458)
==8346== by 0x80CFA0E: vgetorpeek (getchar.c:2449)
==8346== by 0x80D058D: vgetc (getchar.c:1559)
==8346== by 0x80D0A9A: safe_vgetc (getchar.c:1764)
==8346== by 0x806D5C4: edit (edit.c:717)
==8346== by 0x811C083: invoke_edit (normal.c:8909)
==8346== by 0x811DC01: nv_open (normal.c:8223)
==8346== by 0x8123084: normal_cmd (normal.c:1188)
==8346== by 0x80E28E6: main_loop (main.c:1211)
==8346== by 0x80E5E21: main (main.c:955)
==8346== Address 0x503d8ce is 22 bytes inside a block of size 25 free'd
==8346== at 0x4024B82: free (vg_replace_malloc.c:366)
==8346== by 0x80D255A: do_map (getchar.c:3519)
==8346== by 0x80A63D9: do_exmap (ex_docmd.c:8056)
==8346== by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
==8346== by 0x80A9727: do_cmdline (ex_docmd.c:1096)
==8346== by 0x8081B4C: call_user_func (eval.c:21320)
==8346== by 0x80823BC: call_func (eval.c:8125)
==8346== by 0x8085E83: get_func_tv (eval.c:7971)
==8346== by 0x808B460: ex_call (eval.c:3343)
==8346== by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
==8346== by 0x80A9727: do_cmdline (ex_docmd.c:1096)
==8346== by 0x8081B4C: call_user_func (eval.c:21320)
==8346== by 0x80823BC: call_func (eval.c:8125)
==8346== by 0x8085E83: get_func_tv (eval.c:7971)
==8346== by 0x808B460: ex_call (eval.c:3343)
==8346== by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
==8346== by 0x80A9727: do_cmdline (ex_docmd.c:1096)
==8346== by 0x8081B4C: call_user_func (eval.c:21320)
==8346== by 0x80823BC: call_func (eval.c:8125)
==8346== by 0x8085E83: get_func_tv (eval.c:7971)
==8346== by 0x808B460: ex_call (eval.c:3343)
==8346== by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
==8346== by 0x80A9727: do_cmdline (ex_docmd.c:1096)
==8346== by 0x8081B4C: call_user_func (eval.c:21320)
==8346== by 0x80823BC: call_func (eval.c:8125)
==8346== by 0x8085E83: get_func_tv (eval.c:7971)
==8346== by 0x808B460: ex_call (eval.c:3343)
==8346== by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
==8346== by 0x80A9727: do_cmdline (ex_docmd.c:1096)
==8346== by 0x8081B4C: call_user_func (eval.c:21320)
==8346== by 0x80823BC: call_func (eval.c:8125)
==8346== by 0x8085E83: get_func_tv (eval.c:7971)
==8346== by 0x8084752: eval7 (eval.c:5019)
==8346== by 0x80849E3: eval6 (eval.c:4686)
==8346== by 0x8084C2B: eval5 (eval.c:4502)
==8346== by 0x8085009: eval4 (eval.c:4197)
==8346== by 0x808597B: eval3 (eval.c:4109)
==8346== by 0x8085ABB: eval1 (eval.c:4038)
==8346== by 0x8086CAC: eval0 (eval.c:3920)
==8346== by 0x808708B: eval_to_string (eval.c:1302)
(several other errors after that)
eval.c:
8125 call_user_func(fp, argcount, argvars, rettv,
8126 firstline, lastline,
8127 (fp->uf_flags & FC_DICT) ? selfdict : NULL);
....
8203 name[len] = cc; <------- Write to freed memory
It's still unclear to me how to fix it though.
Cheers
-- Dominique
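An added example, not code from Vim or from either poster, illustrating the pattern the Valgrind report above points at. The trace shows do_map freeing a block from inside call_user_func, and call_func then storing name[len] = cc into that freed block. The sketch below assumes (a reconstruction, not something the thread establishes) that `name` points into the mapping's rhs string, which the caller NUL-terminates in place to isolate the function name and restores after the call; the user function, like a :map run from inside a Vim function, replaces that rhs and frees the old one. A quarantining allocator stands in for Valgrind so the stray store is counted rather than being undefined behaviour, and the in-place variant sits beside one that copies the name out before the call, which is one general mitigation for this shape of bug. All names (q_strdup, remap_self, call_func_in_place, call_func_copied, run_variant) and the sample rhs strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- quarantining allocator: plays the role Valgrind played in the report ---- */
struct blk { char *p; size_t n; int freed; };
static struct blk blocks[16];
static int nblocks;
static int invalid_writes;           /* stores that landed in a freed block */

/* Copy a string into a tracked heap block. */
static char *q_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    memcpy(p, s, n);
    blocks[nblocks++] = (struct blk){ p, n, 0 };
    return p;
}

/* "Free" a block: mark it dead but keep it mapped, so a later store through a
 * dangling pointer can be counted instead of being undefined behaviour. */
static void q_free(char *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].p == p) blocks[i].freed = 1;
}

/* Every store in the toy evaluator goes through here so it can be checked. */
static void q_store(char *p, char c) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].freed && p >= blocks[i].p && p < blocks[i].p + blocks[i].n)
            invalid_writes++;
    *p = c;
}

static void q_release_all(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);
    nblocks = 0;
}

/* ---- a toy mapping evaluator with the same shape as the trace (assumed) ---- */
struct mapping { char *rhs; };               /* constructed, e.g. "RemapSelf()" */
typedef int (*user_func_t)(struct mapping *);

/* The user function: like a :map run from inside a Vim function (do_map in the
 * trace), it replaces the rhs of the mapping that is currently being evaluated. */
static int remap_self(struct mapping *m) {
    q_free(m->rhs);
    m->rhs = q_strdup("OtherFunc()");
    return 42;
}

static struct { const char *name; user_func_t fn; } table[] = {
    { "RemapSelf", remap_self }
};

static user_func_t lookup(const char *name) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0) return table[i].fn;
    return NULL;
}

/* Vulnerable shape (assumed to mirror call_func in the report): isolate the
 * name in place, call, then restore the saved character. */
static int call_func_in_place(struct mapping *m) {
    char *name = m->rhs;
    size_t len = strcspn(name, "(");
    char cc = name[len];
    q_store(&name[len], '\0');       /* temporarily NUL-terminate the name */
    user_func_t fn = lookup(name);
    int rv = fn ? fn(m) : -1;        /* may free the block `name` points into */
    q_store(&name[len], cc);         /* restore: write-after-free if it did */
    return rv;
}

/* Hardened shape: copy the name out first; nothing is written back into rhs. */
static int call_func_copied(struct mapping *m) {
    char name[64];
    size_t len = strcspn(m->rhs, "(");
    if (len >= sizeof name) return -1;
    memcpy(name, m->rhs, len);
    name[len] = '\0';
    user_func_t fn = lookup(name);
    return fn ? fn(m) : -1;
}

/* Run one variant on a fresh mapping; returns how many stores hit freed memory
 * (or -1 if the call itself did not return the expected value). */
static int run_variant(int (*variant)(struct mapping *)) {
    struct mapping m = { q_strdup("RemapSelf()") };
    invalid_writes = 0;
    int rv = variant(&m);
    q_release_all();
    return rv == 42 ? invalid_writes : -1;
}

int main(void) {
    printf("in-place restore: %d invalid write(s)\n", run_variant(call_func_in_place));
    printf("copied name:      %d invalid write(s)\n", run_variant(call_func_copied));
    return 0;
}
```

The in-place variant reports one invalid write and the copying variant none. Replacing the quarantine with a real free() turns the first variant into exactly the kind of "Invalid write of size 1 ... inside a block ... free'd" finding Valgrind produced above, which is why running the reproducer under Valgrind (or a build with -fsanitize=address) surfaces the defect even when no crash follows.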