Vim crashes when adding/removing virtual text


Yegappan Lakshmanan

Apr 16, 2023, 3:57:08 PM
to Vimdev
Hi,

If you source the attached script and press <F3> multiple times
(at least 40 times) followed by <F4> multiple times, you will see that
Vim crashes. Also this script illustrates the problem with virtual text
not rendering properly when a line starts with a tab character.

The ASAN traceback is below:

=================================================================
==67409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6080000153f3 at pc 0x7f25e1e39c23 bp 0x7ffcd0a71fd0 sp 0x7ffcd0a71778
WRITE of size 88 at 0x6080000153f3 thread T0
#0 0x7f25e1e39c22 in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
#1 0x55c51d913be1 in text_prop_position /home/yega/Documents/vim/vimlsp/vim/src/drawline.c:723
#2 0x55c51d926ed2 in win_line /home/yega/Documents/vim/vimlsp/vim/src/drawline.c:2124
#3 0x55c51d961278 in win_update /home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:2484
#4 0x55c51d941534 in update_screen /home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:324
#5 0x55c51e5e9298 in main_loop /home/yega/Documents/vim/vimlsp/vim/src/main.c:1427
#6 0x55c51e5e79e0 in vim_main2 /home/yega/Documents/vim/vimlsp/vim/src/main.c:887
#7 0x55c51e5e6e23 in main /home/yega/Documents/vim/vimlsp/vim/src/main.c:433
#8 0x7f25e1029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f25e1029e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x55c51d7bb784 in _start (/home/yega/Documents/vim/vimlsp/vim/src/vim+0x129f784)

0x6080000153f3 is located 0 bytes to the right of 83-byte region [0x6080000153a0,0x6080000153f3)
allocated by thread T0 here:
#0 0x7f25e1eb4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55c51d7bbc3c in lalloc /home/yega/Documents/vim/vimlsp/vim/src/alloc.c:246
#2 0x55c51d7bb9fe in alloc /home/yega/Documents/vim/vimlsp/vim/src/alloc.c:151
#3 0x55c51d913aa6 in text_prop_position /home/yega/Documents/vim/vimlsp/vim/src/drawline.c:712
#4 0x55c51d926ed2 in win_line /home/yega/Documents/vim/vimlsp/vim/src/drawline.c:2124
#5 0x55c51d961278 in win_update /home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:2484
#6 0x55c51d941534 in update_screen /home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:324
#7 0x55c51e5e9298 in main_loop /home/yega/Documents/vim/vimlsp/vim/src/main.c:1427
#8 0x55c51e5e79e0 in vim_main2 /home/yega/Documents/vim/vimlsp/vim/src/main.c:887
#9 0x55c51e5e6e23 in main /home/yega/Documents/vim/vimlsp/vim/src/main.c:433
#10 0x7f25e1029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
Shadow bytes around the buggy address:
0x0c107fffaa20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c107fffaa70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[03]fa
0x0c107fffaa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==67409==ABORTING

- Yegappan
vtext.vim

Bram Moolenaar

May 2, 2023, 7:39:11 PM
to vim...@googlegroups.com, Yegappan Lakshmanan

[resend, picky postmaster refused the message]

Yegappan wrote:

> If you source the attached script and press <F3> multiple times
> (at least 40 times) followed by <F4> multiple times, you will see that
> Vim crashes. Also this script illustrates the problem with virtual text
> not rendering properly when a line starts with a tab character.
>
> The ASAN traceback is below:

Weird behavior. I managed to have this crash valgrind.

It doesn't look like it has anything to do with a Tab character, but
with a very large "padding" value. Computations then cause the "after"
count to go negative.

I'll make a fix with a much simpler test. You can check with the
complicated reproduction case as well.

--
An SQL statement walks into a bar. He approaches two tables
and says, "Mind if I join you?"

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
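Bram's diagnosis above (a very large "padding" value driving the "after" count negative, after which the rendering code hands memset() more bytes than the line buffer holds) is the whole bug class behind the ASAN report in the first message. The C below is an added model written for this thread, not Vim's drawline.c code and not how text_prop_position is actually written: the type and function names (vtext_layout_T, layout_unchecked, layout_clamped, layout_is_safe, render_clamped) and the inputs (an 80-cell window, 3 cells of text, a padding of 1000) are constructed, and the assumption that the negative "after" cancels out of the allocation size while the fills still use the positive counts is the model's, chosen to reproduce the symptom ASAN shows, a write that ends just past an allocation sized from the same arithmetic. It shows the unchecked arithmetic, the invariant a renderer should check before touching memory, and a clamped computation that keeps every count non-negative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not Vim's code) of the per-line layout a renderer
 * computes for virtual text: 'before' blank cells, the text (n_used cells),
 * 'padding' blank cells, then 'after' blank cells up to the window width. */
typedef struct {
    int before, n_used, padding, after;
    size_t alloc_len;   /* bytes the renderer would allocate for the line */
    size_t write_end;   /* offset just past the last byte the padding fill touches */
} vtext_layout_T;

/* Unchecked arithmetic: a very large padding drives 'after' negative; the
 * negative value cancels out of the allocation size, but the padding fill
 * still gets the full positive count and runs past the end of the buffer. */
vtext_layout_T layout_unchecked(int width, int before, int n_used, int padding)
{
    vtext_layout_T l;
    l.before = before;
    l.n_used = n_used;
    l.padding = padding;
    l.after = width - (before + n_used + padding);
    l.alloc_len = (size_t)(before + n_used + padding + l.after + 1);
    l.write_end = (size_t)(before + n_used + padding);
    return l;
}

/* Same layout with every count clamped to the cells actually available. */
vtext_layout_T layout_clamped(int width, int before, int n_used, int padding)
{
    vtext_layout_T l;
    if (width < 0) width = 0;
    if (before < 0) before = 0;
    if (before > width) before = width;
    if (n_used < 0) n_used = 0;
    if (n_used > width - before) n_used = width - before;
    if (padding < 0) padding = 0;
    if (padding > width - before - n_used) padding = width - before - n_used;
    l.before = before;
    l.n_used = n_used;
    l.padding = padding;
    l.after = width - (before + n_used + padding);   /* never negative now */
    l.alloc_len = (size_t)width + 1;
    l.write_end = (size_t)(before + n_used + padding);
    return l;
}

/* Invariant a renderer should check before calling memset(): no negative
 * counts, and the blank fills end inside the allocation (room for the NUL). */
int layout_is_safe(const vtext_layout_T *l)
{
    return l->before >= 0 && l->n_used >= 0 && l->padding >= 0 && l->after >= 0
        && l->write_end + (size_t)l->after < l->alloc_len;
}

/* Convenience: would the unchecked layout for these inputs pass the invariant? */
int unchecked_request_is_safe(int width, int before, int n_used, int padding)
{
    vtext_layout_T l = layout_unchecked(width, before, n_used, padding);
    return layout_is_safe(&l);
}

/* Render the clamped layout into a fresh NUL-terminated buffer (caller frees),
 * or return NULL if the text is shorter than n_used or the invariant fails. */
char *render_clamped(int width, int before, int n_used, int padding, const char *text)
{
    vtext_layout_T l = layout_clamped(width, before, n_used, padding);
    if (!layout_is_safe(&l) || strlen(text) < (size_t)l.n_used)
        return NULL;
    char *buf = malloc(l.alloc_len);
    if (buf == NULL)
        return NULL;
    memset(buf, ' ', (size_t)l.before);
    memcpy(buf + l.before, text, (size_t)l.n_used);
    memset(buf + l.before + l.n_used, ' ', (size_t)l.padding);
    memset(buf + l.before + l.n_used + l.padding, ' ', (size_t)l.after);
    buf[l.alloc_len - 1] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed inputs: an 80-cell window, 3-cell text, padding of 1000. */
    vtext_layout_T bad = layout_unchecked(80, 0, 3, 1000);
    printf("unchecked: after=%d alloc=%zu write_end=%zu safe=%d\n",
           bad.after, bad.alloc_len, bad.write_end, layout_is_safe(&bad));
    char *line = render_clamped(80, 0, 3, 1000, "foo");
    if (line != NULL)
    {
        printf("clamped: rendered %zu cells: \"%s\"\n", strlen(line), line);
        free(line);
    }
    return 0;
}
```

With the constructed inputs the unchecked layout reports after=-923, an allocation of 81 bytes and a padding fill that ends at offset 1003, which is exactly the shape of the report (a write ending past the end of a region sized by the same arithmetic); the clamped layout reduces the padding to the 77 cells that remain and renders an 80-cell line. The useful habit is the invariant in layout_is_safe: compute the layout, check that no count is negative and that the fills end inside the allocation, and only then call memset().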
