[vim/vim] Segfault with ale linter and automatic buffer tabification (#2239)


npit

Oct 23, 2017, 12:31:24 PM
to vim/vim, Subscribed

Using the ale linter plugin with the following option to open new files in tabs:

au BufAdd,BufNewFile * nested tab sball

causes a segfault.



Christian Brabandt

Oct 23, 2017, 1:02:56 PM
to vim/vim, Subscribed

can you give a specific reproducible example?

npit

Oct 23, 2017, 1:55:12 PM
to vim/vim, Subscribed

can you give a specific reproducible example?

Steps to reproduce (tested on my arch machine and a near-vanilla lubuntu zesty VM):

  • Install vim-plug
  • Install python-dev and python3-dev for YCM
  • Install YCM in ~/.vim/plugged, compile with the default language support
  • Put in your vimrc the stuff below:
call plug#begin('~/.vim/plugged')
Plug 'Valloric/YouCompleteMe'
call plug#end()
au BufAdd,BufNewFile * nested tab sball
  • I can reproduce the segmentation fault on my own files as well as on a file from tensorflow:
git clone https://github.com/tensorflow/tensorflow.git
cd tensorflow
vim tensorflow/python/util/decorator_utils_test.py

In vim

  • goto line 36
  • type self.
  • press and hold C-N to crash

In some files you have to hold C-N, in others just pressing it a couple of times is enough.

Dominique Pellé

Oct 23, 2017, 1:59:59 PM
to vim/vim, Subscribed

I have not had the time to try to reproduce it.

Could you perhaps reproduce the bug when running Vim with valgrind,
or when building Vim with asan? You can build Vim with asan by uncommenting
this line in vim/src/Makefile:

#SANITIZER_CFLAGS = -g -O0 -fsanitize=address -fno-omit-frame-pointer

Then reproduce the crash and it should give more useful information on
stderr (stacks, etc.)

Also, which version of Vim are you using? Make sure you use the latest
one in Git to avoid running into issues already fixed.

Christian Brabandt

Oct 23, 2017, 4:18:47 PM
to vim/vim, Subscribed

please show exact version and, as Dominique pointed out, try to get a stacktrace from asan or use valgrind and show the resulting logfile. Also I am confused, is this a YCM or ale related crash?

npit

Oct 24, 2017, 5:51:55 AM
to vim/vim, Subscribed

please show exact version

vim --version yields:

VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Oct  7 2017 13:52:29)
Included patches: 1-1176
Compiled by Arch Linux
Huge version without GUI.  Features included (+) or not (-):
+acl             +file_in_path    +mouse_sgr       +tag_old_static
+arabic          +find_in_path    -mouse_sysmouse  -tag_any_white
+autocmd         +float           +mouse_urxvt     +tcl/dyn
-balloon_eval    +folding         +mouse_xterm     +termguicolors
-browse          -footer          +multi_byte      +terminal
++builtin_terms  +fork()          +multi_lang      +terminfo
+byte_offset     +gettext         -mzscheme        +termresponse
+channel         -hangul_input    +netbeans_intg   +textobjects
+cindent         +iconv           +num64           +timers
-clientserver    +insert_expand   +packages        +title
-clipboard       +job             +path_extra      -toolbar
+cmdline_compl   +jumplist        +perl/dyn        +user_commands
+cmdline_hist    +keymap          +persistent_undo +vertsplit
+cmdline_info    +lambda          +postscript      +virtualedit
+comments        +langmap         +printer         +visual
+conceal         +libcall         +profile         +visualextra
+cryptv          +linebreak       +python/dyn      +viminfo
+cscope          +lispindent      +python3/dyn     +vreplace
+cursorbind      +listcmds        +quickfix        +wildignore
+cursorshape     +localmap        +reltime         +wildmenu
+dialog_con      +lua/dyn         +rightleft       +windows
+diff            +menu            +ruby/dyn        +writebackup
+digraphs        +mksession       +scrollbind      -X11
-dnd             +modify_fname    +signs           -xfontset
-ebcdic          +mouse           +smartindent     -xim
+emacs_tags      -mouseshape      +startuptime     -xpm
+eval            +mouse_dec       +statusline      -xsmp
+ex_extra        +mouse_gpm       -sun_workshop    -xterm_clipboard
+extra_search    -mouse_jsbterm   +syntax          -xterm_save
+farsi           +mouse_netterm   +tag_binary      
   system vimrc file: "/etc/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H   -D_FORTIFY_SOURCE=2  -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1       
Linking: gcc   -L. -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -fstack-protector -rdynamic -Wl,-export-dynamic -Wl,-E -Wl,-rpath,/usr/lib/perl5/5.26/core_perl/CORE  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -L/usr/local/lib -Wl,--as-needed -o vim        -lm -lncurses -lelf -lnsl    -lacl -lattr -lgpm -ldl   -Wl,-E -Wl,-rpath,/usr/lib/perl5/5.26/core_perl/CORE -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -fstack-protector-strong -L/usr/local/lib  -L/usr/lib/perl5/5.26/core_perl/CORE -lperl -lpthread -lnsl -ldl -lm -lcrypt -lutil -lc   -L/usr/lib -ltclstub8.6 -ldl -lz -lpthread -lieee -lm     

Make sure you use the latest one in Git to avoid running into issues already fixed.

I am sorry, I do not have the time to configure & build vim from source.

Also I am confused, is this a YCM or ale related crash?

It is a YCM-related crash but I messed up the original thread title. I am sorry for the confusion.

Dominique Pellé

Oct 24, 2017, 7:02:58 AM
to vim/vim, Subscribed

I can reproduce it with the latest vim-8.0.1214 (latest in git).
Vim crashes when pressing CTRL-N after doing the steps described
by @npit in earlier comments.

When Vim is built with the address sanitizer, I get this error
after pressing CTRL-N:

=================================================================
==9894==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621001195113 at pc 0x000000672f25 bp 0x7ffdb44e9870 sp 0x7ffdb44e9860
READ of size 1 at 0x621001195113 thread T0
    #0 0x672f24 in utf_head_off /home/dope/sb/vim/src/mbyte.c:3833
    #1 0x9abac7 in getvcol /home/dope/sb/vim/src/charset.c:1302
    #2 0x9ace3f in getvvcol /home/dope/sb/vim/src/charset.c:1477
    #3 0x65ecd7 in curs_columns /home/dope/sb/vim/src/move.c:962
    #4 0x65cc0f in validate_cursor /home/dope/sb/vim/src/move.c:642
    #5 0x7bffae in setcursor /home/dope/sb/vim/src/screen.c:9432
    #6 0x462c50 in show_pum /home/dope/sb/vim/src/edit.c:5752
    #7 0x462a52 in ins_complete /home/dope/sb/vim/src/edit.c:5729
    #8 0x44f801 in edit /home/dope/sb/vim/src/edit.c:1460
    #9 0x6b2b74 in invoke_edit /home/dope/sb/vim/src/normal.c:9181
    #10 0x6b29a9 in nv_edit /home/dope/sb/vim/src/normal.c:9151
    #11 0x67fffd in normal_cmd /home/dope/sb/vim/src/normal.c:1150
    #12 0x9b61af in main_loop /home/dope/sb/vim/src/main.c:1364
    #13 0x9b5496 in vim_main2 /home/dope/sb/vim/src/main.c:905
    #14 0x9b4802 in main /home/dope/sb/vim/src/main.c:429
    #15 0x7fae2743b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x411fa8 in _start (/home/dope/sb/vim/src/vim+0x411fa8)

0x621001195113 is located 19 bytes to the right of 4096-byte region [0x621001194100,0x621001195100)
allocated by thread T0 here:
    #0 0x7fae2b6d2602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x648fed in lalloc /home/dope/sb/vim/src/misc2.c:954
    #2 0x648e4a in alloc /home/dope/sb/vim/src/misc2.c:852
    #3 0x9c264b in mf_alloc_bhdr /home/dope/sb/vim/src/memfile.c:907
    #4 0x9c09b7 in mf_new /home/dope/sb/vim/src/memfile.c:381
    #5 0x605446 in ml_new_data /home/dope/sb/vim/src/memline.c:3515
    #6 0x5f718e in ml_open /home/dope/sb/vim/src/memline.c:400
    #7 0x4135d0 in open_buffer /home/dope/sb/vim/src/buffer.c:163
    #8 0x41a6df in enter_buffer /home/dope/sb/vim/src/buffer.c:1788
    #9 0x41a101 in set_curbuf /home/dope/sb/vim/src/buffer.c:1722
    #10 0x42ca01 in ex_buffer_all /home/dope/sb/vim/src/buffer.c:5298
    #11 0x522d13 in do_one_cmd /home/dope/sb/vim/src/ex_docmd.c:2908
    #12 0x51b382 in do_cmdline /home/dope/sb/vim/src/ex_docmd.c:1071
    #13 0x59e934 in apply_autocmds_group /home/dope/sb/vim/src/fileio.c:9629
    #14 0x59d563 in apply_autocmds /home/dope/sb/vim/src/fileio.c:9173
    #15 0x41c1e8 in buflist_new /home/dope/sb/vim/src/buffer.c:2141
    #16 0x4ec028 in do_ecmd /home/dope/sb/vim/src/ex_cmds.c:3845
    #17 0x721572 in pum_set_selected /home/dope/sb/vim/src/popupmnu.c:601
    #18 0x71feab in pum_display /home/dope/sb/vim/src/popupmnu.c:267
    #19 0x45664c in ins_compl_show_pum /home/dope/sb/vim/src/edit.c:3098
    #20 0x462c4b in show_pum /home/dope/sb/vim/src/edit.c:5751
    #21 0x462a52 in ins_complete /home/dope/sb/vim/src/edit.c:5729
    #22 0x44f801 in edit /home/dope/sb/vim/src/edit.c:1460
    #23 0x6b2b74 in invoke_edit /home/dope/sb/vim/src/normal.c:9181
    #24 0x6b29a9 in nv_edit /home/dope/sb/vim/src/normal.c:9151
    #25 0x67fffd in normal_cmd /home/dope/sb/vim/src/normal.c:1150
    #26 0x9b61af in main_loop /home/dope/sb/vim/src/main.c:1364
    #27 0x9b5496 in vim_main2 /home/dope/sb/vim/src/main.c:905
    #28 0x9b4802 in main /home/dope/sb/vim/src/main.c:429
    #29 0x7fae2743b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dope/sb/vim/src/mbyte.c:3833 utf_head_off
Shadow bytes around the buggy address:
  0x0c428022a9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428022a9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428022a9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428022aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c428022aa10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c428022aa20: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428022aa30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428022aa40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428022aa50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428022aa60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c428022aa70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==9894==ABORTING

I'll find time to debug later.

micbou

Oct 24, 2017, 10:29:40 AM
to vim/vim, Subscribed

A simpler way to reproduce the crash is to use the default Python omnifunc:

  • start Vim with the following vimrc:
set nocompatible

filetype plugin on

au BufAdd,BufNewFile * nested tab sball
  • create a new Python file and insert the code:
import os
os.
  • trigger the pythoncomplete#Complete omnifunc with <C-X><C-O>;
  • go through the list of completions by continuously pressing the <C-N> key.

It should segfault after a few seconds.

I don't think opening a new tab each time the preview window is opened is desirable so I would ignore this window to avoid the crash:

au BufAdd,BufNewFile * nested call Tabify()

function! Tabify()
  if !&previewwindow
    tab sball
  endif
endfunction

Christian Brabandt

Oct 24, 2017, 10:58:07 AM
to vim/vim, Subscribed

Hm, I see a different stacktrace:

#0  __memmove_sse2_unaligned_erms ()
    at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:479
#1  0x000055555567ad73 in ins_char_bytes (buf=0x555555dc6d98 "(", charlen=1) at misc1.c:2316
#2  0x000055555567a9c0 in ins_bytes_len (p=0x555555dc6d97 "d(", len=2) at misc1.c:2162
#3  0x000055555567a939 in ins_bytes (p=0x555555dc6d97 "d(") at misc1.c:2137
#4  0x00005555555c8b36 in ins_compl_insert (in_compl_func=0) at edit.c:4718
#5  0x00005555555c91e0 in ins_compl_next (allow_get_expansion=1, count=1, insert_match=1,
    in_compl_func=0) at edit.c:4916
#6  0x00005555555ca78f in ins_complete (c=14, enable_pum=1) at edit.c:5577
#7  0x00005555555c30fb in edit (cmdchar=105, startln=0, count=1) at edit.c:1460
#8  0x00005555556a9a40 in invoke_edit (cap=0x7fffffffdf30, repl=0, cmd=105, startln=0) at normal.c:9182
#9  0x00005555556a99bc in nv_edit (cap=0x7fffffffdf30) at normal.c:9152
#10 0x000055555569b4ed in normal_cmd (oap=0x7fffffffe000, toplevel=1) at normal.c:1150
#11 0x00005555557de166 in main_loop (cmdwin=0, noexmode=0) at main.c:1364
#12 0x00005555557dd8d2 in vim_main2 () at main.c:905
#13 0x00005555557dd08a in main (argc=3, argv=0x7fffffffe1f8) at main.c:429

frame 1
p linelen
10
p col
11

I think, this patch should fix it:

diff --git a/src/misc1.c b/src/misc1.c
index f7789ff79..e5ab1328e 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -2313,7 +2313,8 @@ ins_char_bytes(char_u *buf, int charlen)

     /* Copy bytes after the changed character(s). */
     p = newp + col;
-    mch_memmove(p + newlen, oldp + col + oldlen,
+    if (linelen > (col + oldlen))
+       mch_memmove(p + newlen, oldp + col + oldlen,
                                            (size_t)(linelen - col - oldlen));

     /* Insert or overwrite the new character. */
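Review bot: the added `if (linelen > (col + oldlen))` only avoids the wrapped `(size_t)` length when the tail would be negative; it does not address why `col` (11 in the gdb output above) exceeds `linelen` (10) in the first place, and `p = newp + col;` together with the following `/* Insert or overwrite the new character. */` step still writes at that out-of-range column, so this hides the memmove symptom rather than rejecting the bad input. Suggest validating `col <= linelen` at function entry and treating a violation as an internal error, instead of or in addition to guarding the copy; a zero-length move when `linelen == col + oldlen` is harmless either way.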

After recompiling with asan enabled, I still get a crash (much later) with the same trace as Dominique.

Will have a look later.
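The gdb values above (linelen 10, col 11) show the failure mode behind the memmove crash: a tail length computed as an int goes negative and the cast to size_t wraps it to a huge value. The following is an added example, not Vim's code; insert_at_col() and insert_matches() are hypothetical helpers that mirror the "copy prefix, insert new bytes, move the tail" shape of the insert step and reject a column past the end of the line instead of letting the subtraction underflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Vim code): the length expression from the
 * unguarded copy.  When col + oldlen exceeds linelen the int result is
 * negative and the cast wraps it to a huge size_t, so memmove() reads and
 * writes far past both buffers. */
size_t unguarded_tail_len(int linelen, int col, int oldlen)
{
    return (size_t)(linelen - col - oldlen);
}

/* Hypothetical replacement for the insert step: copy `line` into `out`,
 * replacing `oldlen` bytes at byte offset `col` with `ins`.  Returns false
 * (and writes nothing) when the column is past the end of the line or the
 * destination is too small, instead of letting the subtraction underflow. */
bool insert_at_col(const char *line, int col, int oldlen,
                   const char *ins, char *out, size_t outsz)
{
    size_t linelen = strlen(line);
    size_t newlen = strlen(ins);

    if (col < 0 || oldlen < 0)
        return false;
    /* The invariant the crash violated: the cursor column (plus the bytes
     * being replaced) must lie within the line. */
    if ((size_t)col + (size_t)oldlen > linelen)
        return false;
    if (linelen - (size_t)oldlen + newlen + 1 > outsz)
        return false;

    size_t tail = linelen - (size_t)col - (size_t)oldlen;   /* cannot underflow here */
    memcpy(out, line, (size_t)col);                         /* bytes before col */
    memcpy(out + col, ins, newlen);                         /* the inserted bytes */
    memmove(out + col + newlen, line + col + oldlen, tail); /* bytes after */
    out[(size_t)col + newlen + tail] = '\0';
    return true;
}

/* Convenience check: true when insertion succeeds and produces exactly `expect`. */
bool insert_matches(const char *line, int col, int oldlen,
                    const char *ins, const char *expect)
{
    char out[128];
    if (!insert_at_col(line, col, oldlen, ins, out, sizeof out))
        return false;
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed sample: a 10-byte line, matching linelen 10 from the gdb session. */
    const char *line = "abcdefghij";
    char out[128];

    printf("unguarded tail length for col 11: %zu\n", unguarded_tail_len(10, 11, 0));
    if (insert_at_col(line, 3, 0, "d(", out, sizeof out))
        printf("insert at col 3: %s\n", out);
    if (!insert_at_col(line, 11, 0, "d(", out, sizeof out))
        printf("insert at col 11 rejected\n");
    return 0;
}
```

The check is on the caller's invariant (col within the line), not on the computed length: a guard on the length alone would skip the move but leave the later writes at the bad column unchecked.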

Christian Brabandt

Oct 24, 2017, 11:15:28 AM
to vim/vim, Subscribed

looking a bit further, I see that pos->col is greater than the line pointer.

So how about this patch:

diff --git a/src/charset.c b/src/charset.c
index 4516816fe..ca07e066e 100644
--- a/src/charset.c
+++ b/src/charset.c
@@ -1287,6 +1287,8 @@ getvcol(

     vcol = 0;
     line = ptr = ml_get_buf(wp->w_buffer, pos->lnum, FALSE);
+    if (pos->col > (colnr_T)STRLEN(ptr))
+       pos->col = STRLEN(ptr);
     if (pos->col == MAXCOL)
        posptr = NULL;  /* continue until the NUL */
     else
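Review bot: the clamp is placed before the `if (pos->col == MAXCOL)` check, so a caller passing the MAXCOL sentinel (the "continue until the NUL" case) now has it rewritten to `STRLEN(ptr)` and `posptr` is no longer set to NULL, which changes behaviour for every such caller; move the clamp into the `else` branch or exclude MAXCOL explicitly. Also, mutating `pos->col` inside getvcol() turns a read-only query into one with a side effect on the caller's position, and the assignment `pos->col = STRLEN(ptr);` drops the `(colnr_T)` cast used in the comparison; prefer a local clamped copy with the cast applied.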

This might be only a workaround, not sure why pos->col would be larger than expected.

Christian Brabandt

Oct 25, 2017, 6:22:37 AM
to vim/vim, Subscribed

Okay, so the completion code cannot handle that the tabpages are switched. BTW: That autocommand does not make any sense here. It will add many many unnamed tabpages just for those preview windows. I intentionally did not disable autocommands for the preview window, that might be another solution. Here is a fix that saves and restores the tabpage correctly after the preview window has been opened. chrisbra/vim@8e16782
Patch includes a test.

Also I think that this commit: chrisbra/vim@8ff15fe
(minus the sanitizer flags) should be included as well as a safeguard.

Bram Moolenaar

Oct 26, 2017, 4:04:47 PM
to vim/vim, Subscribed

Closed #2239 via 9ad89c6.
