[vim/vim] 9.0.815 segfaults whenever `:![anything]` is run (Issue #11424)


chdiza

Oct 22, 2022, 10:02:27 AM
to vim/vim, Subscribed

Steps to reproduce

Start vim, and try :!ls.

Expected behaviour

I expect Vim not to crash. But it does. Please revert.

Version of Vim

9.0.815

Environment

Ubuntu 20.04

Logs and stack traces

No response


Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread.Message ID: <vim/vim/issues/11424@github.com>

Dominique Pellé

Oct 22, 2022, 12:52:10 PM
to vim/vim, Subscribed

With my ~/.vimrc, Vim crashes on startup at 9.0.0815. And with asan, I see:

=================================================================
==7593==ERROR: AddressSanitizer: heap-use-after-free on address 0x000108764450 at pc 0x000104a83200 bp 0x00016dbfc320 sp 0x00016dbfbad8
READ of size 2 at 0x000108764450 thread T0
    #0 0x104a831fc in wrap_strlen+0x164 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x131fc)
    #1 0x1025b8f04 in do_bang ex_cmds.c:934
    #2 0x102661000 in ex_bang ex_docmd.c:8169
    #3 0x102603710 in do_one_cmd ex_docmd.c:2578
    #4 0x1025f1ad0 in do_cmdline ex_docmd.c:990
    #5 0x102db6ce8 in do_source_ext scriptfile.c:1667
    #6 0x102db3520 in do_source scriptfile.c:1811
    #7 0x1035f85f4 in source_startup_scripts main.c:3235
    #8 0x1035ec9d8 in main main.c:420
    #9 0x1042d1088 in start+0x204 (dyld:arm64e+0x5088)

0x000108764450 is located 0 bytes inside of 27-byte region [0x000108764450,0x00010876446b)
freed by thread T0 here:
    #0 0x104aad090 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3d090)
    #1 0x1021ff3f4 in vim_free alloc.c:615
    #2 0x1025b8ef4 in do_bang ex_cmds.c:933
    #3 0x102661000 in ex_bang ex_docmd.c:8169
    #4 0x102603710 in do_one_cmd ex_docmd.c:2578
    #5 0x1025f1ad0 in do_cmdline ex_docmd.c:990
    #6 0x102db6ce8 in do_source_ext scriptfile.c:1667
    #7 0x102db3520 in do_source scriptfile.c:1811
    #8 0x1035f85f4 in source_startup_scripts main.c:3235
    #9 0x1035ec9d8 in main main.c:420
    #10 0x1042d1088 in start+0x204 (dyld:arm64e+0x5088)

previously allocated by thread T0 here:
    #0 0x104aacf54 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3cf54)
    #1 0x1021fefe8 in lalloc alloc.c:246
    #2 0x1021fef34 in alloc alloc.c:151
    #3 0x1025b8e38 in do_bang ex_cmds.c:922
    #4 0x102661000 in ex_bang ex_docmd.c:8169
    #5 0x102603710 in do_one_cmd ex_docmd.c:2578
    #6 0x1025f1ad0 in do_cmdline ex_docmd.c:990
    #7 0x102db6ce8 in do_source_ext scriptfile.c:1667
    #8 0x102db3520 in do_source scriptfile.c:1811
    #9 0x1035f85f4 in source_startup_scripts main.c:3235
    #10 0x1035ec9d8 in main main.c:420
    #11 0x1042d1088 in start+0x204 (dyld:arm64e+0x5088)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x131fc) in wrap_strlen+0x164
Shadow bytes around the buggy address:
  0x00702110c830: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
  0x00702110c840: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x00702110c850: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x00702110c860: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fa
  0x00702110c870: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
=>0x00702110c880: 06 fa fa fa 00 00 00 07 fa fa[fd]fd fd fd fa fa
  0x00702110c890: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 00 04
  0x00702110c8a0: fa fa 00 00 05 fa fa fa 00 00 00 02 fa fa fd fd
  0x00702110c8b0: fd fa fa fa 00 00 00 07 fa fa fd fd fd fd fa fa
  0x00702110c8c0: 00 00 02 fa fa fa 00 00 00 05 fa fa 00 00 06 fa
  0x00702110c8d0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7593==ABORTING
Vim: Caught deadly signal ABRT
Vim: Finished.
Abort trap: 6

And:

$ ./vim --clean -c'!'
Vim: Caught deadly signal ABRT
Vim: Finished.
Abort trap: 6


Marius Gedminas

Oct 22, 2022, 2:54:22 PM
to vim/vim, Subscribed

I'm seeing this too with 9.0.815. gdb shows the SIGSEGV happening at

(gdb) bt
#0  0x00007ffff5ea07cf in tcache_get (tc_idx=<optimized out>) at ./malloc/malloc.c:3190
#1  __GI___libc_malloc (bytes=3) at ./malloc/malloc.c:3307
#2  0x00005555555f004c in lalloc (size=3, message=1) at alloc.c:246
#3  0x00005555555efee0 in alloc (size=3) at alloc.c:151
#4  0x000055555576885a in unix_build_argv (cmd=0x555555fce620 "/bin/bash", argvp=0x7fffffffcb10, sh_tofree=0x7fffffffcb18, shcf_tofree=0x7fffffffcb20) at os_unix.c:4449
#5  0x0000555555768ce0 in mch_call_shell_fork (cmd=0x555555fce620 "/bin/bash", options=4) at os_unix.c:4674
#6  0x000055555576a106 in mch_call_shell (cmd=0x555555fce620 "/bin/bash", options=4) at os_unix.c:5487
#7  0x000055555572946e in call_shell (cmd=0x555555fce620 "/bin/bash", opt=4) at misc2.c:1826
#8  0x000055555567f8f2 in do_shell (cmd=0x555555fce620 "/bin/bash", flags=0) at ex_cmds.c:1413
#9  0x000055555567eebe in do_bang (addr_count=0, eap=0x7fffffffcf20, forceit=0, do_in=1, do_out=1) at ex_cmds.c:1009
#10 0x00005555556986ee in ex_bang (eap=0x7fffffffcf20) at ex_docmd.c:8169
#11 0x000055555568d38c in do_one_cmd (cmdlinep=0x7fffffffd150, flags=0, cstack=0x7fffffffd230, fgetline=0x5555556a543d <getexline>, cookie=0x0) at ex_docmd.c:2578
#12 0x000055555568a23e in do_cmdline (cmdline=0x0, fgetline=0x5555556a543d <getexline>, cookie=0x0, flags=0) at ex_docmd.c:990
#13 0x000055555573ca91 in nv_colon (cap=0x7fffffffd920) at normal.c:3183
#14 0x00005555557388a6 in normal_cmd (oap=0x7fffffffd9b0, toplevel=1) at normal.c:920
#15 0x000055555592d7a0 in main_loop (cmdwin=0, noexmode=0) at main.c:1524
#16 0x000055555592ca46 in vim_main2 () at main.c:886
#17 0x000055555592c0b9 in main (argc=1, argv=0x7fffffffdbe8) at main.c:432

Under valgrind vim doesn't crash, but the valgrind log shows a bunch of use-after-free reads and writes in do_bang.


Marius Gedminas

Oct 22, 2022, 2:57:46 PM
to vim/vim, Subscribed

git bisect blames commit 9c50eeb


Shane-XB-Qian

Oct 24, 2022, 2:07:07 AM
to vim/vim, Subscribed

v9.0.815

1,

/bin/bash: line 1: $'\221\247\356^\032Vclear': command not found

shell returned 127

Press ENTER or type command to continueVim: Caught deadly signal SEGV
Segmentation fault

2,


/bin/bash: line 1: $'\370COM\210Uclear': command not found

shell returned 127

Press ENTER or type command to continueVim: Caught deadly signal SEGV
Segmentation fault


Shane-XB-Qian

Oct 24, 2022, 2:08:42 AM
to vim/vim, Subscribed

There are some stray chars, but it was just :!clear


Tony Mechelynck

Oct 24, 2022, 5:10:34 AM
to vim/vim, Subscribed

I confirm the problem.
With :!ls I don't get any output from the ls program, gvim kills itself and Caught deadly signal SEGV appears in the xterm after gvim -S. (Compiled with -terminal, if this makes any difference.)


Tony Mechelynck

Oct 24, 2022, 5:29:50 AM
to vim/vim, Subscribed

P.S. Sorry: ...appears after the shell prompt, one line below gvim -S.


Sudershan Ganesan

Oct 25, 2022, 11:40:39 PM
to vim/vim, Subscribed

I confirm too. Any command starting with :!ls triggers a Caught deadly signal SEGV.


Bram Moolenaar

Oct 27, 2022, 6:15:38 PM
to vim/vim, Subscribed


> ### Steps to reproduce
>
> Start vim, and try `:!ls`.
>
> ### Expected behaviour
>
> I expect Vim not to crash. But it does. Please revert.

Sorry, I had a fix but it looks like it didn't get committed.
There is a stray vim_free() somewhere that should be removed or put
after a condition. Please create a PR if you can. I hope I'll have a
chance to include it.

--
"Lisp has all the visual appeal of oatmeal with nail clippings thrown in."
-- Larry Wall

/// Bram Moolenaar -- ***@***.*** -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

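The failure mode Bram describes, a free placed before the last use of the buffer (the ASan trace earlier in the thread shows the free at ex_cmds.c:933 and the read at :934), as an added example in C that is not Vim's code: bang_buggy reproduces the ordering that ASan flags as heap-use-after-free, and bang_fixed keeps the buffer alive across the call and releases it once on every path. The prefix argument and the fake_call_shell stand-in are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the real shell call (constructed for this example): it only
 * reads the string it is handed and returns its length, so a test can check
 * that the string was still valid when the call happened. */
static int fake_call_shell(const char *cmd)
{
    return (int)strlen(cmd);
}

/* Both variants build "prefix cmd" when a prefix is given and otherwise run
 * cmd unchanged; they return the shell result, or -1 on allocation failure.
 *
 * Buggy ordering, mirroring the defect in the thread: the temporary buffer is
 * freed before the call that reads it. Built with -fsanitize=address, calling
 * this with a non-NULL prefix reports heap-use-after-free inside strlen, the
 * same shape as the ASan trace above. Defined only for comparison; main()
 * does not call it. */
int bang_buggy(const char *prefix, const char *cmd)
{
    const char *to_run = cmd;
    char *newcmd = NULL;

    if (prefix != NULL) {
        size_t n = strlen(prefix) + 1 + strlen(cmd) + 1;
        newcmd = malloc(n);
        if (newcmd == NULL)
            return -1;
        snprintf(newcmd, n, "%s %s", prefix, cmd);
        to_run = newcmd;
    }
    free(newcmd);                   /* stray free: to_run still points here */
    return fake_call_shell(to_run); /* use after free when prefix != NULL */
}

/* Fixed ordering: the buffer outlives its last use and is released exactly
 * once on every path out of the function. free(NULL) is a no-op, so the
 * no-prefix path needs no extra guard; the alternative Bram mentions,
 * putting the free behind "if (newcmd != NULL)", is equivalent. */
int bang_fixed(const char *prefix, const char *cmd)
{
    const char *to_run = cmd;
    char *newcmd = NULL;
    int ret;

    if (prefix != NULL) {
        size_t n = strlen(prefix) + 1 + strlen(cmd) + 1;
        newcmd = malloc(n);
        if (newcmd == NULL)
            return -1;
        snprintf(newcmd, n, "%s %s", prefix, cmd);
        to_run = newcmd;
    }
    ret = fake_call_shell(to_run);  /* last use of the buffer */
    free(newcmd);                   /* then release it */
    return ret;
}

int main(void)
{
    printf("no prefix:   %d\n", bang_fixed(NULL, "ls"));   /* 2 */
    printf("with prefix: %d\n", bang_fixed("env", "ls"));  /* 6 */
    return 0;
}
```

To see the report for the buggy ordering, build with `-fsanitize=address -g` and call bang_buggy("env", "ls") from main: ASan prints a READ in strlen, a "freed by" stack ending in the free() just above it, and a "previously allocated by" stack at the malloc(), which is exactly how the trace in Dominique's message pins the free at line 933 as the one that is out of place.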

Bram Moolenaar

Oct 28, 2022, 4:36:17 AM
to vim...@googlegroups.com, Bram Moolenaar

I wrote:

> > ### Steps to reproduce
> >
> > Start vim, and try `:!ls`.
> >
> > ### Expected behaviour
> >
> > I expect Vim not to crash. But it does. Please revert.
>
> Sorry, I had a fix but it looks like it didn't get committed.
> There is a stray vim_free() somewhere that should be removed or put
> after a condition. Please create a PR if you can. I hope I'll have a
> chance to include it.

It looks like I actually fixed it already, but the "git push" didn't get
through. Did that now, please check. May still need to update the
commit messages and tags, please provide me with the right commands (git
isn't easy to figure out....).

--
ARTHUR: I've said I'm sorry about the old woman, but from the behind you
looked ...
DENNIS: What I object to is that you automatically treat me like an inferior...
ARTHUR: Well ... I AM king.
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\

Bram Moolenaar

Nov 25, 2022, 12:54:39 PM
to vim/vim, Subscribed

Closed #11424 as completed.


Bram Moolenaar

Nov 25, 2022, 12:54:40 PM
to vim/vim, Subscribed

This was already fixed.
