[vim/vim] bt_quickfix() is slow (Issue #19169)


zeertzjq
3:44 AM (19 hours ago)
to vim/vim
zeertzjq created an issue (vim/vim#19169)

Steps to reproduce

  1. Run vim --clean
  2. Source the following file:

       file Xfoo
       setlocal bufhidden=hide
       for i in range(1000)
         exe $'badd X{i}'
       endfor

       let start = localtime()
       for i in range(10000)
         enew | clearjumps | bwipe
       endfor
       echomsg localtime() - start

  3. Running :enew | clearjumps | bwipe 10000 times takes very long (22 seconds for me locally) as the :bwipe command is O(N^2) when there are many unloaded buffers.

Expected behaviour

:bwipe should be O(N). Without the change to bt_quickfix() from patch 9.0.1859, running :enew | clearjumps | bwipe 10000 times only takes about 1 second.

To solve this, presumably the buf_valid() call needs to be removed from bt_quickfix() and moved to some function that was called less frequently, as other bt_ functions don't call buf_valid() either. However, I can't reproduce the heap-use-after-free even if I check out 9.0.1859 and remove the bt_quickfix() change.

Version of Vim

9.1.2081

Environment

Operating system: Arch Linux
Terminal: kitty 0.45.0
Value of $TERM: xterm-kitty
Shell: fish 4.3.3

Logs and stack traces


Reply to this email directly, view it on GitHub.
You are receiving this because you are subscribed to this thread. Message ID: <vim/vim/issues/19169@github.com>
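The quadratic cost described in the report, modelled as an added example (this is not Vim's code): buf_valid() is written here, as in Vim, as a walk over the buffer list, and count_work() applies the predicate once per buffer and counts the list nodes touched, with and without the validity check that patch 9.0.1859 put into bt_quickfix(). The buf_T struct, the nodes_visited counter and the with_check switch are constructed stand-ins.

```c
/* Added example (not Vim's code): models how a list-walking validity check
 * inside a per-buffer predicate makes one pass over the buffer list quadratic.
 * buf_T, buf_valid() and bt_quickfix*() are simplified stand-ins. */
#include <stdlib.h>

typedef struct buf_S {
    struct buf_S *b_next;
    int b_is_quickfix;                  /* stand-in for 'buftype' == "quickfix" */
} buf_T;

static buf_T *firstbuf = NULL;
static unsigned long nodes_visited = 0; /* work counter for the demo */

/* Like Vim's buf_valid(): walk the list to prove the pointer is still in it. */
static int buf_valid(const buf_T *buf) {
    for (const buf_T *bp = firstbuf; bp != NULL; bp = bp->b_next) {
        nodes_visited++;
        if (bp == buf) return 1;
    }
    return 0;
}

/* 9.0.1859 shape: validity check inside the predicate, linear per call. */
static int bt_quickfix_checked(const buf_T *buf) {
    return buf != NULL && buf_valid(buf) && buf->b_is_quickfix;
}

/* Shape of the other bt_ functions: trust the caller's pointer, O(1). */
static int bt_quickfix_plain(const buf_T *buf) {
    return buf != NULL && buf->b_is_quickfix;
}

/* Build n buffers, apply the predicate to each once, free them, and return
 * the list nodes touched: n + n(n+1)/2 with the check, n without. */
unsigned long count_work(int n, int with_check) {
    for (int i = 0; i < n; i++) {       /* constructed buffer list */
        buf_T *b = calloc(1, sizeof *b);
        b->b_is_quickfix = (i % 7 == 0);
        b->b_next = firstbuf; firstbuf = b;
    }
    nodes_visited = 0;
    for (const buf_T *bp = firstbuf; bp != NULL; bp = bp->b_next) {
        nodes_visited++;
        (void)(with_check ? bt_quickfix_checked(bp) : bt_quickfix_plain(bp));
    }
    for (buf_T *b = firstbuf, *nx; b != NULL; b = nx) { nx = b->b_next; free(b); }
    firstbuf = NULL;
    return nodes_visited;
}
```

With 1000 buffers the checked variant touches 501500 nodes against 1000 for the plain one, which is the O(N^2) against O(N) difference the report describes.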

Christian Brabandt
2:36 PM (8 hours ago)
to vim/vim
chrisbra left a comment (vim/vim#19169)

I can only reproduce it when run interactively. The test itself does not trigger an asan dump, possibly because it does not go through win_line().

  =================================================================
  ==491592==ERROR: AddressSanitizer: heap-use-after-free on address 0x525000015c38 at pc 0xaaaab42f0480 bp 0xfffffa28b9b0 sp 0xfffffa28b9c8
  READ of size 8 at 0x525000015c38 thread T0
      #0 0xaaaab42f047c in bt_quickfix /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:5780
      #1 0xaaaab431bbac in win_line /mnt/home/chrisbra/code/vim-upstream/src/drawline.c:1459
      #2 0xaaaab4324508 in win_update /mnt/home/chrisbra/code/vim-upstream/src/drawscreen.c:2506
      #3 0xaaaab4326264 in update_screen /mnt/home/chrisbra/code/vim-upstream/src/drawscreen.c:324
      #4 0xaaaab457d9cc in main_loop /mnt/home/chrisbra/code/vim-upstream/src/main.c:1450
      #5 0xaaaab457e7ec in vim_main2 /mnt/home/chrisbra/code/vim-upstream/src/main.c:895
      #6 0xaaaab42a9844 in main /mnt/home/chrisbra/code/vim-upstream/src/main.c:441
      #7 0xffffbd112298  (/lib/aarch64-linux-gnu/libc.so.6+0x22298) (BuildId: b32c35038e644c70c27979cb0b90182f43f6794b)
      #8 0xffffbd112378 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22378) (BuildId: b32c35038e644c70c27979cb0b90182f43f6794b)
      #9 0xaaaab42aabec in _start (/mnt/home/chrisbra/code/vim-upstream/src/vim+0xfabec) (BuildId: 4bbfd5b8b5a631ddd08f44092eaa271616a5341c)

  0x525000015c38 is located 6968 bytes inside of 9424-byte region [0x525000014100,0x5250000165d0)
  freed by thread T0 here:
      #0 0xffffbef192b4 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
      #1 0xaaaab42bd2c8 in free_buffer /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:993
      #2 0xaaaab42bb288 in close_buffer /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:778
      #3 0xaaaab42f2bf0 in wipe_buffer /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:6060
      #4 0xaaaab42f2a18 in buf_contents_changed /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:6039
      #5 0xaaaab438658c in buf_check_timestamp /mnt/home/chrisbra/code/vim-upstream/src/fileio.c:4207
      #6 0xaaaab435af30 in do_ecmd /mnt/home/chrisbra/code/vim-upstream/src/ex_cmds.c:2755
      #7 0xaaaab43709a4 in do_exedit /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:7235
      #8 0xaaaab436f390 in do_one_cmd /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:2582
      #9 0xaaaab436f390 in do_cmdline /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:994
      #10 0xaaaab4479184 in do_source_ext /mnt/home/chrisbra/code/vim-upstream/src/scriptfile.c:1762
      #11 0xaaaab447a180 in do_source /mnt/home/chrisbra/code/vim-upstream/src/scriptfile.c:1908
      #12 0xaaaab447a180 in cmd_source /mnt/home/chrisbra/code/vim-upstream/src/scriptfile.c:1253
      #13 0xaaaab436f390 in do_one_cmd /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:2582
      #14 0xaaaab436f390 in do_cmdline /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:994
      #15 0xaaaab43f8c70 in nv_colon /mnt/home/chrisbra/code/vim-upstream/src/normal.c:3204
      #16 0xaaaab43fe464 in normal_cmd /mnt/home/chrisbra/code/vim-upstream/src/normal.c:947
      #17 0xaaaab457d77c in main_loop /mnt/home/chrisbra/code/vim-upstream/src/main.c:1562
      #18 0xaaaab457e7ec in vim_main2 /mnt/home/chrisbra/code/vim-upstream/src/main.c:895
      #19 0xaaaab42a9844 in main /mnt/home/chrisbra/code/vim-upstream/src/main.c:441
      #20 0xffffbd112298  (/lib/aarch64-linux-gnu/libc.so.6+0x22298) (BuildId: b32c35038e644c70c27979cb0b90182f43f6794b)
      #21 0xffffbd112378 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22378) (BuildId: b32c35038e644c70c27979cb0b90182f43f6794b)
      #22 0xaaaab42aabec in _start (/mnt/home/chrisbra/code/vim-upstream/src/vim+0xfabec) (BuildId: 4bbfd5b8b5a631ddd08f44092eaa271616a5341c)

  previously allocated by thread T0 here:
      #0 0xffffbef19e4c in calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
      #1 0xaaaab42aaf3c in lalloc /mnt/home/chrisbra/code/vim-upstream/src/alloc.c:246
      #2 0xaaaab42aaf3c in alloc_clear /mnt/home/chrisbra/code/vim-upstream/src/alloc.c:177
      #3 0xaaaab42c634c in buflist_new /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:2161
      #4 0xaaaab42f25a0 in buf_contents_changed /mnt/home/chrisbra/code/vim-upstream/src/buffer.c:5996
      #5 0xaaaab438658c in buf_check_timestamp /mnt/home/chrisbra/code/vim-upstream/src/fileio.c:4207
      #6 0xaaaab435af30 in do_ecmd /mnt/home/chrisbra/code/vim-upstream/src/ex_cmds.c:2755
      #7 0xaaaab43709a4 in do_exedit /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:7235
      #8 0xaaaab436f390 in do_one_cmd /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:2582
      #9 0xaaaab436f390 in do_cmdline /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:994
      #10 0xaaaab4479184 in do_source_ext /mnt/home/chrisbra/code/vim-upstream/src/scriptfile.c:1762
      #11 0xaaaab447a180 in do_source /mnt/home/chrisbra/code/vim-upstream/src/scriptfile.c:1908
      #12 0xaaaab447a180 in cmd_source /mnt/home/chrisbra/code/vim-upstream/src/scriptfile.c:1253
      #13 0xaaaab436f390 in do_one_cmd /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:2582
      #14 0xaaaab436f390 in do_cmdline /mnt/home/chrisbra/code/vim-upstream/src/ex_docmd.c:994
      #15 0xaaaab43f8c70 in nv_colon /mnt/home/chrisbra/code/vim-upstream/src/normal.c:3204
      #16 0xaaaab43fe464 in normal_cmd /mnt/home/chrisbra/code/vim-upstream/src/normal.c:947
      #17 0xaaaab457d77c in main_loop /mnt/home/chrisbra/code/vim-upstream/src/main.c:1562
      #18 0xaaaab457e7ec in vim_main2 /mnt/home/chrisbra/code/vim-upstream/src/main.c:895
      #19 0xaaaab42a9844 in main /mnt/home/chrisbra/code/vim-upstream/src/main.c:441
      #20 0xffffbd112298  (/lib/aarch64-linux-gnu/libc.so.6+0x22298) (BuildId: b32c35038e644c70c27979cb0b90182f43f6794b)
      #21 0xffffbd112378 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x22378) (BuildId: b32c35038e644c70c27979cb0b90182f43f6794b)
      #22 0xaaaab42aabec in _start (/mnt/home/chrisbra/code/vim-upstream/src/vim+0xfabec) (BuildId: 4bbfd5b8b5a631ddd08f44092eaa271616a5341c)


zeertzjq
5:56 PM (5 hours ago)
to vim/vim
zeertzjq left a comment (vim/vim#19169)

Hmm, I can reproduce this at v9.0.1859 when sourcing bt_quickfix1_poc interactively. However, even with the buf_valid() check in bt_quickfix(), another heap-use-after-free just happens in update_screen(), so adding the buf_valid() check in bt_quickfix() didn't actually solve the problem.


zeertzjq
6:50 PM (4 hours ago)
to vim/vim
zeertzjq left a comment (vim/vim#19169)

Hmm, it seems that 9.0.2010 has fixed the problem, so the buf_valid() check can be removed.
