Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fe0e47a755b in kill () at ../sysdeps/unix/syscall-template.S:78
78 ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0 0x00007fe0e47a755b in kill () at ../sysdeps/unix/syscall-template.S:78
#1 0x000055eb15fa5993 in may_core_dump () at os_unix.c:3432
#2 0x000055eb15fa7876 in may_core_dump () at os_unix.c:3383
#3 mch_exit (r=1) at os_unix.c:3398
#4 0x000055eb160bba7c in getout (exitval=1) at main.c:1689
#5 <signal handler called>
#6 hash_lookup (ht=0x55eb18c7d2b0, key=0x55eb18a0b3f0 "cursorword", hash=17320409569227954934) at hashtab.c:147
#7 0x000055eb15f3bdcf in hash_find (ht=ht@entry=0x55eb18c7d2b0, key=<optimized out>) at hashtab.c:478
#8 0x000055eb15ebf7e6 in dict_find (d=d@entry=0x55eb18c7d2a0, key=<optimized out>, len=len@entry=-1) at dict.c:618
#9 0x000055eb15eec35e in f_get (argvars=0x7fffeb826310, rettv=0x7fffeb8268f0) at evalfunc.c:3704
#10 0x000055eb15eee024 in call_internal_func (name=<optimized out>, argcount=<optimized out>, argvars=0x7fffeb826310, rettv=0x7fffeb8268f0) at evalfunc.c:1958
#11 0x000055eb1605bae0 in call_func (funcname=funcname@entry=0x55eb18d23720 "get(b:, 'cursorword', get(g:, 'cursorword', 1)) && !has('vim_starting')", len=len@entry=3, rettv=rettv@entry=0x7fffeb8268f0, argcount_in=argcount_in@entry=3, argvars_in=argvars_in@entry=0x7fffeb826310, funcexe=funcexe@entry=0x7fffeb8264d0) at userfunc.c:2347
#12 0x000055eb1605be39 in get_func_tv (name=name@entry=0x55eb18d23720 "get(b:, 'cursorword', get(g:, 'cursorword', 1)) && !has('vim_starting')", len=3, rettv=rettv@entry=0x7fffeb8268f0, arg=arg@entry=0x7fffeb826870, evalarg=evalarg@entry=0x7fffeb826900, funcexe=funcexe@entry=0x7fffeb8264d0) at userfunc.c:779
#13 0x000055eb15eda416 in eval_func (arg=arg@entry=0x7fffeb826870, evalarg=evalarg@entry=0x7fffeb826900, name=name@entry=0x55eb18c726af "get(b:, 'cursorword', get(g:, 'cursorword', 1)) && !has('vim_starting')", name_len=name_len@entry=3, rettv=rettv@entry=0x7fffeb8268f0, flags=flags@entry=1, basetv=0x0) at eval.c:1956
#14 0x000055eb15edf1fd in eval7 (arg=arg@entry=0x7fffeb826870, rettv=rettv@entry=0x7fffeb8268f0, evalarg=evalarg@entry=0x7fffeb826900, want_string=want_string@entry=0) at eval.c:3351
#15 0x000055eb15edf764 in eval6 (want_string=0, evalarg=0x7fffeb826900, rettv=0x7fffeb8268f0, arg=0x7fffeb826870) at eval.c:2990
#16 eval5 (arg=0x7fffeb826870, rettv=0x7fffeb8268f0, evalarg=0x7fffeb826900) at eval.c:2760
#17 0x000055eb15edfd6c in eval4 (arg=arg@entry=0x7fffeb826870, rettv=rettv@entry=0x7fffeb8268f0, evalarg=evalarg@entry=0x7fffeb826900) at eval.c:2616
#18 0x000055eb15ee040d in eval3 (evalarg=0x7fffeb826900, rettv=0x7fffeb8268f0, arg=0x7fffeb826870) at eval.c:2477
#19 eval2 (evalarg=0x7fffeb826900, rettv=0x7fffeb8268f0, arg=0x7fffeb826870) at eval.c:2351
#20 eval1 (arg=0x7fffeb826870, rettv=0x7fffeb8268f0, evalarg=0x7fffeb826900) at eval.c:2197
#21 0x000055eb15ee14f7 in eval0 (arg=0x55eb18c726af "get(b:, 'cursorword', get(g:, 'cursorword', 1)) && !has('vim_starting')", rettv=rettv@entry=0x7fffeb8268f0, eap=eap@entry=0x7fffeb826b60, evalarg=evalarg@entry=0x7fffeb826900) at eval.c:2141
#22 0x000055eb15ef48b9 in ex_let (eap=0x7fffeb826b60) at evalvars.c:878
#23 0x000055eb15f0bef9 in do_one_cmd (cookie=0x55eb1808dc30, fgetline=0x55eb16058170 <get_func_line>, cstack=0x7fffeb826d10, flags=7, cmdlinep=0x7fffeb826ac0) at ex_docmd.c:2588
#24 do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55eb16058170 <get_func_line>, cookie=cookie@entry=0x55eb1808dc30, flags=flags@entry=7) at ex_docmd.c:1003
#25 0x000055eb1605a03a in call_user_func (fp=fp@entry=0x55eb183a9590, argcount=argcount@entry=0, argvars=argvars@entry=0x7fffeb827a00, rettv=rettv@entry=0x7fffeb827bd0, funcexe=funcexe@entry=0x7fffeb827c00, selfdict=selfdict@entry=0x0) at userfunc.c:1731
#26 0x000055eb1605acea in call_user_func_check (selfdict=<optimized out>, funcexe=0x7fffeb827c00, rettv=0x7fffeb827bd0, argvars=0x7fffeb827a00, argcount=0, fp=0x55eb183a9590) at userfunc.c:1871
#27 call_user_func_check (fp=0x55eb183a9590, argcount=0, argvars=0x7fffeb827a00, rettv=0x7fffeb827bd0, funcexe=0x7fffeb827c00, selfdict=<optimized out>) at userfunc.c:1835
#28 0x000055eb1605b778 in call_func (funcname=funcname@entry=0x55eb18c7c6a0 "cursorword#matchadd", len=len@entry=-1, rettv=rettv@entry=0x7fffeb827bd0, argcount_in=argcount_in@entry=0, argvars_in=argvars_in@entry=0x7fffeb827a00, funcexe=funcexe@entry=0x7fffeb827c00) at userfunc.c:2329
#29 0x000055eb1605be39 in get_func_tv (name=name@entry=0x55eb18c7c6a0 "cursorword#matchadd", len=len@entry=-1, rettv=rettv@entry=0x7fffeb827bd0, arg=arg@entry=0x7fffeb827bc0, evalarg=evalarg@entry=0x7fffeb827c40, funcexe=funcexe@entry=0x7fffeb827c00) at userfunc.c:779
#30 0x000055eb1605f548 in ex_call (eap=0x7fffeb827e50) at userfunc.c:4227
#31 0x000055eb15f0bef9 in do_one_cmd (cookie=0x7fffeb828700, fgetline=0x55eb15e9a4f0 <getnextac>, cstack=0x7fffeb828000, flags=7, cmdlinep=0x7fffeb827db0) at ex_docmd.c:2588
#32 do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55eb15e9a4f0 <getnextac>, cookie=cookie@entry=0x7fffeb828700, flags=flags@entry=7) at ex_docmd.c:1003
#33 0x000055eb15e9ac1e in apply_autocmds_group (event=event@entry=EVENT_WINENTER, fname=0x55eb18e32a10 "", fname@entry=0x0, fname_io=fname_io@entry=0x0, force=<optimized out>, force@entry=0, group=group@entry=-3, buf=0x55eb18c7d460, eap=0x0) at autocmd.c:2111
#34 0x000055eb15e9bce8 in apply_autocmds (event=event@entry=EVENT_WINENTER, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0, buf=<optimized out>) at autocmd.c:1623
#35 0x000055eb16082357 in win_enter_ext (wp=wp@entry=0x55eb18c87410, undo_sync=undo_sync@entry=1, curwin_invalid=curwin_invalid@entry=0, trigger_new_autocmds=trigger_new_autocmds@entry=0, trigger_enter_autocmds=trigger_enter_autocmds@entry=1, trigger_leave_autocmds=trigger_leave_autocmds@entry=1) at window.c:4788
#36 0x000055eb160826e9 in win_enter (undo_sync=1, wp=0x55eb18c87410) at window.c:4677
#37 win_goto (wp=0x55eb18c87410) at window.c:4453
#38 0x000055eb16086acd in do_window (nchar=112, Prenum=<optimized out>, xchar=xchar@entry=0) at window.c:304
#39 0x000055eb15f02e3b in ex_wincmd (eap=0x7fffeb829a70) at ex_docmd.c:7326
#40 0x000055eb15f0bef9 in do_one_cmd (cookie=0x55eb1944f6e0, fgetline=0x55eb16058170 <get_func_line>, cstack=0x7fffeb829c20, flags=7, cmdlinep=0x7fffeb8299d0) at ex_docmd.c:2588
#41 do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55eb16058170 <get_func_line>, cookie=cookie@entry=0x55eb1944f6e0, flags=flags@entry=7) at ex_docmd.c:1003
#42 0x000055eb1605a03a in call_user_func (fp=fp@entry=0x55eb180742f0, argcount=argcount@entry=2, argvars=argvars@entry=0x7fffeb82a910, rettv=rettv@entry=0x7fffeb82aae0, funcexe=funcexe@entry=0x7fffeb82ab10, selfdict=selfdict@entry=0x0) at userfunc.c:1731
#43 0x000055eb1605acea in call_user_func_check (selfdict=<optimized out>, funcexe=0x7fffeb82ab10, rettv=0x7fffeb82aae0, argvars=0x7fffeb82a910, argcount=2, fp=0x55eb180742f0) at userfunc.c:1871
#44 call_user_func_check (fp=0x55eb180742f0, argcount=2, argvars=0x7fffeb82a910, rettv=0x7fffeb82aae0, funcexe=0x7fffeb82ab10, selfdict=<optimized out>) at userfunc.c:1835
#45 0x000055eb1605b778 in call_func (funcname=funcname@entry=0x55eb18f84b00 "SqSetCursorPosAtPvw", len=len@entry=-1, rettv=rettv@entry=0x7fffeb82aae0, argcount_in=argcount_in@entry=2, argvars_in=argvars_in@entry=0x7fffeb82a910, funcexe=funcexe@entry=0x7fffeb82ab10) at userfunc.c:2329
#46 0x000055eb1605be39 in get_func_tv (name=name@entry=0x55eb18f84b00 "SqSetCursorPosAtPvw", len=len@entry=-1, rettv=rettv@entry=0x7fffeb82aae0, arg=arg@entry=0x7fffeb82aad0, evalarg=evalarg@entry=0x7fffeb82ab50, funcexe=funcexe@entry=0x7fffeb82ab10) at userfunc.c:779
#47 0x000055eb1605f548 in ex_call (eap=0x7fffeb82ad60) at userfunc.c:4227
#48 0x000055eb15f0bef9 in do_one_cmd (cookie=0x7fffeb82b610, fgetline=0x55eb15e9a4f0 <getnextac>, cstack=0x7fffeb82af10, flags=7, cmdlinep=0x7fffeb82acc0) at ex_docmd.c:2588
#49 do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55eb15e9a4f0 <getnextac>, cookie=cookie@entry=0x7fffeb82b610, flags=flags@entry=7) at ex_docmd.c:1003
#50 0x000055eb15e9ac1e in apply_autocmds_group (event=event@entry=EVENT_CURSORHOLD, fname=0x55eb18c7c0f0 "/home/shane/Downloads/tidb/infoschema/infoschema_test.go", fname@entry=0x0, fname_io=fname_io@entry=0x0, force=<optimized out>, force@entry=0, group=group@entry=-3, buf=0x55eb186c8f50, eap=0x0) at autocmd.c:2111
#51 0x000055eb15e9bce8 in apply_autocmds (event=event@entry=EVENT_CURSORHOLD, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0, buf=<optimized out>) at autocmd.c:1623
#52 0x000055eb15f829ef in nv_cursorhold (cap=0x7fffeb82b740) at normal.c:7550
#53 0x000055eb15f8bdaa in normal_cmd (oap=0x7fffeb82b800, toplevel=1) at normal.c:1098
#54 0x000055eb160bb57a in main_loop (cmdwin=0, noexmode=0) at main.c:1475
#55 0x000055eb160bc633 in vim_main2 () at main.c:865
#56 0x000055eb15e95475 in main (argc=<optimized out>, argv=<optimized out>) at main.c:3242
(gdb)
VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Dec 15 2020 00:46:02)
Included patches: 1-2143
// shane: seems related to highlight. a bit complex to reproduce, just suddenly crashed.
it is about E315: ml_get: invalid lnum
looks like some bugs were raised, including neovim trying to fix this.
// not sure if #6660 was related, but same e# of E315.
so what exactly did you do to trigger the error? It looks like this statement:
get(b:, 'cursorword', get(g:, 'cursorword', 1))
triggered the error, which seems to come from https://github.com/itchyny/vim-cursorword
Perhaps try an ASAN build.
it is about E315: ml_get: invalid lnum
Where does that come into play? I don't see this in your stack trace. Can you reproduce this E315 error?
I do not believe I can reproduce the original case myself; it just suddenly happened.
after that, it seems related to 'swp' file and/or buf switch ':b #' but when it was a term buf.. not sure..
=================================================================
==6888==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130002277c4 at pc 0x5641dbb45e1a bp 0x7fffab1c5980 sp 0x7fffab1c5970
READ of size 4 at 0x6130002277c4 thread T0
#0 0x5641dbb45e19 (/usr/local/bin/vim+0x6b3e19)
#1 0x5641db6f8cf3 (/usr/local/bin/vim+0x266cf3)
#2 0x5641db6b2b83 (/usr/local/bin/vim+0x220b83)
#3 0x5641db6b10d1 (/usr/local/bin/vim+0x21f0d1)
#4 0x5641db6afcb1 (/usr/local/bin/vim+0x21dcb1)
#5 0x5641db6aefcc (/usr/local/bin/vim+0x21cfcc)
#6 0x5641db6ae40d (/usr/local/bin/vim+0x21c40d)
#7 0x5641db6ad8c4 (/usr/local/bin/vim+0x21b8c4)
#8 0x5641db6ac825 (/usr/local/bin/vim+0x21a825)
#9 0x5641dbb6e0cd (/usr/local/bin/vim+0x6dc0cd)
#10 0x5641db6ab584 (/usr/local/bin/vim+0x219584)
#11 0x5641db6b299d (/usr/local/bin/vim+0x22099d)
#12 0x5641db6b10d1 (/usr/local/bin/vim+0x21f0d1)
#13 0x5641db6afcb1 (/usr/local/bin/vim+0x21dcb1)
#14 0x5641db6aefcc (/usr/local/bin/vim+0x21cfcc)
#15 0x5641db6ae40d (/usr/local/bin/vim+0x21c40d)
#16 0x5641db6ad8c4 (/usr/local/bin/vim+0x21b8c4)
#17 0x5641db6ac825 (/usr/local/bin/vim+0x21a825)
#18 0x5641db6ac392 (/usr/local/bin/vim+0x21a392)
#19 0x5641db6f04b1 (/usr/local/bin/vim+0x25e4b1)
#20 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#21 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#22 0x5641dbb737f0 (/usr/local/bin/vim+0x6e17f0)
#23 0x5641dbb74b95 (/usr/local/bin/vim+0x6e2b95)
#24 0x5641dbb76910 (/usr/local/bin/vim+0x6e4910)
#25 0x5641dbb6e650 (/usr/local/bin/vim+0x6dc650)
#26 0x5641dbb842c3 (/usr/local/bin/vim+0x6f22c3)
#27 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#28 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#29 0x5641db5c959c (/usr/local/bin/vim+0x13759c)
#30 0x5641db5c7e10 (/usr/local/bin/vim+0x135e10)
#31 0x5641dbc04379 (/usr/local/bin/vim+0x772379)
#32 0x5641dbc039f7 (/usr/local/bin/vim+0x7719f7)
#33 0x5641dbc02b6d (/usr/local/bin/vim+0x770b6d)
#34 0x5641dbbeeb03 (/usr/local/bin/vim+0x75cb03)
#35 0x5641db74a26d (/usr/local/bin/vim+0x2b826d)
#36 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#37 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#38 0x5641dbb737f0 (/usr/local/bin/vim+0x6e17f0)
#39 0x5641dbb74b95 (/usr/local/bin/vim+0x6e2b95)
#40 0x5641dbb76910 (/usr/local/bin/vim+0x6e4910)
#41 0x5641dbb6e650 (/usr/local/bin/vim+0x6dc650)
#42 0x5641dbb842c3 (/usr/local/bin/vim+0x6f22c3)
#43 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#44 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#45 0x5641db5c959c (/usr/local/bin/vim+0x13759c)
#46 0x5641db5c7e10 (/usr/local/bin/vim+0x135e10)
#47 0x5641db8eacbb (/usr/local/bin/vim+0x458cbb)
#48 0x5641db8c0f23 (/usr/local/bin/vim+0x42ef23)
#49 0x5641dbcb66b4 (/usr/local/bin/vim+0x8246b4)
#50 0x5641dbcb5308 (/usr/local/bin/vim+0x823308)
#51 0x5641dbcb4995 (/usr/local/bin/vim+0x822995)
#52 0x7f51c188f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#53 0x5641db5b80cd (/usr/local/bin/vim+0x1260cd)
0x6130002277c4 is located 4 bytes inside of 344-byte region [0x6130002277c0,0x613000227918)
freed by thread T0 here:
#0 0x7f51c26367cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x5641db88ddb5 (/usr/local/bin/vim+0x3fbdb5)
#2 0x5641db643aaa (/usr/local/bin/vim+0x1b1aaa)
#3 0x5641db643b19 (/usr/local/bin/vim+0x1b1b19)
#4 0x5641db643b96 (/usr/local/bin/vim+0x1b1b96)
#5 0x5641db6fa572 (/usr/local/bin/vim+0x268572)
#6 0x5641db5d27d8 (/usr/local/bin/vim+0x1407d8)
#7 0x5641db5d1a96 (/usr/local/bin/vim+0x13fa96)
#8 0x5641db5d6520 (/usr/local/bin/vim+0x144520)
#9 0x5641db5d5e50 (/usr/local/bin/vim+0x143e50)
#10 0x5641db5d3058 (/usr/local/bin/vim+0x141058)
#11 0x5641db73f968 (/usr/local/bin/vim+0x2ad968)
#12 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#13 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#14 0x5641db6bf733 (/usr/local/bin/vim+0x22d733)
#15 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#16 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#17 0x5641dbb737f0 (/usr/local/bin/vim+0x6e17f0)
#18 0x5641dbb74b95 (/usr/local/bin/vim+0x6e2b95)
#19 0x5641dbb76910 (/usr/local/bin/vim+0x6e4910)
#20 0x5641dbb6e650 (/usr/local/bin/vim+0x6dc650)
#21 0x5641dbb842c3 (/usr/local/bin/vim+0x6f22c3)
#22 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#23 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#24 0x5641db5c959c (/usr/local/bin/vim+0x13759c)
#25 0x5641db5c7e10 (/usr/local/bin/vim+0x135e10)
#26 0x5641db8eacbb (/usr/local/bin/vim+0x458cbb)
#27 0x5641db8c0f23 (/usr/local/bin/vim+0x42ef23)
#28 0x5641dbcb66b4 (/usr/local/bin/vim+0x8246b4)
#29 0x5641dbcb5308 (/usr/local/bin/vim+0x823308)
previously allocated by thread T0 here:
#0 0x7f51c2636bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x5641db88ba5a (/usr/local/bin/vim+0x3f9a5a)
#2 0x5641db88b8e8 (/usr/local/bin/vim+0x3f98e8)
#3 0x5641db6433e9 (/usr/local/bin/vim+0x1b13e9)
#4 0x5641db5d7e5e (/usr/local/bin/vim+0x145e5e)
#5 0x5641db710fca (/usr/local/bin/vim+0x27efca)
#6 0x5641db746a44 (/usr/local/bin/vim+0x2b4a44)
#7 0x5641db74471a (/usr/local/bin/vim+0x2b271a)
#8 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#9 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#10 0x5641db6bf733 (/usr/local/bin/vim+0x22d733)
#11 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#12 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#13 0x5641dbb737f0 (/usr/local/bin/vim+0x6e17f0)
#14 0x5641dbb74b95 (/usr/local/bin/vim+0x6e2b95)
#15 0x5641dbb76910 (/usr/local/bin/vim+0x6e4910)
#16 0x5641dbb6e650 (/usr/local/bin/vim+0x6dc650)
#17 0x5641dbb842c3 (/usr/local/bin/vim+0x6f22c3)
#18 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#19 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#20 0x5641dbb737f0 (/usr/local/bin/vim+0x6e17f0)
#21 0x5641dbb74b95 (/usr/local/bin/vim+0x6e2b95)
#22 0x5641dbb76910 (/usr/local/bin/vim+0x6e4910)
#23 0x5641dbb6e650 (/usr/local/bin/vim+0x6dc650)
#24 0x5641dbb842c3 (/usr/local/bin/vim+0x6f22c3)
#25 0x5641db72ef14 (/usr/local/bin/vim+0x29cf14)
#26 0x5641db725fc9 (/usr/local/bin/vim+0x293fc9)
#27 0x5641dbb737f0 (/usr/local/bin/vim+0x6e17f0)
#28 0x5641dbb74b95 (/usr/local/bin/vim+0x6e2b95)
#29 0x5641dbb76910 (/usr/local/bin/vim+0x6e4910)
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/bin/vim+0x6b3e19)
==6888==ABORTING
Vim: Warning: Output is not to a terminal
=================================================================
==9242==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x7f2790902bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55a3bcdeca5a (/usr/local/bin/vim+0x3f9a5a)
#2 0x55a3bcdec843 (/usr/local/bin/vim+0x3f9843)
#3 0x55a3bd0ab172 (/usr/local/bin/vim+0x6b8172)
#4 0x55a3bcc131c6 (/usr/local/bin/vim+0x2201c6)
#5 0x55a3bcc120d1 (/usr/local/bin/vim+0x21f0d1)
#6 0x55a3bcc10cb1 (/usr/local/bin/vim+0x21dcb1)
#7 0x55a3bcc0ffcc (/usr/local/bin/vim+0x21cfcc)
#8 0x55a3bcc0f40d (/usr/local/bin/vim+0x21c40d)
#9 0x55a3bcc0e8c4 (/usr/local/bin/vim+0x21b8c4)
#10 0x55a3bcc0d825 (/usr/local/bin/vim+0x21a825)
#11 0x55a3bd0d379b (/usr/local/bin/vim+0x6e079b)
#12 0x55a3bd0d5b95 (/usr/local/bin/vim+0x6e2b95)
#13 0x55a3bd0d7910 (/usr/local/bin/vim+0x6e4910)
#14 0x55a3bd0cf650 (/usr/local/bin/vim+0x6dc650)
#15 0x55a3bd0e52c3 (/usr/local/bin/vim+0x6f22c3)
#16 0x55a3bcc8ff14 (/usr/local/bin/vim+0x29cf14)
#17 0x55a3bcc86fc9 (/usr/local/bin/vim+0x293fc9)
#18 0x55a3bd0d47f0 (/usr/local/bin/vim+0x6e17f0)
#19 0x55a3bd0d5b95 (/usr/local/bin/vim+0x6e2b95)
#20 0x55a3bd0d7910 (/usr/local/bin/vim+0x6e4910)
#21 0x55a3bd0cf650 (/usr/local/bin/vim+0x6dc650)
#22 0x55a3bd0e52c3 (/usr/local/bin/vim+0x6f22c3)
#23 0x55a3bcc8ff14 (/usr/local/bin/vim+0x29cf14)
#24 0x55a3bcc86fc9 (/usr/local/bin/vim+0x293fc9)
#25 0x55a3bcb2a59c (/usr/local/bin/vim+0x13759c)
#26 0x55a3bcb28e10 (/usr/local/bin/vim+0x135e10)
#27 0x55a3bce4bcbb (/usr/local/bin/vim+0x458cbb)
#28 0x55a3bce21f23 (/usr/local/bin/vim+0x42ef23)
#29 0x55a3bd2176b4 (/usr/local/bin/vim+0x8246b4)
SUMMARY: AddressSanitizer: 1 byte(s) leaked in 1 allocation(s).
@Shane-XB-Qian wrote:
asan looks did not give useful info.
No, asan detects that there is a heap-use-after-free bug which is useful to know.
However, the stacks that it dumps are missing symbols, so we don't see function
names nor line numbers, making the stacks useless.
Either vim was stripped of symbols (1), or asan does not show symbols (2).
(1) To avoid stripping Vim, uncomment the line STRIP = /bin/true in vim/src/Makefile and rebuild vim.
(2) If you used clang instead of gcc, asan may not show symbols by default.
See https://clang.llvm.org/docs/AddressSanitizer.html#symbolizing-the-reports to show symbols. Alternatively, build with gcc instead of clang (gcc asan will show symbols without any additional settings unlike clang asan).
================================================================
==23529==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 491808 byte(s) in 156 object(s) allocated from:
#0 0x7f45767e1bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f4575e82847 (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x25a847)
Direct leak of 536 byte(s) in 1 object(s) allocated from:
#0 0x7f45767e1bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f4575e81fe2 (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x259fe2)
Direct leak of 96 byte(s) in 3 object(s) allocated from:
#0 0x7f45767e1bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f4575da5829 in PyThread_allocate_lock (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x17d829)
Direct leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x7f45767e1bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x563e3b803a5a (/usr/local/bin/vim+0x3f9a5a)
#2 0x563e3b803843 (/usr/local/bin/vim+0x3f9843)
#3 0x563e3bac2172 (/usr/local/bin/vim+0x6b8172)
#4 0x563e3b62a1c6 (/usr/local/bin/vim+0x2201c6)
#5 0x563e3b6290d1 (/usr/local/bin/vim+0x21f0d1)
#6 0x563e3b627cb1 (/usr/local/bin/vim+0x21dcb1)
#7 0x563e3b626fcc (/usr/local/bin/vim+0x21cfcc)
#8 0x563e3b62640d (/usr/local/bin/vim+0x21c40d)
#9 0x563e3b6258c4 (/usr/local/bin/vim+0x21b8c4)
#10 0x563e3b624825 (/usr/local/bin/vim+0x21a825)
#11 0x563e3baea79b (/usr/local/bin/vim+0x6e079b)
#12 0x563e3baecb95 (/usr/local/bin/vim+0x6e2b95)
#13 0x563e3baee910 (/usr/local/bin/vim+0x6e4910)
#14 0x563e3bae6650 (/usr/local/bin/vim+0x6dc650)
#15 0x563e3bafc2c3 (/usr/local/bin/vim+0x6f22c3)
#16 0x563e3b6a6f14 (/usr/local/bin/vim+0x29cf14)
#17 0x563e3b69dfc9 (/usr/local/bin/vim+0x293fc9)
#18 0x563e3baeb7f0 (/usr/local/bin/vim+0x6e17f0)
#19 0x563e3baecb95 (/usr/local/bin/vim+0x6e2b95)
#20 0x563e3baee910 (/usr/local/bin/vim+0x6e4910)
#21 0x563e3bae6650 (/usr/local/bin/vim+0x6dc650)
#22 0x563e3bafc2c3 (/usr/local/bin/vim+0x6f22c3)
#23 0x563e3b6a6f14 (/usr/local/bin/vim+0x29cf14)
#24 0x563e3b69dfc9 (/usr/local/bin/vim+0x293fc9)
#25 0x563e3b54159c (/usr/local/bin/vim+0x13759c)
#26 0x563e3b53fe10 (/usr/local/bin/vim+0x135e10)
#27 0x563e3b862cbb (/usr/local/bin/vim+0x458cbb)
#28 0x563e3b838f23 (/usr/local/bin/vim+0x42ef23)
#29 0x563e3bc2e6b4 (/usr/local/bin/vim+0x8246b4)
Indirect leak of 75619 byte(s) in 79 object(s) allocated from:
#0 0x7f45767e1bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f4575e82847 (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x25a847)
SUMMARY: AddressSanitizer: 568060 byte(s) leaked in 240 allocation(s).
=================================================================
==39207==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130001abe44 at pc 0x5578e49ece1a bp 0x7ffe9bcab570 sp 0x7ffe9bcab560
READ of size 4 at 0x6130001abe44 thread T0
#0 0x5578e49ece19 in copy_tv /home/shane/foo/vim/src/typval.c:634
#1 0x5578e459fcf3 in eval_variable /home/shane/foo/vim/src/evalvars.c:2572
#2 0x5578e4559b83 in eval7 /home/shane/foo/vim/src/eval.c:3372
#3 0x5578e45580d1 in eval6 /home/shane/foo/vim/src/eval.c:2990
#4 0x5578e4556cb1 in eval5 /home/shane/foo/vim/src/eval.c:2760
#5 0x5578e4555fcc in eval4 /home/shane/foo/vim/src/eval.c:2616
#6 0x5578e455540d in eval3 /home/shane/foo/vim/src/eval.c:2477
#7 0x5578e45548c4 in eval2 /home/shane/foo/vim/src/eval.c:2351
#8 0x5578e4553825 in eval1 /home/shane/foo/vim/src/eval.c:2197
#9 0x5578e4a150cd in get_func_tv /home/shane/foo/vim/src/userfunc.c:729
#10 0x5578e4552584 in eval_func /home/shane/foo/vim/src/eval.c:1956
#11 0x5578e455999d in eval7 /home/shane/foo/vim/src/eval.c:3351
#12 0x5578e45580d1 in eval6 /home/shane/foo/vim/src/eval.c:2990
#13 0x5578e4556cb1 in eval5 /home/shane/foo/vim/src/eval.c:2760
#14 0x5578e4555fcc in eval4 /home/shane/foo/vim/src/eval.c:2616
#15 0x5578e455540d in eval3 /home/shane/foo/vim/src/eval.c:2477
#16 0x5578e45548c4 in eval2 /home/shane/foo/vim/src/eval.c:2351
#17 0x5578e4553825 in eval1 /home/shane/foo/vim/src/eval.c:2197
#18 0x5578e4553392 in eval0 /home/shane/foo/vim/src/eval.c:2141
#19 0x5578e45974b1 in ex_let /home/shane/foo/vim/src/evalvars.c:878
#20 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#21 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#22 0x5578e4a1a7f0 in call_user_func /home/shane/foo/vim/src/userfunc.c:1731
#23 0x5578e4a1bb95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#24 0x5578e4a1d910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
#25 0x5578e4a15650 in get_func_tv /home/shane/foo/vim/src/userfunc.c:779
#26 0x5578e4a2b2c3 in ex_call /home/shane/foo/vim/src/userfunc.c:4227
#27 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#28 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#29 0x5578e447059c in apply_autocmds_group /home/shane/foo/vim/src/autocmd.c:2111
#30 0x5578e446ee10 in apply_autocmds /home/shane/foo/vim/src/autocmd.c:1623
#31 0x5578e4aab379 in win_enter_ext /home/shane/foo/vim/src/window.c:4788
#32 0x5578e4aaa9f7 in win_enter /home/shane/foo/vim/src/window.c:4677
#33 0x5578e4aa9b6d in win_goto /home/shane/foo/vim/src/window.c:4453
#34 0x5578e4a95b03 in do_window /home/shane/foo/vim/src/window.c:385
#35 0x5578e45f126d in ex_wincmd /home/shane/foo/vim/src/ex_docmd.c:7326
#36 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#37 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#38 0x5578e4a1a7f0 in call_user_func /home/shane/foo/vim/src/userfunc.c:1731
#39 0x5578e4a1bb95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#40 0x5578e4a1d910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
#41 0x5578e4a15650 in get_func_tv /home/shane/foo/vim/src/userfunc.c:779
#42 0x5578e4a2b2c3 in ex_call /home/shane/foo/vim/src/userfunc.c:4227
#43 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#44 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#45 0x5578e447059c in apply_autocmds_group /home/shane/foo/vim/src/autocmd.c:2111
#46 0x5578e446ee10 in apply_autocmds /home/shane/foo/vim/src/autocmd.c:1623
#47 0x5578e4791cbb in nv_cursorhold /home/shane/foo/vim/src/normal.c:7550
#48 0x5578e4767f23 in normal_cmd /home/shane/foo/vim/src/normal.c:1098
#49 0x5578e4b5d6b4 in main_loop /home/shane/foo/vim/src/main.c:1475
#50 0x5578e4b5c308 in vim_main2 /home/shane/foo/vim/src/main.c:865
#51 0x5578e4b5b995 in main /home/shane/foo/vim/src/main.c:412
#52 0x7f2cec3ca0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#53 0x5578e445f0cd in _start (/usr/local/bin/vim+0x1260cd)
0x6130001abe44 /home/shane/foo/vim/src/misc2.c:1807
foo/ #2 0x5578eb19 #4 0x5578e44eab96foo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/fffffffffffffffffffffffff #5 0x557foo/e45a1572 #6 0x5578e44797d8 #7 0x5578e4478a96 #8 0x5578e447d520 #9 0x5578e447ce50 #10 0x5578e447a058 #11 0x5578e45e6968 #12 0x5578e45d5f14 #13 0x5578e45ccfc9 #14 0x5578e4566733 #15 0x5578e45d5f14 #16 0x5578e45ccfc9 #17 0x5578e4a1a7f0 #18 0x5578e4a1bb95 #19 0x5578e4a1d910 #20 0x5578e4a15650 #21 0x5578e4a2b2c3 #22 0x5578e45d5f14 #23 0x5578e45ccfc9 #24 0x5578e447059c #25 0x5578e446ee10 #26 0x5578e4791cbb #27 0x5578e4767f23 #28 0x5578e4b5d6b4 #29 0x5578e4b5c308
previously allocated by thread T0 here:
#0 0x7f2ced171bc8 #2 0x5578e473foo/28e8 #3 0x5578e44ea3e9 #4 0x5578e447ee5e #5 0x5578e45b7fca #6 045eo//o//o//o//o//o//dffffffa44 #7 0x5578e45eb71a #8 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
foo/ #9 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#10 0x5578e4566733 in ex_execute /home/shane/foo/vim/src/eval.c:5942
#11 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#12 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#13 0x5578e4a1a7f0 in call_user_func /home/shane/foo/vim/src/userfunc.c:1731
#14 0x5578e4a1bb95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#15 0x5578e4a1d910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
#16 0x5578e4a15650 in get_func_tv /home/shane/foo/vim/src/userfunc.c:779
#17 0x5578e4a2b2c3 in ex_call /home/shane/foo/vim/src/userfunc.c:4227
#18 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#19 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#20 0x5578e4a1a7f0 in call_user_func /home/shane/foo/vim/src/userfunc.c:1731
#21 0x5578e4a1bb95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#22 0x5578e4a1d910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
#23 0x5578e4a15650 in get_func_tv /home/shane/foo/vim/src/userfunc.c:779
#24 0x5578e4a2b2c3 in ex_call /home/shane/foo/vim/src/userfunc.c:4227
#25 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#26 0x5578e45ccfc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#27 0x5578e4a1a7f0 in call_user_func /home/shane/foo/vim/src/userfunc.c:1731
#28 0x5578e4a1bb95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#29 0x5578e4a1d910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
SUMMARY: AddressSanitizer: heap-use-after-free /home/shane/foo/vim/src/typval.c:634 in copy_tv
==39207==ABORTING
=================================================================
==41357==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 499948 byte(s) in 159 object(s) allocated from:
#0 0x7f2d6cacdbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f2d6c16e847 (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x25a847)
Direct leak of 536 byte(s) in 1 object(s) allocated from:
#0 0x7f2d6cacdbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f2d6c16dfe2 (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x259fe2)
Direct leak of 79 byte(s) in 79 object(s) allocated from:
#0 0x7f2d6cacdbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55599437da5a in lalloc /home/shane/foo/vim/src/misc2.c:925
#2 0x55599437d843 in alloc /home/shane/foo/vim/src/misc2.c:828
#3 0x55599463c172 in eval_string /home/shane/foo/vim/src/typval.c:1304
#4 0x5559941a41c6 in eval7 /home/shane/foo/vim/src/eval.c:3245
#5 0x5559941a30d1 in eval6 /home/shane/foo/vim/src/eval.c:2990
#6 0x5559941a1cb1 in eval5 /home/shane/foo/vim/src/eval.c:2760
#7 0x5559941a0fcc in eval4 /home/shane/foo/vim/src/eval.c:2616
#8 0x5559941a040d in eval3 /home/shane/foo/vim/src/eval.c:2477
#9 0x55599419f8c4 in eval2 /home/shane/foo/vim/src/eval.c:2351
#10 0x55599419e825 in eval1 /home/shane/foo/vim/src/eval.c:2197
#11 0x55599466479b in call_user_func /home/shane/foo/vim/src/userfunc.c:1581
#12 0x555994666b95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#13 0x555994668910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
#14 0x555994660650 in get_func_tv /home/shane/foo/vim/src/userfunc.c:779
#15 0x5559946762c3 in ex_call /home/shane/foo/vim/src/userfunc.c:4227
#16 0x555994220f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#17 0x555994217fc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#18 0x5559946657f0 in call_user_func /home/shane/foo/vim/src/userfunc.c:1731
#19 0x555994666b95 in call_user_func_check /home/shane/foo/vim/src/userfunc.c:1871
#20 0x555994668910 in call_func /home/shane/foo/vim/src/userfunc.c:2329
#21 0x555994660650 in get_func_tv /home/shane/foo/vim/src/userfunc.c:779
#22 0x5559946762c3 in ex_call /home/shane/foo/vim/src/userfunc.c:4227
#23 0x555994220f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
#24 0x555994217fc9 in do_cmdline /home/shane/foo/vim/src/ex_docmd.c:1003
#25 0x5559940bb59c in apply_autocmds_group /home/shane/foo/vim/src/autocmd.c:2111
#26 0x5559940b9e10 in apply_autocmds /home/shane/foo/vim/src/autocmd.c:1623
#27 0x5559943dccbb in nv_cursorhold /home/shane/foo/vim/src/normal.c:7550
#28 0x5559943b2f23 in normal_cmd /home/shane/foo/vim/src/normal.c:1098
#29 0x5559947a86b4 in main_loop /home/shane/foo/vim/src/main.c:1475
Indirect leak of 102353 byte(s) in 103 object(s) allocated from:
#0 0x7f2d6cacdbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x7f2d6c16e847 (/lib/x86_64-linux-gnu/libpython3.8.so.1.0+0x25a847)
SUMMARY: AddressSanitizer: 602916 byte(s) leaked in 342 allocation(s).
Regarding the use-after-free found by asan, the stack is unfortunately corrupted.
I would expect to see the stack where memory is freed, but instead we see something garbled like:
foo/ #2 0x5578eb19 #4 0x5578e44eab96foo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/oo/fffffffffffffffffffffffff #5 0x557foo/e45a1572 #6 0x5578e44797d8 #7 0x5578e4478a96 #8 0x5578e447d520 #9 0x5578e447ce50 #10 0x5578e447a058 #11 0x5578e45e6968 #12 0x5578e45d5f14 #13 0x5578e45ccfc9 #14 0x5578e4566733 #15 0x5578e45d5f14 #16 0x5578e45ccfc9 #17 0x5578e4a1a7f0 #18 0x5578e4a1bb95 #19 0x5578e4a1d910 #20 0x5578e4a15650 #21 0x5578e4a2b2c3 #22 0x5578e45d5f14 #23 0x5578e45ccfc9 #24 0x5578e447059c #25 0x5578e446ee10 #26 0x5578e4791cbb #27 0x5578e4767f23 #28 0x5578e4b5d6b4 #29 0x5578e4b5c308
previously allocated by thread T0 here:
#0 0x7f2ced171bc8 #2 0x5578e473foo/28e8 #3 0x5578e44ea3e9 #4 0x5578e447ee5e #5 0x5578e45b7fca #6 045eo//o//o//o//o//o//dffffffa44 #7 0x5578e45eb71a #8 0x5578e45d5f14 in do_one_cmd /home/shane/foo/vim/src/ex_docmd.c:2588
Did you perhaps redirect both stderr and stdout? Try redirecting stderr only, i.e.:
$ cd vim/src
$ ./vim 2> asan.log
(and reproduce the issue)
If this still does not give a good stack, try using valgrind instead. To use valgrind, you'll need to build vim without asan, as valgrind won't work with asan. You can then run:
$ cd vim/src
$ valgrind --num-callers=50 ./vim 2> valgrind.log
(and reproduce this issue)
I would try, but mostly I cannot reproduce those anymore; those are just the remaining logs.
// Please try to mock/think about whether there are any possibilities to make those happen, or let it be for now.
==51885== Memcheck, a memory error detector
==51885== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==51885== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==51885== Command: ./vim
==51885==
==51885== Invalid read of size 4
==51885== at 0x2F64C1: copy_tv (typval.c:634)
==51885== by 0x19D5E5: eval_variable (evalvars.c:2583)
==51885== by 0x187FD3: eval7 (eval.c:3395)
==51885== by 0x188843: eval6 (eval.c:3013)
==51885== by 0x188843: eval5 (eval.c:2783)
==51885== by 0x188E4B: eval4 (eval.c:2639)
==51885== by 0x1894EC: eval3 (eval.c:2500)
==51885== by 0x1894EC: eval2 (eval.c:2374)
==51885== by 0x1894EC: eval1 (eval.c:2220)
==51885== by 0x3050F0: get_func_tv (userfunc.c:729)
==51885== by 0x1834A5: eval_func (eval.c:1979)
==51885== by 0x1882DC: eval7 (eval.c:3374)
==51885== by 0x188843: eval6 (eval.c:3013)
==51885== by 0x188843: eval5 (eval.c:2783)
==51885== by 0x188E4B: eval4 (eval.c:2639)
==51885== by 0x1894EC: eval3 (eval.c:2500)
==51885== by 0x1894EC: eval2 (eval.c:2374)
==51885== by 0x1894EC: eval1 (eval.c:2220)
==51885== Address 0x6ca55c4 is 4 bytes inside a block of size 344 free'd
==51885== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==51885== by 0x1477A3: free_buffer (buffer.c:903)
==51885== by 0x14E85B: set_curbuf (buffer.c:1744)
==51885== by 0x14EA69: do_buffer (buffer.c:1670)
==51885== by 0x14F222: goto_buffer (buffer.c:1060)
==51885== by 0x1B8B4C: ex_buffer (ex_docmd.c:5045)
==51885== by 0x1B5138: do_one_cmd (ex_docmd.c:2588)
==51885== by 0x1B5138: do_cmdline (ex_docmd.c:1003)
==51885== by 0x18C79B: ex_execute (eval.c:5965)
==51885== by 0x1B5138: do_one_cmd (ex_docmd.c:2588)
==51885== by 0x1B5138: do_cmdline (ex_docmd.c:1003)
==51885== by 0x303519: call_user_func (userfunc.c:1736)
==51885== by 0x30424C: call_user_func_check (userfunc.c:1890)
==51885== by 0x30424C: call_user_func_check (userfunc.c:1856)
==51885== by 0x304CB7: call_func (userfunc.c:2348)
==51885== Block was alloc'd at
==51885== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==51885== by 0x21F539: lalloc (misc2.c:925)
==51885== by 0x21FF22: alloc_clear (misc2.c:852)
==51885== by 0x167DBF: dict_alloc (dict.c:32)
==51885== by 0x1496DA: buflist_new (buffer.c:2057)
==51885== by 0x1A4D5C: do_ecmd (ex_cmds.c:2671)
==51885== by 0x1B8F0A: do_exedit (ex_docmd.c:6643)
==51885== by 0x1B9460: ex_splitview (ex_docmd.c:6292)
==51885== by 0x1B5138: do_one_cmd (ex_docmd.c:2588)
==51885== by 0x1B5138: do_cmdline (ex_docmd.c:1003)
==51885== by 0x18C79B: ex_execute (eval.c:5965)
==51885== by 0x1B5138: do_one_cmd (ex_docmd.c:2588)
==51885== by 0x1B5138: do_cmdline (ex_docmd.c:1003)
==51885== by 0x303519: call_user_func (userfunc.c:1736)
==51885==
==51885== Invalid read of size 8
==51885== at 0x1E4F54: hash_lookup (hashtab.c:144)
==51885== by 0x1687E5: dict_find (dict.c:618)
==51885== by 0x1954BD: f_get (evalfunc.c:3706)
==51885== by 0x197183: call_internal_func (evalfunc.c:1958)
==51885== by 0x30501F: call_func (userfunc.c:2366)
==51885== by 0x305378: get_func_tv (userfunc.c:779)
==51885== by 0x1834A5: eval_func (eval.c:1979)
==51885== by 0x1882DC: eval7 (eval.c:3374)
==51885== by 0x188843: eval6 (eval.c:3013)
==51885== by 0x188843: eval5 (eval.c:2783)
==51885== by 0x188E4B: eval4 (eval.c:2639)
==51885== by 0x1894EC: eval3 (eval.c:2500)
==51885== by 0x1894EC: eval2 (eval.c:2374)
==51885== by 0x1894EC: eval1 (eval.c:2220)
==51885== by 0x18A5D6: eval0 (eval.c:2164)
==51885== Address 0x6ca55d0 is 16 bytes inside a block of size 344 free'd
==51885== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==51885== by 0x1477A3: free_buffer (buffer.c:903)
==51885== by 0x14E85B: set_curbuf (buffer.c:1744)
==51885== by 0x14EA69: do_buffer (buffer.c:1670)
==51885== by 0x14F222: goto_buffer (buffer.c:1060)
........... a lot more ...............................................................................
==51885==
==51885== Process terminating with default action of signal 11 (SIGSEGV)
==51885== Access not within mapped region at address 0x2
==51885== at 0x54C8406: _nl_locale_subfreeres (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
==51885== by 0x54C7346: free_mem (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
==51885== by 0x54C8AC1: __libc_freeres (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
==51885== by 0x48311C6: _vgnU_freeres (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_core-amd64-linux.so)
==51885== If you believe this happened as a result of a stack
==51885== overflow in your program's main thread (unlikely but
==51885== possible), you can try to increase the size of the
==51885== main thread stack using the --main-stacksize= flag.
==51885== The main thread stack size used in this run was 8388608.
==51885==
==51885== HEAP SUMMARY:
==51885== in use at exit: 8,788,033 bytes in 98,975 blocks
==51885== total heap usage: 1,133,203 allocs, 1,034,231 frees, 2,331,678,355 bytes allocated
==51885==
==51885== LEAK SUMMARY:
==51885== definitely lost: 25,283 bytes in 16 blocks
==51885== indirectly lost: 2,749 bytes in 56 blocks
==51885== possibly lost: 3,635,996 bytes in 57,545 blocks
==51885== still reachable: 5,124,005 bytes in 41,358 blocks
==51885== suppressed: 0 bytes in 0 blocks
==51885== Rerun with --leak-check=full to see details of leaked memory
==51885==
==51885== Use --track-origins=yes to see where uninitialised values come from
==51885== For lists of detected and suppressed errors, rerun with: -s
==51885== ERROR SUMMARY: 968 errors from 255 contexts (suppressed: 0 from 0)
(END)
Direct leak of 79 byte(s) in 79 object(s) allocated from:
#0 0x7f2d6cacdbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55599437da5a in lalloc /home/shane/foo/vim/src/misc2.c:925
#2 0x55599437d843 in alloc /home/shane/foo/vim/src/misc2.c:828
#3 0x55599463c172 in eval_string /home/shane/foo/vim/src/typval.c:1304
#4 0x5559941a41c6 in eval7 /home/shane/foo/vim/src/eval.c:3245
#5 0x5559941a30d1 in eval6 /home/shane/foo/vim/src/eval.c:2990
#6 0x5559941a1cb1 in eval5 /home/shane/foo/vim/src/eval.c:2760
#7 0x5559941a0fcc in eval4 /home/shane/foo/vim/src/eval.c:2616
#8 0x5559941a040d in eval3 /home/shane/foo/vim/src/eval.c:2477
Another one (same as previous comments): valgrind cannot capture it, but asan did, by luck... that's all I can get from luck so far.
When attaching stacks with valgrind or asan, please always indicate the version of Vim.
The bug description says vim-8.2.2143, but perhaps you updated since you created this ticket?
Um, yes, v8.2.2187. I tried to verify whether recent changes help with this too... so, no, or at least not those 2.
The stacks are deep and valgrind truncates them. You can get deeper stacks
with the --num-callers=… option. Example:
$ cd vim/src ; valgrind --num-callers=50 ./vim 2> valgrind.log
Instructions for us to attempt to reproduce the bug would also be useful.
The default --num-callers of 12 had already made vim very slow...
I would try, but I have no solid steps to reproduce it; besides, I cannot regularly run vim this way.
v8.2.2251: maybe it has been fixed recently. I have had no luck getting these now.
// Closing... happy last day of 2020. :)
Closed #7471.
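The Memcheck log in this thread pairs each invalid read with the stack that freed the block and, where captured, the stack that allocated it. The following is an added example, not part of the thread or of Vim's code: it parses that report format and groups the invalid accesses by freeing function and block size, so that many errors can be traced to one free site. The sample log is constructed by abridging lines from the thread; `WRAPPERS`, `parse_uaf`, `site` and `group_by_free_site` are hypothetical names, and the wrapper list is an assumption.

```python
import re

# Constructed sample: lines abridged from the Memcheck log quoted in this thread.
SAMPLE_LOG = """\
==51885== Invalid read of size 4
==51885== at 0x2F64C1: copy_tv (typval.c:634)
==51885== Address 0x6ca55c4 is 4 bytes inside a block of size 344 free'd
==51885== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==51885== by 0x1477A3: free_buffer (buffer.c:903)
==51885== Block was alloc'd at
==51885== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==51885== by 0x167DBF: dict_alloc (dict.c:32)
==51885==
==51885== Invalid read of size 8
==51885== at 0x1E4F54: hash_lookup (hashtab.c:144)
==51885== Address 0x6ca55d0 is 16 bytes inside a block of size 344 free'd
==51885== at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==51885== by 0x1477A3: free_buffer (buffer.c:903)
"""

# Assumption: allocator wrappers to skip when naming the responsible function.
WRAPPERS = {"malloc", "free", "lalloc", "alloc", "alloc_clear", "vim_free"}
START = re.compile(r"Invalid (read|write) of size (\d+)")
FREED = re.compile(r"is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)")

def parse_uaf(log):
    """One dict per 'Invalid read/write' that lands inside a freed block."""
    text = re.sub(r"(?m)^==\d+==[ \t]*", "", log)  # drop the ==PID== prefix
    reports = []
    for block in re.split(r"\n\s*\n", text):  # reports are blank-line separated
        start, freed = START.search(block), FREED.search(block)
        if start and freed:
            free_part, _, alloc_part = block[freed.end():].partition("Block was alloc'd at")
            reports.append({
                "op": start[1], "offset": int(freed[1]), "block": int(freed[2]),
                "access": FRAME.findall(block[:freed.start()]),
                "free": FRAME.findall(free_part), "alloc": FRAME.findall(alloc_part)})
    return reports

def site(frames):
    """First frame that is not an allocator wrapper; None if no stack was captured."""
    return next((func for func, _ in frames if func not in WRAPPERS), None)

def group_by_free_site(reports):
    """(freeing function, block size) -> functions that read the freed block."""
    groups = {}
    for r in reports:
        groups.setdefault((site(r["free"]), r["block"]), []).append(site(r["access"]))
    return groups
```

On a full valgrind.log, the same grouping shows how many of the reported errors trace back to each free site.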