Source this script and run `:call g:Warn("test")` using an ASAN build of Vim:

```vim
vim9script

def g:Warn(msg: string)
  if has('patch-9.0.0321')
    echow msg
  else
    timer_start(100, (_) => {
      echohl WarningMsg | echom msg | echohl None
    }, { repeat: 0 })
  endif
enddef
```

I got this code from vim-fuzzbox, which is where I originally experienced this issue.
Don't crash
9.2.447
This happens on the latest version of Vim. I tried bisecting to find what commit caused this, but it seems to be present since 9.2.0000.
ASAN log:
=================================================================
==93146==ERROR: AddressSanitizer: heap-use-after-free on address 0x7be1b2046299 at pc 0x561d8c4b4021 bp 0x7ffe044c2360 sp 0x7ffe044c2350
READ of size 1 at 0x7be1b2046299 thread T0
#0 0x561d8c4b4020 in skipwhite /srv/git/vim/src/charset.c:1920
#1 0x561d8c1f3a88 in compile_eval /srv/git/vim/src/vim9cmds.c:2025
#2 0x561d8c22e6ea in compile_def_function_body /srv/git/vim/src/vim9compile.c:4676
#3 0x561d8c232273 in compile_def_function /srv/git/vim/src/vim9compile.c:5083
#4 0x561d8c2954f2 in call_def_function /srv/git/vim/src/vim9execute.c:6657
#5 0x561d8c184b4a in call_user_func /srv/git/vim/src/userfunc.c:3055
#6 0x561d8c18ac9e in call_user_func_check /srv/git/vim/src/userfunc.c:3492
#7 0x561d8c18ff54 in call_func /srv/git/vim/src/userfunc.c:4165
#8 0x561d8c17c725 in get_func_tv /srv/git/vim/src/userfunc.c:2190
#9 0x561d8c1a6b9f in ex_call_inner /srv/git/vim/src/userfunc.c:6525
#10 0x561d8c1a9d4c in ex_call /srv/git/vim/src/userfunc.c:6883
#11 0x561d8b823e45 in do_one_cmd /srv/git/vim/src/ex_docmd.c:2629
#12 0x561d8b816c77 in do_cmdline /srv/git/vim/src/ex_docmd.c:1041
#13 0x561d8bb86f76 in nv_colon /srv/git/vim/src/normal.c:3187
#14 0x561d8bb71093 in normal_cmd /srv/git/vim/src/normal.c:955
#15 0x561d8c4cb2b2 in main_loop /srv/git/vim/src/main.c:1639
#16 0x561d8c4c97b8 in vim_main2 /srv/git/vim/src/main.c:977
#17 0x561d8c4c8bb0 in main /srv/git/vim/src/main.c:453
#18 0x7fb1b3227740 (/usr/lib/libc.so.6+0x27740) (BuildId: 020d6f7c33b2413f4fe10814c4729dce1387f049)
#19 0x7fb1b3227878 in __libc_start_main (/usr/lib/libc.so.6+0x27878) (BuildId: 020d6f7c33b2413f4fe10814c4729dce1387f049)
#20 0x561d8b4eb7c4 in _start (/srv/git/vim/src/vim+0x196b7c4) (BuildId: 5de53ab25e2baf96a1104ba9311e6878eedce76a)
0x7be1b2046299 is located 25 bytes inside of 26-byte region [0x7be1b2046280,0x7be1b204629a)
freed by thread T0 here:
#0 0x7fb1b3f2af31 (/usr/lib/libasan.so.8+0x12af31) (BuildId: ee5fbab73143ab257a66a33afe0f038a4af7a74e)
#1 0x561d8b4ebfa4 in vim_free /srv/git/vim/src/alloc.c:618
#2 0x561d8b4ec1e9 in ga_clear_strings /srv/git/vim/src/alloc.c:646
#3 0x561d8b702217 in clear_evalarg /srv/git/vim/src/eval.c:507
#4 0x561d8c2c2c3f in skip_expr_cctx /srv/git/vim/src/vim9expr.c:2351
#5 0x561d8c2d3b0c in compile_expr1 /srv/git/vim/src/vim9expr.c:3888
#6 0x561d8c2d5e64 in compile_expr0_ext /srv/git/vim/src/vim9expr.c:4056
#7 0x561d8c2d6096 in compile_expr0 /srv/git/vim/src/vim9expr.c:4074
#8 0x561d8c1f38bf in compile_eval /srv/git/vim/src/vim9cmds.c:2013
#9 0x561d8c22e6ea in compile_def_function_body /srv/git/vim/src/vim9compile.c:4676
#10 0x561d8c232273 in compile_def_function /srv/git/vim/src/vim9compile.c:5083
#11 0x561d8c2954f2 in call_def_function /srv/git/vim/src/vim9execute.c:6657
#12 0x561d8c184b4a in call_user_func /srv/git/vim/src/userfunc.c:3055
#13 0x561d8c18ac9e in call_user_func_check /srv/git/vim/src/userfunc.c:3492
#14 0x561d8c18ff54 in call_func /srv/git/vim/src/userfunc.c:4165
#15 0x561d8c17c725 in get_func_tv /srv/git/vim/src/userfunc.c:2190
#16 0x561d8c1a6b9f in ex_call_inner /srv/git/vim/src/userfunc.c:6525
#17 0x561d8c1a9d4c in ex_call /srv/git/vim/src/userfunc.c:6883
#18 0x561d8b823e45 in do_one_cmd /srv/git/vim/src/ex_docmd.c:2629
#19 0x561d8b816c77 in do_cmdline /srv/git/vim/src/ex_docmd.c:1041
#20 0x561d8bb86f76 in nv_colon /srv/git/vim/src/normal.c:3187
#21 0x561d8bb71093 in normal_cmd /srv/git/vim/src/normal.c:955
#22 0x561d8c4cb2b2 in main_loop /srv/git/vim/src/main.c:1639
#23 0x561d8c4c97b8 in vim_main2 /srv/git/vim/src/main.c:977
#24 0x561d8c4c8bb0 in main /srv/git/vim/src/main.c:453
#25 0x7fb1b3227740 (/usr/lib/libc.so.6+0x27740) (BuildId: 020d6f7c33b2413f4fe10814c4729dce1387f049)
#26 0x7fb1b3227878 in __libc_start_main (/usr/lib/libc.so.6+0x27878) (BuildId: 020d6f7c33b2413f4fe10814c4729dce1387f049)
#27 0x561d8b4eb7c4 in _start (/srv/git/vim/src/vim+0x196b7c4) (BuildId: 5de53ab25e2baf96a1104ba9311e6878eedce76a)
previously allocated by thread T0 here:
#0 0x7fb1b3f2c161 in malloc (/usr/lib/libasan.so.8+0x12c161) (BuildId: ee5fbab73143ab257a66a33afe0f038a4af7a74e)
#1 0x561d8b4ebc70 in lalloc /srv/git/vim/src/alloc.c:246
#2 0x561d8b4eba46 in alloc /srv/git/vim/src/alloc.c:151
#3 0x561d8bf9c35f in vim_strsave /srv/git/vim/src/strings.c:27
#4 0x561d8c205cbc in exarg_getline /srv/git/vim/src/vim9compile.c:972
#5 0x561d8c1646f9 in get_function_line /srv/git/vim/src/userfunc.c:206
#6 0x561d8c16ceeb in get_function_body /srv/git/vim/src/userfunc.c:1044
#7 0x561d8c1747cb in lambda_function_body /srv/git/vim/src/userfunc.c:1503
#8 0x561d8c17810a in get_lambda_tv /srv/git/vim/src/userfunc.c:1764
#9 0x561d8b72d75c in eval9_nested_expr /srv/git/vim/src/eval.c:5085
#10 0x561d8b72f5c2 in eval9 /srv/git/vim/src/eval.c:5381
#11 0x561d8b72b6eb in eval8 /srv/git/vim/src/eval.c:4857
#12 0x561d8b72a391 in eval7 /srv/git/vim/src/eval.c:4755
#13 0x561d8b7283a6 in eval6 /srv/git/vim/src/eval.c:4505
#14 0x561d8b7268ba in eval5 /srv/git/vim/src/eval.c:4295
#15 0x561d8b724260 in eval4 /srv/git/vim/src/eval.c:4070
#16 0x561d8b7230d6 in eval3 /srv/git/vim/src/eval.c:3931
#17 0x561d8b721fc2 in eval2 /srv/git/vim/src/eval.c:3805
#18 0x561d8b72045d in eval1 /srv/git/vim/src/eval.c:3643
#19 0x561d8c17b774 in get_func_arguments /srv/git/vim/src/userfunc.c:2100
#20 0x561d8c17c429 in get_func_tv /srv/git/vim/src/userfunc.c:2169
#21 0x561d8b71e066 in eval_func /srv/git/vim/src/eval.c:3270
#22 0x561d8b72e53f in eval9_var_func_name /srv/git/vim/src/eval.c:5179
#23 0x561d8b72f60d in eval9 /srv/git/vim/src/eval.c:5394
#24 0x561d8b72b6eb in eval8 /srv/git/vim/src/eval.c:4857
#25 0x561d8b72a391 in eval7 /srv/git/vim/src/eval.c:4755
#26 0x561d8b7283a6 in eval6 /srv/git/vim/src/eval.c:4505
#27 0x561d8b7268ba in eval5 /srv/git/vim/src/eval.c:4295
SUMMARY: AddressSanitizer: heap-use-after-free /srv/git/vim/src/charset.c:1920 in skipwhite
Shadow bytes around the buggy address:
0x7be1b2046000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x7be1b2046080: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x7be1b2046100: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 05 fa
0x7be1b2046180: fa fa fd fd fd fa fa fa 00 00 00 05 fa fa 00 00
0x7be1b2046200: 02 fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x7be1b2046280: fd fd fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa
0x7be1b2046300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7be1b2046380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7be1b2046400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7be1b2046480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7be1b2046500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==93146==ABORTING
The lifetime of p returned by compile_eval() is questionable.
After parsing a lambda, *arg could still point into a temporary cmdline buffer, and clear_evalarg() would then free that buffer while the pointer was still in use.
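As an added illustration (not Vim's code and not posted by anyone in this thread), the C program below models the lifetime problem described in the comment above: a lambda parser hands back a pointer that still points into a temporary line buffer, and clearing that buffer before the caller is done with the pointer leaves it dangling, which is exactly what ASAN flagged in `skipwhite()`. The names `evalarg_t`, `getline_copy()`, `skip_lambda()`, `points_into_evalarg()` and the two `compile_eval_*` functions are simplified stand-ins for the Vim functions in the trace (`exarg_getline`/`vim_strsave`, `clear_evalarg`/`ga_clear_strings`, `compile_eval`), not their real signatures. The buggy shape reports whether the pointer would dangle instead of dereferencing it; the fixed shape copies the remainder out while the memory is still live, and `points_into_evalarg()` is the kind of debug assertion one can place before the free to catch this class of bug early.

```c
/* Added example modelling the use-after-free in this report; all names are
 * hypothetical stand-ins for the Vim functions named in the ASAN trace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINES    8
#define REPORT_NMORE 2

/* Constructed input: the multi-line lambda from the report's script. */
static const char *const REPORT_FIRST = "timer_start(100, (_) => {";
static const char *const REPORT_MORE[REPORT_NMORE] = {
    "  echohl WarningMsg | echom msg | echohl None",
    "}, { repeat: 0 })",
};

/* Stand-in for evalarg_T: lines fetched while evaluating an expression,
 * owned here and freed by clear_evalarg(). */
typedef struct {
    char *tofree[MAX_LINES];
    int   count;
} evalarg_t;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Like exarg_getline()+vim_strsave(): heap copy of the next line, remembered
 * so clear_evalarg() can free it later. */
static const char *getline_copy(evalarg_t *ea, const char *src)
{
    if (ea->count >= MAX_LINES) return NULL;
    char *copy = dup_str(src);
    if (copy == NULL) return NULL;
    ea->tofree[ea->count++] = copy;
    return copy;
}

/* Like ga_clear_strings(): every pointer into these lines is dead after this. */
static void clear_evalarg(evalarg_t *ea)
{
    for (int i = 0; i < ea->count; i++) free(ea->tofree[i]);
    ea->count = 0;
}

/* Debug check: does p point inside a line that clear_evalarg() will free?
 * Useful as an assertion right before the free. */
static int points_into_evalarg(const evalarg_t *ea, const char *p)
{
    for (int i = 0; i < ea->count; i++) {
        const char *s = ea->tofree[i];
        if (p >= s && p <= s + strlen(s)) return 1;
    }
    return 0;
}

/* Toy lambda skipper: arg holds "... => {"; the body runs until a fetched
 * line starts with "}". Returns a pointer to the text after that "}", which
 * lies INSIDE the last fetched line and therefore inside ea's storage. */
static const char *skip_lambda(const char *arg, evalarg_t *ea,
                               const char *const *more, int nmore)
{
    if (strchr(arg, '{') == NULL) return NULL;       /* not a lambda */
    for (int i = 0; i < nmore; i++) {
        const char *line = getline_copy(ea, more[i]);
        if (line == NULL) return NULL;
        while (*line == ' ' || *line == '\t') line++;
        if (*line == '}') return line + 1;           /* owned by ea */
    }
    return NULL;
}

/* Buggy shape from the report: the evalarg is cleared while p still points
 * into it; the real code then calls skipwhite(p) on freed memory. Here we
 * only report whether p would dangle rather than reading through it. */
static int compile_eval_buggy_would_dangle(const char *arg,
                                           const char *const *more, int nmore)
{
    evalarg_t ea = {0};
    const char *p = skip_lambda(arg, &ea, more, nmore);
    int dangling = (p != NULL) && points_into_evalarg(&ea, p);
    clear_evalarg(&ea);          /* p is now dangling if it pointed into ea */
    return dangling;
}

/* Fixed shape: finish using p (skip whitespace, copy the remainder) while
 * the line is still live, then free. The caller owns the returned string. */
static char *compile_eval_fixed(const char *arg, const char *const *more, int nmore)
{
    evalarg_t ea = {0};
    const char *p = skip_lambda(arg, &ea, more, nmore);
    char *rest = NULL;
    if (p != NULL) {
        while (*p == ' ' || *p == '\t') p++;        /* skipwhite on live memory */
        rest = dup_str(p);
    }
    clear_evalarg(&ea);
    return rest;
}

/* Runs the fixed path on the report's input and compares the remainder. */
static int fixed_rest_matches(const char *expected)
{
    char *rest = compile_eval_fixed(REPORT_FIRST, REPORT_MORE, REPORT_NMORE);
    int ok = rest != NULL && strcmp(rest, expected) == 0;
    free(rest);
    return ok;
}

int main(void)
{
    printf("buggy path leaves p dangling: %d\n",
           compile_eval_buggy_would_dangle(REPORT_FIRST, REPORT_MORE, REPORT_NMORE));
    printf("fixed path continues with the live remainder: %d\n",
           fixed_rest_matches(", { repeat: 0 })"));
    return 0;
}
```

Build it with `-fsanitize=address` and replace the `dangling` bookkeeping in `compile_eval_buggy_would_dangle()` with an actual read through `p` after `clear_evalarg()` to reproduce the same "heap-use-after-free ... freed by ... clear_evalarg" report shape shown above; the fixed variant stays clean because nothing touches the buffer after it is released.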