[patch] fixed crash when pressing return in a C++ comment (bug introduced in vim-7.3.552)

Dominique Pellé

Jun 18, 2012, 5:34:28 AM
to vim_dev, Tor Perkins
Hi

I can reproduce a crash once in a while with latest Vim-7.3.556
when pressing return in insert mode in a C++ comment. I can
reproduce it as follows:

# Minimalistic ~/.vimrc to reproduce bug
$ cat ~/.vimrc
syntax on
filetype on
filetype plugin on

# Then this command triggers the bug:
$ rm -f /tmp/foo.cpp; vim /tmp/foo.cpp -c 'call feedkeys("i// foo\<CR>")'

It does not crash all the time, but Valgrind memcheck always shows an error:

==16212== Invalid write of size 1
==16212== at 0x4E2BAD: vim_strncpy (misc2.c:1660)
==16212== by 0x4D1DB5: open_line (misc1.c:1065)
==16212== by 0x43172A: ins_eol (edit.c:9812)
==16212== by 0x423F00: edit (edit.c:1313)
==16212== by 0x50224E: invoke_edit (normal.c:9143)
==16212== by 0x5021E7: nv_edit (normal.c:9116)
==16212== by 0x4F4676: normal_cmd (normal.c:1193)
==16212== by 0x5D4CCB: main_loop (main.c:1294)
==16212== by 0x5D4692: main (main.c:998)
==16212== Address 0xc3f2043 is 0 bytes after a block of size 3 alloc'd
==16212== at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==16212== by 0x4E1E97: lalloc (misc2.c:928)
==16212== by 0x4E1DA4: alloc (misc2.c:827)
==16212== by 0x4D1D65: open_line (misc1.c:1057)
==16212== by 0x43172A: ins_eol (edit.c:9812)
==16212== by 0x423F00: edit (edit.c:1313)
==16212== by 0x50224E: invoke_edit (normal.c:9143)
==16212== by 0x5021E7: nv_edit (normal.c:9116)
==16212== by 0x4F4676: normal_cmd (normal.c:1193)
==16212== by 0x5D4CCB: main_loop (main.c:1294)
==16212== by 0x5D4692: main (main.c:998)
(and many more errors after that)

Variable 'leader' is allocated at misc1.c:1057:

1056 /* allocate buffer (may concatenate p_exta later) */
1057 leader = alloc(lead_len + lead_repl_len + extra_space + extra_len
1058 + (second_line_indent > 0 ? second_line_indent : 0));
1059 allocated = leader; /* remember to free it later */

'hg annotate misc1.c' shows that the code where 'leader'
is allocated was changed recently:

$ hg annotate misc1.c

7: /* allocate buffer (may concatenate p_exta later) */
3584: leader = alloc(lead_len + lead_repl_len + extra_space + extra_len
3584: + (second_line_indent > 0 ? second_line_indent : 0));
7: allocated = leader; /* remember to free it later */


$ hg -v log -r3584
changeset: 3584:443c50cd3e88
tag: v7-3-552
user: Bram Moolenaar <br...@vim.org>
date: Wed Jun 13 17:28:55 2012 +0200
files: src/edit.c src/misc1.c src/ops.c src/testdir/test68.in
src/testdir/test68.ok src/version.c src/vim.h
description:
updated for version 7.3.552
Problem: Formatting inside comments does not use the "2" flag in
'formatoptions'.
Solution: Support the "2" flag. (Tor Perkins)


Attached patch fixes it by allocating an extra byte, which I assume is necessary
for the end of string, but please verify it. I CC Tor Perkins for review since he
changed this code recently in patch 7.3.552.

Regards
-- Dominique
fix-crash-misc1.c-7.3.556.patch
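The report above is a classic off-by-one: the buffer is sized for the characters only, while the copy routine also stores a terminating NUL, so the terminator lands in the byte just past the block (the "0 bytes after a block of size 3" Valgrind points at; "// " is exactly 3 bytes). The program below is an added illustration written for this page, not Vim's code and not the attached patch. It assumes a simplified stand-in for vim_strncpy() that copies len bytes and writes to[len] = NUL, and the helper names copy_with_nul, leader_alloc_buggy, leader_alloc_fixed, copy_fits and canary_clobbered are invented for the example. The canary trick shows the stray write without relying on undefined behaviour: the real buffer is one byte larger than the "allocation", and the byte beyond it is checked after the copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified stand-in for Vim's vim_strncpy() (assumed behaviour: copy at
 * most `len` bytes and always store a terminating NUL at to[len]).  The
 * destination therefore needs len + 1 bytes, not len.
 */
static void copy_with_nul(char *to, const char *from, size_t len)
{
    strncpy(to, from, len);
    to[len] = '\0';   /* this is the byte that lands past a len-byte buffer */
}

/* Allocation size as computed by the quoted 7.3.552 code: no room for the NUL. */
size_t leader_alloc_buggy(size_t lead_len, size_t lead_repl_len,
                          size_t extra_space, size_t extra_len,
                          int second_line_indent)
{
    return lead_len + lead_repl_len + extra_space + extra_len
         + (second_line_indent > 0 ? (size_t)second_line_indent : 0);
}

/* Same sum plus the one byte the terminator needs. */
size_t leader_alloc_fixed(size_t lead_len, size_t lead_repl_len,
                          size_t extra_space, size_t extra_len,
                          int second_line_indent)
{
    return leader_alloc_buggy(lead_len, lead_repl_len, extra_space, extra_len,
                              second_line_indent) + 1;
}

/* Does a copy_with_nul() of `len` bytes fit in an `alloc`-byte buffer? */
int copy_fits(size_t alloc, size_t len)
{
    return alloc >= len + 1;
}

/*
 * Shows the off-by-one without undefined behaviour: the buffer is really
 * alloc + 1 bytes, with a canary in the byte just past the "allocation".
 * Returns 1 if copying `len` bytes into the first `alloc` bytes clobbered
 * the canary (the write Valgrind reported as "0 bytes after a block"),
 * 0 if it did not, -1 on bad arguments or allocation failure.
 */
int canary_clobbered(size_t alloc, size_t len)
{
    if (len > alloc)
        return -1;
    char *buf = malloc(alloc + 1);
    char *src = malloc(len + 1);
    if (buf == NULL || src == NULL) {
        free(buf);
        free(src);
        return -1;
    }
    memset(src, 'x', len);        /* constructed source text of `len` bytes */
    src[len] = '\0';
    memset(buf, 'A', alloc + 1);
    buf[alloc] = '#';             /* canary: first byte beyond the block */

    copy_with_nul(buf, src, len);

    int clobbered = (buf[alloc] != '#');
    free(buf);
    free(src);
    return clobbered;
}

int main(void)
{
    /* "// " is the comment leader from the repro: lead_len == 3, all other
     * terms 0, matching the 3-byte block in the Valgrind report. */
    size_t buggy = leader_alloc_buggy(3, 0, 0, 0, 0);
    size_t fixed = leader_alloc_fixed(3, 0, 0, 0, 0);
    printf("buggy alloc: %zu bytes, fits copy of 3: %d, canary clobbered: %d\n",
           buggy, copy_fits(buggy, 3), canary_clobbered(buggy, 3));
    printf("fixed alloc: %zu bytes, fits copy of 3: %d, canary clobbered: %d\n",
           fixed, copy_fits(fixed, 3), canary_clobbered(fixed, 3));
    return 0;
}
```

The general rule the example encodes: any copy routine that writes its own terminator needs the terminator counted in the allocation, and a Valgrind "Invalid write of size 1 ... 0 bytes after a block" at a strncpy-style call is the signature of exactly that missing byte. Running under Valgrind or ASan rather than waiting for a crash is what makes the bug reproducible every time, as the report notes.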

Bram Moolenaar

Jun 18, 2012, 2:48:38 PM
to Dominique Pellé, vim_dev, Tor Perkins
Thanks for the analysis and fix! I'll include it after Tor has
commented.

--
Just remember...if the world didn't suck, we'd all fall off.

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

Tor Perkins

Jun 20, 2012, 3:16:45 PM
to vim...@googlegroups.com, Bram Moolenaar, Dominique Pellé
First, my apologies for some improperly bounced emails.

Second, Dominique's patch is a good one!

The '+ 1' was there before 7.3.552 and it was present in the patch I
submitted, but it got lost during the process of creating the actual
7.3.552 changeset. I'm sorry I did not catch that when I reviewed
the changeset...

Finally, thanks to you both!

- Tor
