
8.1.1467+ consistent `heap-use-after-free` in `garbage_collect .. list_unref` #4547

Closed
pqwy opened this issue Jun 15, 2019 · 5 comments

@pqwy commented Jun 15, 2019

Vim segfaults while using a certain pure vimscript plugin.

I didn't get to the bottom of it, but I suspect it's the closures used in the XML parser.

Reproduce

  • Linux. I'm using an up-to-date Arch.
  • Install coq. Distro-packaged non-GUI version is sufficient. I tested with coq-8.9.1.
  • (Re-)move ~/.vim* stuff.
  • Get the plugin:
        mkdir -p ~/.vim/pack/x/start
        cd ~/.vim/pack/x/start
        git clone https://manu@framagit.org/manu/coq-au-vim.git
        cd coq-au-vim && git checkout 1ff3c89
  • Run `vim -c 'filetype plugin on|setf coq|CoqStart' 2>crash.txt`
  • Press `j`, then leave vim alone for up to 10 seconds.
  • vim segfaults.

It seems that interaction postpones the crash and that it only happens after several seconds of inactivity.

Environment

I tried two versions.

  • A fresh pull with the sanitizer enabled:
VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun 15 2019 20:37:06)
Included patches: 1-1545
Compiled by self@yi
Huge version without GUI.  Features included (+) or not (-):
+acl               -farsi             -mouse_sysmouse    -tag_any_white
+arabic            +file_in_path      +mouse_urxvt       -tcl
+autocmd           +find_in_path      +mouse_xterm       +termguicolors
+autochdir         +float             +multi_byte        +terminal
-autoservername    +folding           +multi_lang        +terminfo
-balloon_eval      -footer            -mzscheme          +termresponse
+balloon_eval_term +fork()            +netbeans_intg     +textobjects
-browse            +gettext           +num64             +textprop
++builtin_terms    -hangul_input      +packages          +timers
+byte_offset       +iconv             +path_extra        +title
+channel           +insert_expand     -perl              -toolbar
+cindent           +job               +persistent_undo   +user_commands
-clientserver      +jumplist          +postscript        +vartabs
-clipboard         +keymap            +printer           +vertsplit
+cmdline_compl     +lambda            +profile           +virtualedit
+cmdline_hist      +langmap           -python            +visual
+cmdline_info      +libcall           -python3           +visualextra
+comments          +linebreak         +quickfix          +viminfo
+conceal           +lispindent        +reltime           +vreplace
+cryptv            +listcmds          +rightleft         +wildignore
+cscope            +localmap          -ruby              +wildmenu
+cursorbind        -lua               +scrollbind        +windows
+cursorshape       +menu              +signs             +writebackup
+dialog_con        +mksession         +smartindent       -X11
+diff              +modify_fname      +sound             -xfontset
+digraphs          +mouse             +spell             -xim
-dnd               -mouseshape        +startuptime       -xpm
-ebcdic            +mouse_dec         +statusline        -xsmp
+emacs_tags        +mouse_gpm         -sun_workshop      -xterm_clipboard
+eval              -mouse_jsbterm     +syntax            -xterm_save
+ex_extra          +mouse_netterm     +tag_binary
+extra_search      +mouse_sgr         -tag_old_static
   system vimrc file: "$VIM/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H     -O -g -DDEBUG -Wall -Wshadow -Wmissing-prototypes  -g -O0 -fsanitize=address -fno-omit-frame-pointer
Linking: gcc   -L/usr/local/lib -Wl,--as-needed -o vim        -lm -ltinfo -lelf -lnsl  -lcanberra  -lacl -lattr -lgpm -ldl         -g -O0 -fsanitize=address -fno-omit-frame-pointer
  DEBUG BUILD
  • And what Arch is shipping:
VIM - Vi IMproved 8.1 (2018 May 18, compiled Jun  5 2019 14:31:35)
Included patches: 1-1467
Compiled by Arch Linux
Huge version with GTK3 GUI.  Features included (+) or not (-):
+acl               +extra_search      +mouse_netterm     -tag_old_static
+arabic            -farsi             +mouse_sgr         -tag_any_white
+autocmd           +file_in_path      -mouse_sysmouse    +tcl/dyn
+autochdir         +find_in_path      +mouse_urxvt       +termguicolors
-autoservername    +float             +mouse_xterm       +terminal
+balloon_eval      +folding           +multi_byte        +terminfo
+balloon_eval_term -footer            +multi_lang        +termresponse
+browse            +fork()            -mzscheme          +textobjects
++builtin_terms    +gettext           +netbeans_intg     +textprop
+byte_offset       -hangul_input      +num64             +timers
+channel           +iconv             +packages          +title
+cindent           +insert_expand     +path_extra        +toolbar
+clientserver      +job               +perl/dyn          +user_commands
+clipboard         +jumplist          +persistent_undo   +vartabs
+cmdline_compl     +keymap            +postscript        +vertsplit
+cmdline_hist      +lambda            +printer           +virtualedit
+cmdline_info      +langmap           +profile           +visual
+comments          +libcall           +python/dyn        +visualextra
+conceal           +linebreak         +python3/dyn       +viminfo
+cryptv            +lispindent        +quickfix          +vreplace
+cscope            +listcmds          +reltime           +wildignore
+cursorbind        +localmap          +rightleft         +wildmenu
+cursorshape       +lua/dyn           +ruby/dyn          +windows
+dialog_con_gui    +menu              +scrollbind        +writebackup
+diff              +mksession         +signs             +X11
+digraphs          +modify_fname      +smartindent       -xfontset
+dnd               +mouse             +startuptime       +xim
-ebcdic            +mouseshape        +statusline        -xpm
+emacs_tags        +mouse_dec         -sun_workshop      +xsmp_interact
+eval              +mouse_gpm         +syntax            +xterm_clipboard
+ex_extra          -mouse_jsbterm     +tag_binary        -xterm_save
   system vimrc file: "/etc/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
  system gvimrc file: "/etc/gvimrc"
    user gvimrc file: "$HOME/.gvimrc"
2nd user gvimrc file: "~/.vim/gvimrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
    system menu file: "$VIMRUNTIME/menu.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -DFEAT_GUI_GTK  -I/usr/include/gtk-3.0 -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/lib/libffi-3.2.1/include -I/usr/include/fribidi -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/uuid -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/gio-unix-2.0 -I/usr/include/libdrm -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -pthread  -D_FORTIFY_SOURCE=2  -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc   -L. -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -fstack-protector-strong -rdynamic -Wl,-export-dynamic -Wl,-E -Wl,-rpath,/usr/lib/perl5/5.30/core_perl/CORE  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -L/usr/local/lib -Wl,--as-needed -o vim   -lgtk-3 -lgdk-3 -lz -lpangocairo-1.0 -lpango-1.0 -latk-1.0 -lcairo-gobject -lcairo -lgdk_pixbuf-2.0 -lgio-2.0 -lgobject-2.0 -lglib-2.0  -lSM -lICE -lXt -lX11 -lXdmcp -lSM -lICE  -lm -ltinfo -lelf -lnsl    -lacl -lattr -lgpm -ldl   -Wl,-E -Wl,-rpath,/usr/lib/perl5/5.30/core_perl/CORE -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -fstack-protector-strong -L/usr/local/lib  -L/usr/lib/perl5/5.30/core_perl/CORE -lperl -lpthread -ldl -lm -lcrypt -lutil -lc   -L/usr/lib -ltclstub8.6 -ldl -lz -lpthread -lm

Sample `crash.txt`

=================================================================
==2123==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000141e8 at pc 0x5631c5e85aa1 bp 0x7fffc2935cc0 sp 0x7fffc2935cb0
READ of size 4 at 0x6070000141e8 thread T0
    #0 0x5631c5e85aa0 in list_unref /home/self/coad/projects/vim/src/list.c:151
    #1 0x5631c5cf5371 in clear_tv /home/self/coad/projects/vim/src/eval.c:7462
    #2 0x5631c619cead in free_funccal_contents /home/self/coad/projects/vim/src/userfunc.c:669
    #3 0x5631c61afd50 in free_unref_funccal /home/self/coad/projects/vim/src/userfunc.c:3807
    #4 0x5631c5cecb0e in garbage_collect /home/self/coad/projects/vim/src/eval.c:5724
    #5 0x5631c5e333a4 in before_blocking /home/self/coad/projects/vim/src/getchar.c:1520
    #6 0x5631c6178e18 in inchar_loop /home/self/coad/projects/vim/src/ui.c:354
    #7 0x5631c5f9876b in mch_inchar /home/self/coad/projects/vim/src/os_unix.c:388
    #8 0x5631c6178930 in ui_inchar /home/self/coad/projects/vim/src/ui.c:231
    #9 0x5631c5e3a5e1 in inchar /home/self/coad/projects/vim/src/getchar.c:3092
    #10 0x5631c5e3977e in vgetorpeek /home/self/coad/projects/vim/src/getchar.c:2870
    #11 0x5631c5e337d1 in vgetc /home/self/coad/projects/vim/src/getchar.c:1602
    #12 0x5631c5e3430d in safe_vgetc /home/self/coad/projects/vim/src/getchar.c:1821
    #13 0x5631c5efd313 in normal_cmd /home/self/coad/projects/vim/src/normal.c:596
    #14 0x5631c624ded0 in main_loop /home/self/coad/projects/vim/src/main.c:1370
    #15 0x5631c624d189 in vim_main2 /home/self/coad/projects/vim/src/main.c:903
    #16 0x5631c624c864 in main /home/self/coad/projects/vim/src/main.c:444
    #17 0x7f83b5e79ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)
    #18 0x5631c5c52f2d in _start (/home/self/coad/projects/vim/src/vim+0xf9f2d)

0x6070000141e8 is located 56 bytes inside of 80-byte region [0x6070000141b0,0x607000014200)
freed by thread T0 here:
    #0 0x7f83b64ecf89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x5631c5ed2a99 in vim_free /home/self/coad/projects/vim/src/misc2.c:1805
    #2 0x5631c5e85e32 in list_free_list /home/self/coad/projects/vim/src/list.c:208
    #3 0x5631c5e85f0b in list_free_items /home/self/coad/projects/vim/src/list.c:225
    #4 0x5631c5cecc01 in free_unref_items /home/self/coad/projects/vim/src/eval.c:5772
    #5 0x5631c5cecafc in garbage_collect /home/self/coad/projects/vim/src/eval.c:5718
    #6 0x5631c5e333a4 in before_blocking /home/self/coad/projects/vim/src/getchar.c:1520
    #7 0x5631c6178e18 in inchar_loop /home/self/coad/projects/vim/src/ui.c:354
    #8 0x5631c5f9876b in mch_inchar /home/self/coad/projects/vim/src/os_unix.c:388
    #9 0x5631c6178930 in ui_inchar /home/self/coad/projects/vim/src/ui.c:231
    #10 0x5631c5e3a5e1 in inchar /home/self/coad/projects/vim/src/getchar.c:3092
    #11 0x5631c5e3977e in vgetorpeek /home/self/coad/projects/vim/src/getchar.c:2870
    #12 0x5631c5e337d1 in vgetc /home/self/coad/projects/vim/src/getchar.c:1602
    #13 0x5631c5e3430d in safe_vgetc /home/self/coad/projects/vim/src/getchar.c:1821
    #14 0x5631c5efd313 in normal_cmd /home/self/coad/projects/vim/src/normal.c:596
    #15 0x5631c624ded0 in main_loop /home/self/coad/projects/vim/src/main.c:1370
    #16 0x5631c624d189 in vim_main2 /home/self/coad/projects/vim/src/main.c:903
    #17 0x5631c624c864 in main /home/self/coad/projects/vim/src/main.c:444
    #18 0x7f83b5e79ce2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)

previously allocated by thread T0 here:
    #0 0x7f83b64ed389 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x5631c5ed0746 in lalloc /home/self/coad/projects/vim/src/misc2.c:924
    #2 0x5631c5ed05e0 in alloc_clear /home/self/coad/projects/vim/src/misc2.c:851
    #3 0x5631c5e85771 in list_alloc /home/self/coad/projects/vim/src/list.c:75
    #4 0x5631c5e885bc in get_list_tv /home/self/coad/projects/vim/src/list.c:890
    #5 0x5631c5ce6672 in eval7 /home/self/coad/projects/vim/src/eval.c:4552
    #6 0x5631c5ce4ff1 in eval6 /home/self/coad/projects/vim/src/eval.c:4237
    #7 0x5631c5ce406d in eval5 /home/self/coad/projects/vim/src/eval.c:4028
    #8 0x5631c5ce37c9 in eval4 /home/self/coad/projects/vim/src/eval.c:3910
    #9 0x5631c5ce335d in eval3 /home/self/coad/projects/vim/src/eval.c:3830
    #10 0x5631c5ce2ebb in eval2 /home/self/coad/projects/vim/src/eval.c:3762
    #11 0x5631c5ce2944 in eval1 /home/self/coad/projects/vim/src/eval.c:3690
    #12 0x5631c619c185 in get_func_tv /home/self/coad/projects/vim/src/userfunc.c:460
    #13 0x5631c61ad4a0 in ex_call /home/self/coad/projects/vim/src/userfunc.c:3342
    #14 0x5631c5d94ec9 in do_one_cmd /home/self/coad/projects/vim/src/ex_docmd.c:2500
    #15 0x5631c5d8c0df in do_cmdline /home/self/coad/projects/vim/src/ex_docmd.c:995
    #16 0x5631c619f3e3 in call_user_func /home/self/coad/projects/vim/src/userfunc.c:1066
    #17 0x5631c61a1df0 in call_func /home/self/coad/projects/vim/src/userfunc.c:1625
    #18 0x5631c619c42a in get_func_tv /home/self/coad/projects/vim/src/userfunc.c:490
    #19 0x5631c61ad4a0 in ex_call /home/self/coad/projects/vim/src/userfunc.c:3342
    #20 0x5631c5d94ec9 in do_one_cmd /home/self/coad/projects/vim/src/ex_docmd.c:2500
    #21 0x5631c5d8c0df in do_cmdline /home/self/coad/projects/vim/src/ex_docmd.c:995
    #22 0x5631c619f3e3 in call_user_func /home/self/coad/projects/vim/src/userfunc.c:1066
    #23 0x5631c61a1df0 in call_func /home/self/coad/projects/vim/src/userfunc.c:1625
    #24 0x5631c619c42a in get_func_tv /home/self/coad/projects/vim/src/userfunc.c:490
    #25 0x5631c61ad4a0 in ex_call /home/self/coad/projects/vim/src/userfunc.c:3342
    #26 0x5631c5d94ec9 in do_one_cmd /home/self/coad/projects/vim/src/ex_docmd.c:2500
    #27 0x5631c5d8c0df in do_cmdline /home/self/coad/projects/vim/src/ex_docmd.c:995
    #28 0x5631c619f3e3 in call_user_func /home/self/coad/projects/vim/src/userfunc.c:1066
    #29 0x5631c61a1df0 in call_func /home/self/coad/projects/vim/src/userfunc.c:1625

SUMMARY: AddressSanitizer: heap-use-after-free /home/self/coad/projects/vim/src/list.c:151 in list_unref
Shadow bytes around the buggy address:
  0x0c0e7fffa7e0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fffa7f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fffa800: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fffa810: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffa820: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0e7fffa830: fd fd fa fa fa fa fd fd fd fd fd fd fd[fd]fd fd
  0x0c0e7fffa840: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fffa850: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fffa860: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fffa870: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fffa880: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2123==ABORTING
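The trace above has a tell-tale shape: the 80-byte list was allocated by `list_alloc`, freed by the sweep in `free_unref_items` inside `garbage_collect`, and then read again by `list_unref` when the same `garbage_collect` call tore down a function-call context in `free_unref_funccal`. The model below is an added example, not Vim's code and not the fix that closed this issue; it reproduces that ordering in a toy mark-and-sweep collector. The names mirror the frames in the trace, and the `mark_pending` switch (whether the mark phase visits the locals of call contexts queued for teardown) is an assumption made for illustration. A freed list is flagged rather than actually freed, so the program observes the stale access without dereferencing unmapped memory.

```c
/* Toy model of the ordering bug visible in the ASan trace (added example, not Vim's code):
 * the sweep frees an unmarked list, then a call context still referencing it is torn down
 * and unrefs it. Names follow the trace; the marking policy is an assumption. */
#include <stdio.h>
#include <stdlib.h>

typedef struct list_S {
    int refcount;            /* owner count, like a list's lv_refcount */
    int copyID;              /* mark stamp written by the GC's mark phase */
    int freed;               /* simulated free: the memory stays mapped, so no real UAF occurs */
    struct list_S *next;     /* chain of every list ever allocated, like Vim's first_list */
} list_T;

typedef struct {
    list_T *local;           /* local variable of a finished function call, still holding a list */
} funccal_T;

static list_T *first_list;   /* head of the allocation chain */
static int current_copyID;
static int uaf_count;        /* how many times a freed list was touched in this cycle */

static list_T *list_alloc(void)
{
    list_T *l = calloc(1, sizeof *l);
    if (l == NULL)
        abort();
    l->refcount = 1;
    l->next = first_list;
    first_list = l;
    return l;
}

/* Simulated free(): mark the block dead instead of returning it to the allocator. */
static void list_free(list_T *l) { l->freed = 1; }

/* Drop one reference. In the real code the refcount read here is the READ of size 4
 * that ASan reported at list.c:151 when the sweep has already freed the list. */
static void list_unref(list_T *l)
{
    if (l == NULL)
        return;
    if (l->freed) {          /* stale pointer: count it instead of crashing */
        uaf_count++;
        return;
    }
    if (--l->refcount <= 0)
        list_free(l);
}

/* Sweep: free every list not marked in this cycle, even with a nonzero refcount.
 * That is what lets a collector reclaim reference cycles, and why any holder of a
 * pointer that was not visited in the mark phase becomes a use-after-free. */
static void free_unref_items(int copyID)
{
    for (list_T *l = first_list; l != NULL; l = l->next)
        if (!l->freed && l->copyID != copyID)
            list_free(l);
}

/* Tear down a call context whose locals are no longer reachable (free_unref_funccal in the trace). */
static void free_unref_funccal(funccal_T *fc)
{
    list_unref(fc->local);
    fc->local = NULL;
}

/* One collection cycle. mark_pending selects whether the mark phase also visits the
 * locals of call contexts that are queued for teardown (assumed policy switch). */
static int garbage_collect(funccal_T *pending, int mark_pending)
{
    int copyID = ++current_copyID;
    if (mark_pending && pending->local != NULL)
        pending->local->copyID = copyID;   /* mark phase */
    free_unref_items(copyID);              /* sweep phase */
    free_unref_funccal(pending);           /* the unref the trace shows after the sweep */
    return uaf_count;
}

static void reset_heap(void)
{
    while (first_list != NULL) {
        list_T *n = first_list->next;
        free(first_list);
        first_list = n;
    }
    uaf_count = 0;
}

/* Run one GC cycle over a call context holding a single list; returns the number of
 * freed-memory touches observed (1 reproduces the trace, 0 is the safe ordering). */
int demo(int mark_pending)
{
    reset_heap();
    funccal_T fc = { list_alloc() };
    int touches = garbage_collect(&fc, mark_pending);
    reset_heap();
    return touches;
}

int main(void)
{
    printf("pending funccal not marked: %d freed-memory touch(es)\n", demo(0));
    printf("pending funccal marked:     %d freed-memory touch(es)\n", demo(1));
    return 0;
}
```

With `demo(0)` the sweep frees the list and the later `list_unref` from the call context touches dead memory, which is the sequence in the "freed by" and "READ" stacks above. With `demo(1)` the list survives the sweep and is released normally when its last reference goes away. Whether the real fix in 6e5000d marks, reorders, or does something else entirely is not stated on this page; the model only shows why the two phases must agree on what is still referenced.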
@brammool (Contributor) commented Jun 15, 2019

@pqwy (Author) commented Jun 15, 2019

Included patches: 1-1545

The repro works on #master as of 3 hours ago.

@pqwy (Author) commented Jun 16, 2019

Bisect blames the patch 8.1.1007 (209b8e3, from #3961). Can't repro with 8.1.1006 (4aa47b2).

It is closures.

@brammool (Contributor) commented Jun 16, 2019

@ichizok made this patch

ichizok referenced this issue Jun 17, 2019: Fix #4547 #4554 (Closed)

brammool closed this in 6e5000d Jun 17, 2019

@pqwy (Author) commented Jun 17, 2019

Can confirm. It fixes my repro too.
