Vim9: crash when stepping through function in debug mode #9394

Closed
lacygoill opened this issue Dec 23, 2021 · 0 comments

Comments


lacygoill commented Dec 23, 2021

Steps to reproduce

Run these shell commands:

cat <<'EOF' >/tmp/crash.vim
    vim9script
    ['" ' .. repeat('x', 371)]->writefile('/tmp/a.vim')
    source /tmp/a.vim
    def Crash()
        #
        #
        #
        #
        #
        #
        #
        if true
            #
        endif
    enddef
    breakadd func Crash
    Crash()
EOF

vim -Nu NONE --cmd 'source /tmp/crash.vim'

Execute the next debugging command.

Vim crashes.

Expected behavior

Vim doesn't crash.

Version of Vim

8.2 Included patches: 1-3877

Environment

Operating system: Ubuntu 20.04.3 LTS
Terminal: xterm
Value of $TERM: xterm-256color
Shell: zsh 5.8

Logs and stack traces

Backtrace:

#0  0x000055555589208f in skipwhite (q=0xffffffffffffd499 <error: Cannot access memory at address 0xffffffffffffd499>)
    at charset.c:1469
#1  0x000055555581473e in handle_debug (iptr=0x5555559a8b28, ectx=0x7fffffffa070) at vim9execute.c:1669
#2  0x000055555581d5e9 in exec_instructions (ectx=0x7fffffffa070) at vim9execute.c:4638
#3  0x000055555581e967 in call_def_function
    (ufunc=0x5555559a8030, argc_arg=0, argv=0x7fffffffa9c0, partial=0x0, rettv=0x7fffffffb340) at vim9execute.c:5043
#4  0x00005555557fbf68 in call_user_func
    (fp=0x5555559a8030, argcount=0, argvars=0x7fffffffa9c0, rettv=0x7fffffffb340, funcexe=
    0x7fffffffaba0, selfdict=0x0) at userfunc.c:2522
#5  0x00005555557fd1e3 in call_user_func_check
    (fp=0x5555559a8030, argcount=0, argvars=0x7fffffffa9c0, rettv=0x7fffffffb340, funcexe=
    0x7fffffffaba0, selfdict=0x0) at userfunc.c:2916
#6  0x00005555557fe15d in call_func
    (funcname=0x5555559a81f0 "Crash()", len=5, rettv=0x7fffffffb340, argcount_in=0, argvars_in=0x7fffffffa9c0, funcexe=0x7fffffffaba0) at userfunc.c:3447
#7  0x00005555557fa7b6 in get_func_tv
    (name=0x5555559a81f0 "Crash()", len=5, rettv=0x7fffffffb340, arg=0x7fffffffb2e0, evalarg=0x7fffffffb350, funcexe=
    0x7fffffffaba0) at userfunc.c:1767
#8  0x00005555555f6203 in eval_func
    (arg=0x7fffffffb2e0, evalarg=0x7fffffffb350, name=0x5555559718e4 "Crash()", name_len=5, rettv=0x7fffffffb340, flags=1, basetv=0x0) at eval.c:2019
#9  0x00005555555f975d in eval7 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350, want_string=0)
    at eval.c:3627
#10 0x00005555555f8e32 in eval7t (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350, want_string=0)
    at eval.c:3325
#11 0x00005555555f888a in eval6 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350, want_string=0)
    at eval.c:3117
#12 0x00005555555f7fd6 in eval5 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350) at eval.c:2880
#13 0x00005555555f7af5 in eval4 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350) at eval.c:2733
#14 0x00005555555f7611 in eval3 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350) at eval.c:2594
#15 0x00005555555f7146 in eval2 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350) at eval.c:2468
#16 0x00005555555f6a0e in eval1 (arg=0x7fffffffb2e0, rettv=0x7fffffffb340, evalarg=0x7fffffffb350) at eval.c:2314
#17 0x00005555555f67a8 in eval0
    (arg=0x5555559718e4 "Crash()", rettv=0x7fffffffb340, eap=0x7fffffffb490, evalarg=0x7fffffffb350) at eval.c:2233
#18 0x000055555563a18a in ex_eval (eap=0x7fffffffb490) at ex_eval.c:940
#19 0x000055555562b4dd in do_one_cmd (cmdlinep=0x7fffffffb6c0, flags=7, cstack=0x7fffffffb7a0, fgetline=
    0x555555766920 <getsourceline>, cookie=0x7fffffffbef0) at ex_docmd.c:2572
#20 0x0000555555628705 in do_cmdline (cmdline=0x555555971fc0 "    vim9script", fgetline=
    0x555555766920 <getsourceline>, cookie=0x7fffffffbef0, flags=7) at ex_docmd.c:994
#21 0x0000555555765f18 in do_source (fname=0x5555559a56a7 "/tmp/crash.vim", check_other=0, is_vimrc=0, ret_sid=0x0)
    at scriptfile.c:1420
#22 0x0000555555765162 in cmd_source (fname=0x5555559a56a7 "/tmp/crash.vim", eap=0x7fffffffc060) at scriptfile.c:985
#23 0x0000555555765240 in ex_source (eap=0x7fffffffc060) at scriptfile.c:1011
#24 0x000055555562b4dd in do_one_cmd (cmdlinep=0x7fffffffc290, flags=11, cstack=0x7fffffffc370, fgetline=
    0x0, cookie=0x0) at ex_docmd.c:2572
#25 0x0000555555628705 in do_cmdline (cmdline=0x7fffffffd12f "source /tmp/crash.vim", fgetline=
    0x0, cookie=0x0, flags=11) at ex_docmd.c:994
#26 0x0000555555627b90 in do_cmdline_cmd (cmd=0x7fffffffd12f "source /tmp/crash.vim") at ex_docmd.c:588
#27 0x000055555589a134 in exe_pre_commands (parmp=0x5555559646c0 <params>) at main.c:3045
#28 0x000055555589635b in main (argc=5, argv=0x7fffffffcb58) at main.c:411

Valgrind log:

==343816== Memcheck, a memory error detector
==343816== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==343816== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==343816== Command: ./src/vim -Nu NONE --cmd source\ /tmp/crash.vim
==343816== Parent PID: 322418
==343816== 
==343816== Invalid read of size 8
==343816==    at 0x3C9A0A: handle_debug (vim9execute.c:1665)
==343816==    by 0x3D28D2: exec_instructions (vim9execute.c:4638)
==343816==    by 0x3D3C50: call_def_function (vim9execute.c:5043)
==343816==    by 0x3B0FB0: call_user_func (userfunc.c:2522)
==343816==    by 0x3B222B: call_user_func_check (userfunc.c:2916)
==343816==    by 0x3B33D0: call_func (userfunc.c:3447)
==343816==    by 0x3AF7FE: get_func_tv (userfunc.c:1767)
==343816==    by 0x1AA77C: eval_func (eval.c:2019)
==343816==    by 0x1ADCD6: eval7 (eval.c:3627)
==343816==    by 0x1AD3AB: eval7t (eval.c:3325)
==343816==    by 0x1ACE03: eval6 (eval.c:3117)
==343816==    by 0x1AC54F: eval5 (eval.c:2880)
==343816==    by 0x1AC06E: eval4 (eval.c:2733)
==343816==    by 0x1ABB8A: eval3 (eval.c:2594)
==343816==    by 0x1AB6BF: eval2 (eval.c:2468)
==343816==    by 0x1AAF87: eval1 (eval.c:2314)
==343816==    by 0x1AAD21: eval0 (eval.c:2233)
==343816==    by 0x1EE8AC: ex_eval (ex_eval.c:940)
==343816==    by 0x1DFBA8: do_one_cmd (ex_docmd.c:2572)
==343816==    by 0x1DCDD0: do_cmdline (ex_docmd.c:994)
==343816==    by 0x31AC93: do_source (scriptfile.c:1420)
==343816==    by 0x319EDD: cmd_source (scriptfile.c:985)
==343816==    by 0x319FBB: ex_source (scriptfile.c:1011)
==343816==    by 0x1DFBA8: do_one_cmd (ex_docmd.c:2572)
==343816==    by 0x1DCDD0: do_cmdline (ex_docmd.c:994)
==343816==    by 0x1DC25B: do_cmdline_cmd (ex_docmd.c:588)
==343816==    by 0x44F56D: exe_pre_commands (main.c:3045)
==343816==    by 0x44B794: main (main.c:411)
==343816==  Address 0x63bc810 is 0 bytes after a block of size 80 alloc'd
==343816==    at 0x483B723: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==343816==    by 0x483E017: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==343816==    by 0x14D3DC: ga_grow_inner (alloc.c:735)
==343816==    by 0x14D352: ga_grow (alloc.c:714)
==343816==    by 0x3AD787: get_function_body (userfunc.c:1032)
==343816==    by 0x3B55BC: define_function (userfunc.c:4331)
==343816==    by 0x3B63CD: ex_function (userfunc.c:4639)
==343816==    by 0x1DFBA8: do_one_cmd (ex_docmd.c:2572)
==343816==    by 0x1DCDD0: do_cmdline (ex_docmd.c:994)
==343816==    by 0x31AC93: do_source (scriptfile.c:1420)
==343816==    by 0x319EDD: cmd_source (scriptfile.c:985)
==343816==    by 0x319FBB: ex_source (scriptfile.c:1011)
==343816==    by 0x1DFBA8: do_one_cmd (ex_docmd.c:2572)
==343816==    by 0x1DCDD0: do_cmdline (ex_docmd.c:994)
==343816==    by 0x1DC25B: do_cmdline_cmd (ex_docmd.c:588)
==343816==    by 0x44F56D: exe_pre_commands (main.c:3045)
==343816==    by 0x44B794: main (main.c:411)
==343816== 
==343816== 
==343816== HEAP SUMMARY:
==343816==     in use at exit: 172,396 bytes in 636 blocks
==343816==   total heap usage: 5,180 allocs, 4,544 frees, 1,462,831 bytes allocated

Asan log:

=================================================================
==338079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001420 at pc 0x557bf80d0d59 bp 0x7ffe98dce370 sp 0x7ffe98dce360
READ of size 8 at 0x607000001420 thread T0
    #0 0x557bf80d0d58 in handle_debug /home/lgc/Vcs/vim/src/vim9execute.c:1665
    #1 0x557bf8101dca in exec_instructions /home/lgc/Vcs/vim/src/vim9execute.c:4638
    #2 0x557bf81088f8 in call_def_function /home/lgc/Vcs/vim/src/vim9execute.c:5043
    #3 0x557bf805cc2b in call_user_func /home/lgc/Vcs/vim/src/userfunc.c:2522
    #4 0x557bf80628c1 in call_user_func_check /home/lgc/Vcs/vim/src/userfunc.c:2916
    #5 0x557bf8066e62 in call_func /home/lgc/Vcs/vim/src/userfunc.c:3447
    #6 0x557bf80552c9 in get_func_tv /home/lgc/Vcs/vim/src/userfunc.c:1767
    #7 0x557bf7783773 in eval_func /home/lgc/Vcs/vim/src/eval.c:2019
    #8 0x557bf7790872 in eval7 /home/lgc/Vcs/vim/src/eval.c:3627
    #9 0x557bf778e2c1 in eval7t /home/lgc/Vcs/vim/src/eval.c:3325
    #10 0x557bf778c9a8 in eval6 /home/lgc/Vcs/vim/src/eval.c:3117
    #11 0x557bf778aad7 in eval5 /home/lgc/Vcs/vim/src/eval.c:2880
    #12 0x557bf778976d in eval4 /home/lgc/Vcs/vim/src/eval.c:2733
    #13 0x557bf778867b in eval3 /home/lgc/Vcs/vim/src/eval.c:2594
    #14 0x557bf77875f3 in eval2 /home/lgc/Vcs/vim/src/eval.c:2468
    #15 0x557bf7785bf8 in eval1 /home/lgc/Vcs/vim/src/eval.c:2314
    #16 0x557bf7785338 in eval0 /home/lgc/Vcs/vim/src/eval.c:2233
    #17 0x557bf78a4a04 in ex_eval /home/lgc/Vcs/vim/src/ex_eval.c:940
    #18 0x557bf78595e1 in do_one_cmd /home/lgc/Vcs/vim/src/ex_docmd.c:2572
    #19 0x557bf784d0b4 in do_cmdline /home/lgc/Vcs/vim/src/ex_docmd.c:994
    #20 0x557bf7dc3f1f in do_source /home/lgc/Vcs/vim/src/scriptfile.c:1420
    #21 0x557bf7dc0b21 in cmd_source /home/lgc/Vcs/vim/src/scriptfile.c:985
    #22 0x557bf7dc0cde in ex_source /home/lgc/Vcs/vim/src/scriptfile.c:1011
    #23 0x557bf78595e1 in do_one_cmd /home/lgc/Vcs/vim/src/ex_docmd.c:2572
    #24 0x557bf784d0b4 in do_cmdline /home/lgc/Vcs/vim/src/ex_docmd.c:994
    #25 0x557bf784ac46 in do_cmdline_cmd /home/lgc/Vcs/vim/src/ex_docmd.c:588
    #26 0x557bf8340ac7 in exe_pre_commands /home/lgc/Vcs/vim/src/main.c:3045
    #27 0x557bf8331e05 in main /home/lgc/Vcs/vim/src/main.c:411
    #28 0x7f58fbde50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #29 0x557bf75c6dfd in _start (/home/lgc/Vcs/vim/src/vim+0x123fdfd)

0x607000001420 is located 0 bytes to the right of 80-byte region [0x6070000013d0,0x607000001420)
allocated by thread T0 here:
    #0 0x7f58fd8b8ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
    #1 0x557bf75c8ef6 in ga_grow_inner /home/lgc/Vcs/vim/src/alloc.c:735
    #2 0x557bf75c8bad in ga_grow /home/lgc/Vcs/vim/src/alloc.c:714
    #3 0x557bf804c5d7 in get_function_body /home/lgc/Vcs/vim/src/userfunc.c:1032
    #4 0x557bf806f785 in define_function /home/lgc/Vcs/vim/src/userfunc.c:4331
    #5 0x557bf807397f in ex_function /home/lgc/Vcs/vim/src/userfunc.c:4639
    #6 0x557bf78595e1 in do_one_cmd /home/lgc/Vcs/vim/src/ex_docmd.c:2572
    #7 0x557bf784d0b4 in do_cmdline /home/lgc/Vcs/vim/src/ex_docmd.c:994
    #8 0x557bf7dc3f1f in do_source /home/lgc/Vcs/vim/src/scriptfile.c:1420
    #9 0x557bf7dc0b21 in cmd_source /home/lgc/Vcs/vim/src/scriptfile.c:985
    #10 0x557bf7dc0cde in ex_source /home/lgc/Vcs/vim/src/scriptfile.c:1011
    #11 0x557bf78595e1 in do_one_cmd /home/lgc/Vcs/vim/src/ex_docmd.c:2572
    #12 0x557bf784d0b4 in do_cmdline /home/lgc/Vcs/vim/src/ex_docmd.c:994
    #13 0x557bf784ac46 in do_cmdline_cmd /home/lgc/Vcs/vim/src/ex_docmd.c:588
    #14 0x557bf8340ac7 in exe_pre_commands /home/lgc/Vcs/vim/src/main.c:3045
    #15 0x557bf8331e05 in main /home/lgc/Vcs/vim/src/main.c:411
    #16 0x7f58fbde50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lgc/Vcs/vim/src/vim9execute.c:1665 in handle_debug
Shadow bytes around the buggy address:
  0x0c0e7fff8230: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fff8240: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff8250: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff8260: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff8270: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
=>0x0c0e7fff8280: 00 00 00 00[fa]fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8290: fd fd fa fa fa fa 00 00 00 00 00 00 00 00 02 fa
  0x0c0e7fff82a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 06 fa fa
  0x0c0e7fff82b0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fff82c0: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa 00 00
  0x0c0e7fff82d0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==338079==ABORTING
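The sanitizer output above is consistent with a single shape: an 8-byte read at exactly the end of an 80-byte heap block that was grown while collecting the function body, i.e. ten line pointers for the ten-line body of `Crash()`, followed by a read of an eleventh entry whose garbage value is then handed to `skipwhite()`. The following C program is an added example, not code from this issue or from Vim: it models that access pattern with a hypothetical `body_t` struct and the helper names `line_unchecked`, `line_checked`, `skip_blanks` and `debug_line_text`, all of which are assumptions for illustration, and shows the bounds check that keeps a debugger-supplied line number from indexing past the array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not Vim's code: a compiled function keeps its
 * source lines in a growable array of char pointers.  The ASan report
 * in this issue shows an 8-byte read at offset 80 of an 80-byte block,
 * which is entry 10 of a 10-entry pointer array on a 64-bit host. */
typedef struct {
    const char **lines;
    int          len;   /* number of valid entries in lines[] */
} body_t;

/* Unchecked lookup: the failing shape.  With lnum == len this reads one
 * pointer past the allocation; the garbage pointer is then dereferenced
 * by whatever consumes the line.  Never called out of range here. */
const char *line_unchecked(const body_t *b, int lnum)
{
    return b->lines[lnum];
}

/* Checked lookup: refuse anything outside [0, len). */
const char *line_checked(const body_t *b, int lnum)
{
    if (b == NULL || lnum < 0 || lnum >= b->len)
        return NULL;
    return b->lines[lnum];
}

/* Skip leading blanks the way a skipwhite() would, but tolerate NULL so
 * a failed lookup cannot turn into a wild read. */
const char *skip_blanks(const char *p)
{
    if (p == NULL)
        return NULL;
    while (*p == ' ' || *p == '\t')
        ++p;
    return p;
}

/* Constructed sample: the ten lines of the Crash() body from the report. */
static const char *crash_body[] = {
    "#", "#", "#", "#", "#", "#", "#", "if true", "    #", "endif"
};

/* What a debugger "next" step would display for line lnum, or NULL when
 * the requested line does not exist in the function body. */
const char *debug_line_text(int lnum)
{
    body_t b = { crash_body, (int)(sizeof crash_body / sizeof crash_body[0]) };
    return skip_blanks(line_checked(&b, lnum));
}

int main(void)
{
    body_t b = { crash_body, 10 };

    /* In-range access works the same with and without the check. */
    printf("line 7 unchecked: %s\n", line_unchecked(&b, 7));
    printf("line 8 checked:   %s\n", debug_line_text(8));

    /* Line 10 is one past the end: the checked path reports "no such
     * line" instead of reading past the 80-byte block. */
    if (debug_line_text(10) == NULL)
        printf("line 10: out of range, not read\n");
    return 0;
}
```

The check belongs in the lookup rather than in the caller because the line number here comes from debugger state that is computed separately from the body array; validating it at the point of use is what an ASan-clean build of this pattern needs.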