fold-delete-marker SEGV fix


fold-delete-marker SEGV fix

Lech Lorens
Problem:
The cursor position is not updated after deleting a fold based on
markers. This results in an invalid memory reference in some scenarios.

How to reproduce:
In normal mode perform zRgg$zdaa while editing a file with the following
contents:
[[[
blah blah blah
]]]
vim: fdm=marker fmr=[[[,]]]

Fix:
The attached patch seems to fix the problem.

--
Cheers,
Lech

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---


*** src/.svn/text-base/fold.c.svn-base 2008-12-01 00:34:32.000000000 +0100
--- src/fold.c 2008-12-18 00:41:52.000000000 +0100
***************
*** 748,753 ****
--- 748,754 ----
      int did_one = FALSE;
      linenr_T first_lnum = MAXLNUM;
      linenr_T last_lnum = 0;
+     colnr_T len;
 
      checkupdate(curwin);
 
***************
*** 802,807 ****
--- 803,814 ----
     changed_window_setting();
  }
      }
+     len = (colnr_T)STRLEN(ml_get_curline());
+     if(curwin->w_cursor.col >= len)
+     {
+ curwin->w_cursor.col = (colnr_T)(len? len - 1: 0);
+ changed_cline_bef_curs();
+     }
      if (!did_one)
      {
  EMSG(_(e_nofold));
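Review bot: the five lines added just before `if (!did_one)` re-implement the clamp that Vim's existing `check_cursor_col()` (misc2.c) already performs, and the hand-rolled form misses two cases that function covers: a column equal to the line length is legal in Insert mode and with the "onemore" value of 'virtualedit', and on multibyte text `len - 1` can land on a trail byte of a character (the Valgrind trace later in this thread shows the stale column being read inside `utf_head_off()` via `mb_adjust_cursor()`). Suggest replacing the block with a single `check_cursor_col();` call, which also resets the cached cursor info. If the explicit form is kept, match the surrounding style: `if (` with a space, and `len ? len - 1 : 0`.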
Re: fold-delete-marker SEGV fix

Dominique Pellé

Lech Lorens wrote:

> Problem:
> The cursor position is not updated after deleting a fold based on
> markers. This results in an invalid memory reference in some scenarios.
>
> How to reproduce:
> In normal mode perform zRgg$zdaa while editing a file with the following
> contents:
> [[[
> blah blah blah
> ]]]
> vim: fdm=marker fmr=[[[,]]]
>
> Fix:
> The attached patch seems to fix the problem.


I can reproduce the bug that you describe with vim-7.2.69.
Although it does not crash for me, just after typing
'zd' in 'zRgg$zdaa' valgrind reports the following error:

==15028== Invalid read of size 1
==15028==    at 0x813F67B: utf_head_off (mbyte.c:2498)
==15028==    by 0x813FDF5: mb_adjustpos (mbyte.c:2791)
==15028==    by 0x813FDA2: mb_adjust_cursor (mbyte.c:2771)
==15028==    by 0x81439CB: normal_cmd (normal.c:1339)
==15028==    by 0x8106A71: main_loop (main.c:1180)
==15028==    by 0x81065BE: main (main.c:939)
==15028==  Address 0x677bc71 is 1 bytes after a block of size 4,096 alloc'd
==15028==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
==15028==    by 0x8133F88: lalloc (misc2.c:859)
==15028==    by 0x8133EA4: alloc (misc2.c:758)
==15028==    by 0x8113D37: mf_alloc_bhdr (memfile.c:973)
==15028==    by 0x8113357: mf_new (memfile.c:395)
==15028==    by 0x8119235: ml_new_data (memline.c:3164)
==15028==    by 0x811484B: ml_open (memline.c:373)
==15028==    by 0x8073C80: open_buffer (buffer.c:85)
==15028==    by 0x810863B: create_windows (main.c:2483)
==15028==    by 0x8106351: main (main.c:798)

I confirm that your patch fixes it.

-- Dominique
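The Valgrind trace above shows the stale cursor column being dereferenced one byte past the line after the fold marker was deleted. The following is an added illustration of that bug class and of the clamp the posted patch applies; it is not code from this thread or from Vim. The `struct line` type and the function names are hypothetical stand-ins for Vim's current line and `curwin->w_cursor.col`, and the sample line contents are constructed from the test file in the report.

```c
/* Added illustration of the bug class in this thread; this is not Vim code.
 * An editor keeps a cursor column into the current line. An operation that
 * shortens the line (here: removing a fold marker, as 'zd' does on a
 * marker-based fold) must re-clamp that column, or the next access to
 * line[col] reads past the end of the line. clamp_cursor_col() applies the
 * rule from the posted patch: len ? len - 1 : 0. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical line type standing in for Vim's current line plus
 * curwin->w_cursor.col. */
struct line {
    char *text;   /* NUL-terminated content, heap-allocated */
    size_t col;   /* cursor column (byte index into text) */
};

/* Remove every occurrence of marker from the line text, in place.
 * Returns the number of occurrences removed. */
static size_t remove_marker(struct line *ln, const char *marker)
{
    size_t mlen = strlen(marker);
    size_t removed = 0;
    char *p;

    if (mlen == 0)
        return 0;
    while ((p = strstr(ln->text, marker)) != NULL) {
        memmove(p, p + mlen, strlen(p + mlen) + 1);  /* +1 keeps the NUL */
        removed++;
    }
    return removed;
}

/* Pure form of the patch's clamp so it can be checked on its own: a column
 * at or past the end moves to the last byte, or to 0 on an empty line. */
static size_t clamped_col(const char *text, size_t col)
{
    size_t len = strlen(text);

    if (col >= len)
        col = len ? len - 1 : 0;
    return col;
}

static void clamp_cursor_col(struct line *ln)
{
    ln->col = clamped_col(ln->text, ln->col);
}

/* Invariant every later line[col] access relies on: the column names a
 * byte that exists, or is 0 on an empty line. */
static int cursor_in_bounds(const struct line *ln)
{
    size_t len = strlen(ln->text);

    return len == 0 ? ln->col == 0 : ln->col < len;
}

/* Replays the report: '$' puts the cursor on the last byte of a line that
 * ends in a fold marker, then the marker is deleted. With clamp == 0 the
 * column is left stale (the bug); with clamp != 0 it is re-clamped (the
 * fix). Returns 1 if the cursor is in bounds afterwards, else 0.
 * content is a constructed sample, not a real buffer. */
static int delete_marker_scenario(const char *content, const char *marker,
                                  int clamp)
{
    struct line ln;
    size_t len = strlen(content);
    int ok;

    ln.text = malloc(len + 1);
    if (ln.text == NULL)
        return 0;
    memcpy(ln.text, content, len + 1);
    ln.col = len ? len - 1 : 0;          /* '$' */
    remove_marker(&ln, marker);
    if (clamp)
        clamp_cursor_col(&ln);
    ok = cursor_in_bounds(&ln);
    free(ln.text);
    return ok;
}

int main(void)
{
    const char *first_line = "[[[";   /* constructed: line 1 of test file */

    printf("stale column in bounds:   %d\n",
           delete_marker_scenario(first_line, "[[[", 0));
    printf("clamped column in bounds: %d\n",
           delete_marker_scenario(first_line, "[[[", 1));
    return 0;
}
```

Run as is, the first line of the report's test file reproduces the shape of the bug: deleting the marker leaves an empty line while the column still says 2, so any `line[col]` read is out of bounds; with the clamp the column becomes 0.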


Re: fold-delete-marker SEGV fix

Bram Moolenaar
In reply to this post by Lech Lorens


Lech Lorens wrote:

> Problem:
> The cursor position is not updated after deleting a fold based on
> markers. This results in an invalid memory reference in some scenarios.
>
> How to reproduce:
> In normal mode perform zRgg$zdaa while editing a file with the following
> contents:
> [[[
> blah blah blah
> ]]]
> vim: fdm=marker fmr=[[[,]]]
>
> Fix:
> The attached patch seems to fix the problem.

Thanks!  I'll put it at the top of my todo list.

--
Q: Why does /dev/null accept only integers?
A: You can't sink a float.

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///


Re: fold-delete-marker SEGV fix

Patrick Texier-2
In reply to this post by Dominique Pellé

On Thu, 18 Dec 2008 20:45:02 +0100, Dominique Pelle wrote:

> I can reproduce the bug that you describe with vim-7.2.69.

On Windows 98, gVim 7.2.69 crashes:

GVIM a causé une défaillance de page dans
 le module GVIM.EXE à 0167:0051b586.

> I confirm that your patch fixes it.

Yes.
--
Patrick Texier


Re: fold-delete-marker SEGV fix

Dominique Pellé
In reply to this post by Dominique Pellé

Dominique Pelle wrote:

> Lech Lorens wrote:
>
>> Problem:
>> The cursor position is not updated after deleting a fold based on
>> markers. This results in an invalid memory reference in some scenarios.
>>
>> How to reproduce:
>> In normal mode perform zRgg$zdaa while editing a file with the following
>> contents:
>> [[[
>> blah blah blah
>> ]]]
>> vim: fdm=marker fmr=[[[,]]]
>>
>> Fix:
>> The attached patch seems to fix the problem.
>
>
> I can reproduce the bug that you describe with vim-7.2.69.
> Although it does not crash for me, just after typing
> 'zd' in 'zRgg$zdaa' valgrind reports the following error:
>
> ==15028== Invalid read of size 1
> ==15028==    at 0x813F67B: utf_head_off (mbyte.c:2498)
> ==15028==    by 0x813FDF5: mb_adjustpos (mbyte.c:2791)
> ==15028==    by 0x813FDA2: mb_adjust_cursor (mbyte.c:2771)
> ==15028==    by 0x81439CB: normal_cmd (normal.c:1339)
> ==15028==    by 0x8106A71: main_loop (main.c:1180)
> ==15028==    by 0x81065BE: main (main.c:939)
> ==15028==  Address 0x677bc71 is 1 bytes after a block of size 4,096 alloc'd
> ==15028==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
> ==15028==    by 0x8133F88: lalloc (misc2.c:859)
> ==15028==    by 0x8133EA4: alloc (misc2.c:758)
> ==15028==    by 0x8113D37: mf_alloc_bhdr (memfile.c:973)
> ==15028==    by 0x8113357: mf_new (memfile.c:395)
> ==15028==    by 0x8119235: ml_new_data (memline.c:3164)
> ==15028==    by 0x811484B: ml_open (memline.c:373)
> ==15028==    by 0x8073C80: open_buffer (buffer.c:85)
> ==15028==    by 0x810863B: create_windows (main.c:2483)
> ==15028==    by 0x8106351: main (main.c:798)
>
> I confirm that your patch fixes it.
>
> -- Dominique


Actually, testing a bit further, although your patch fixes
something (the valgrind error, and the crash for you), I still
observe something wrong.

I can reproduce the E38 error all the time. According to ":help E38"
it's an internal error (i.e. bug in Vim):

===============================================
                                                        *E38*  >
  Null argument

Something inside Vim went wrong and resulted in a NULL pointer.  If you know
how to reproduce this problem, please report it. |bugs|
============================================

Steps to reproduce:

1/ use following test.txt sample file:

$ cat test.txt
[[[
blah blah blah
]]]
vim: fdm=marker fmr=[[[,]]]

2/ start vim:

$ vim test.txt

3/ In Normal command mode, type:

ggA [[[<esc>zdu

After typing zd, I observe one folded line with nothing in it (which is already
wrong). Then when pressing 'u' for undo, I get the E38 error. Also, the
content of the file looks wrong after doing undo. Whenever I move the
cursor, I see E38.

It happens with vim-7.2.69 with and without patch for fold.c

-- Dominique


Re: fold-delete-marker SEGV fix

Lech Lorens

On 19-12-2008 Dominique Pelle <[hidden email]> wrote:
> Actually, testing a bit further, although your patch fixes
> something (the valgrind error, and the crash for you),  I still
> observe something wrong.
>
> I can reproduce the E38 error all the time. According to ":help E38"
> it's an internal error (i.e. bug in Vim):
>
[...]
>
> After typing zd, I observe one folded line with nothing in it (which is already
> wrong). Then when pressing 'u' for undo, I get the E38 error. Also, the
> content of the file looks wrong after doing undo. Whenever I move the
> cursor, I see E38.
>
> It happens with vim-7.2.69 with and without patch for fold.c

I looked into the problem and hope to find some time tomorrow in the
morning to fix it. Additionally I found and solved another fold-related
problem.

--
Cheers,
Lech
