Re: [patch] fixed uninitialized memory access in i_CTRL-X_s (spell suggestion)

  • Dominique Pellé
    Message 1 of 5, Aug 1, 2010
      Dominique Pellé <dominique.pelle@...>:

      > Hi
      >
      > Valgrind detects access to uninitialized memory in both Vim-7.2.446 and
      > Vim-7.3.c BETA (2448:943280505f72) with the i_CTRL-X_s feature: spell
      > suggestion of word in front of cursor. It happens when word in front of
      > cursor is only 1 letter long and a vowel.  I think that vowels are ignored
      > in the Soundex algorithm so variable goodsound at spell.c:14758 is an
      > empty string and goodsound[1] is accessed (beyond end of string).
      >
      > Steps to reproduce:
      >
      > 1) Run:
      >
      > $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
      >  vim -u NONE -c 'set spell' -c 'call feedkeys("aa\<C-X>s")'
      >
      > 2) Observe following error in vg.log:
      >
      > ==3666== Conditional jump or move depends on uninitialised value(s)
      > ==3666==    at 0x81A000B: soundalike_score (spell.c:14758)
      > ==3666==    by 0x819CC0C: stp_sal_score (spell.c:13142)
      > ==3666==    by 0x819E3F2: rescore_one (spell.c:13923)
      > ==3666==    by 0x819E2EC: rescore_suggestions (spell.c:13896)
      > ==3666==    by 0x8197186: spell_suggest_intern (spell.c:10791)
      > ==3666==    by 0x8196D66: spell_find_suggest (spell.c:10641)
      > ==3666==    by 0x81966EB: spell_suggest_list (spell.c:10494)
      > ==3666==    by 0x81A24D5: expand_spelling (spell.c:16021)
      > ==3666==    by 0x806AD86: ins_compl_get_exp (edit.c:4163)
      > ==3666==    by 0x806B7CB: ins_compl_next (edit.c:4506)
      > ==3666==    by 0x806CA13: ins_complete (edit.c:5139)
      > ==3666==    by 0x80669EC: edit (edit.c:1366)
      > ==3666==    by 0x813427C: invoke_edit (normal.c:9024)
      > ==3666==    by 0x8134222: nv_edit (normal.c:8997)
      > ==3666==    by 0x8127BFB: normal_cmd (normal.c:1190)
      > ==3666==    by 0x80E8ECF: main_loop (main.c:1260)
      > ==3666==    by 0x80E8904: main (main.c:965)
      > ==3666==  Uninitialised value was created by a stack allocation
      > ==3666==    at 0x819C9BB: stp_sal_score (spell.c:13096)


      Hi

      I still see other Valgrind errors with spell suggestion with
      Vim-7.2.446 and Vim-7.3c (2448:943280505f72) when doing:

      $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
      vim -u NONE -c 'set spell|call feedkeys("i,,\<C-X>s")'

      ==4200== Conditional jump or move depends on uninitialised value(s)
      ==4200== at 0x8123C84: utf_head_off (mbyte.c:3290)
      ==4200== by 0x8198E00: suggest_trie_walk (spell.c:11666)
      ==4200== by 0x8197E64: suggest_try_change (spell.c:11229)
      ==4200== by 0x8197100: spell_suggest_intern (spell.c:10777)
      ==4200== by 0x8196D1E: spell_find_suggest (spell.c:10641)
      ==4200== by 0x81966A3: spell_suggest_list (spell.c:10494)
      ==4200== by 0x81A248D: expand_spelling (spell.c:16021)
      ==4200== by 0x806AD4E: ins_compl_get_exp (edit.c:4163)
      ==4200== by 0x806B793: ins_compl_next (edit.c:4506)
      ==4200== by 0x806C9DB: ins_complete (edit.c:5139)
      ==4200== by 0x80669B4: edit (edit.c:1366)
      ==4200== by 0x8134208: invoke_edit (normal.c:9024)
      ==4200== by 0x81341AE: nv_edit (normal.c:8997)
      ==4200== by 0x8127B87: normal_cmd (normal.c:1190)
      ==4200== by 0x80E8E97: main_loop (main.c:1260)
      ==4200== by 0x80E88CC: main (main.c:965)
      ==4200== Uninitialised value was created by a stack allocation
      ==4200== at 0x8197D56: suggest_try_change (spell.c:11204)

      Attached new patch fixes it, but I don't think it's ideal
      since giving a spell suggestion when only typing punctuation
      does not make much sense.

      -- Dominique

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
    • Bram Moolenaar
      Message 2 of 5, Aug 1, 2010
        Dominique Pelle wrote:

        > Valgrind detects access to uninitialized memory in both Vim-7.2.446 and
        > Vim-7.3.c BETA (2448:943280505f72) with the i_CTRL-X_s feature: spell
        > suggestion of word in front of cursor. It happens when word in front of
        > cursor is only 1 letter long and a vowel. I think that vowels are ignored
        > in the Soundex algorithm so variable goodsound at spell.c:14758 is an
        > empty string and goodsound[1] is accessed (beyond end of string).
        >
        > Steps to reproduce:
        >
        > 1) Run:
        >
        > $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
        > vim -u NONE -c 'set spell' -c 'call feedkeys("aa\<C-X>s")'
        >
        > 2) Observe following error in vg.log:
        >
        > ==3666== Conditional jump or move depends on uninitialised value(s)
        > ==3666== at 0x81A000B: soundalike_score (spell.c:14758)
        > ==3666== by 0x819CC0C: stp_sal_score (spell.c:13142)
        > ==3666== by 0x819E3F2: rescore_one (spell.c:13923)
        > ==3666== by 0x819E2EC: rescore_suggestions (spell.c:13896)
        > ==3666== by 0x8197186: spell_suggest_intern (spell.c:10791)
        > ==3666== by 0x8196D66: spell_find_suggest (spell.c:10641)
        > ==3666== by 0x81966EB: spell_suggest_list (spell.c:10494)
        > ==3666== by 0x81A24D5: expand_spelling (spell.c:16021)
        > ==3666== by 0x806AD86: ins_compl_get_exp (edit.c:4163)
        > ==3666== by 0x806B7CB: ins_compl_next (edit.c:4506)
        > ==3666== by 0x806CA13: ins_complete (edit.c:5139)
        > ==3666== by 0x80669EC: edit (edit.c:1366)
        > ==3666== by 0x813427C: invoke_edit (normal.c:9024)
        > ==3666== by 0x8134222: nv_edit (normal.c:8997)
        > ==3666== by 0x8127BFB: normal_cmd (normal.c:1190)
        > ==3666== by 0x80E8ECF: main_loop (main.c:1260)
        > ==3666== by 0x80E8904: main (main.c:965)
        > ==3666== Uninitialised value was created by a stack allocation
        > ==3666== at 0x819C9BB: stp_sal_score (spell.c:13096)
        >
        > Attached patch fixes it, but please review it as I can't say
        > that I understand all details of the soundalike algorithm.

        I could see it happen when finding a suggestion for the word "u".
        Some of the alternatives, such as "W" or "Y" have an empty soundfold
        result.

        I think changing "*" to empty deserves a score of SCORE_DEL. If there
        is more after the "*" then SCORE_MAXMAX seems appropriate.
        I'll make it work like that.

        --
        I once paid $12 to peer at the box that held King Tutankhamen's little
        bandage-covered midget corpse at the De Young Museum in San Francisco. I
        remember thinking how pleased he'd be about the way things turned out in his
        afterlife.
        (Scott Adams - The Dilbert principle)

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

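The defect shape in the first report, as an added illustration that is not Vim's spell.c: a toy sound-fold that, like Vim's, turns a lone vowel (or "W", "Y", or a punctuation-only word such as ",,") into an empty string, and a lock-step scorer in two versions. The first reads goodsound[1] for a transposition test before it has established that goodsound[0] is not already the terminator; the second checks for an exhausted string first. The buffer reuse in demo_stale_buffer() is constructed to make the consequence reproducible: in the real report the byte after the terminator was never written at all, which is why Valgrind traced it to a stack allocation. The score names come from the thread; their values, the fold rule and the scoring rule are assumptions for this example, and Bram's "*" handling is not modelled.

```c
/* Added example, not Vim's spell.c.  A toy sound-fold plus a lock-step
 * scorer in two versions: one with the defect shape behind the report
 * (good[1] read while good[0] may already be the terminator) and one that
 * establishes both strings are non-empty before looking one byte ahead.
 * Score constants carry the names from the thread; the values are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXWLEN     256
#define SCORE_SWAP   90   /* two sounds transposed          (assumed value) */
#define SCORE_SUBST  93   /* one sound replaced by another  (assumed value) */
#define SCORE_DEL    94   /* one sound missing              (assumed value) */

/* Toy sound-fold: keep consonants, upper-cased; drop vowels, h, w, y and
 * anything that is not a letter.  "u", "W", "Y" and ",," all fold to "". */
void toy_soundfold(const char *word, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *word != '\0' && n + 1 < outlen; ++word) {
        int c = toupper((unsigned char)*word);
        if (isalpha(c) && strchr("AEIOUHWY", c) == NULL)
            out[n++] = (char)c;
    }
    out[n] = '\0';          /* only this byte is written for an empty result */
}

/* Defective shape: the swap test reads good[1] and bad[1] before checking
 * that good[0] and bad[0] are not the terminator.  For good == "" that is
 * the byte after the NUL: inside the caller's buffer, but never written by
 * this fold, which is what Valgrind reports as an uninitialised read. */
int score_unchecked(const char *good, const char *bad)
{
    int score = 0;
    while (*good != '\0' || *bad != '\0') {
        if (*good == *bad) { ++good; ++bad; continue; }
        if (good[0] == bad[1] && good[1] == bad[0]) {   /* BUG: [1] unguarded */
            good += 2; bad += 2; score += SCORE_SWAP; continue;
        }
        if (*good == '\0') { ++bad;  score += SCORE_DEL; continue; }
        if (*bad  == '\0') { ++good; score += SCORE_DEL; continue; }
        ++good; ++bad; score += SCORE_SUBST;
    }
    return score;
}

/* Hardened: handle "one side is exhausted" first, so [1] is only read when
 * [0] is a real character, and only step two ahead when [1] is one too. */
int score_checked(const char *good, const char *bad)
{
    int score = 0;
    while (*good != '\0' || *bad != '\0') {
        if (*good == *bad) { ++good; ++bad; continue; }
        if (*good == '\0') { ++bad;  score += SCORE_DEL; continue; }
        if (*bad  == '\0') { ++good; score += SCORE_DEL; continue; }
        if (good[1] != '\0' && good[0] == bad[1] && good[1] == bad[0]) {
            good += 2; bad += 2; score += SCORE_SWAP; continue;
        }
        ++good; ++bad; score += SCORE_SUBST;
    }
    return score;
}

/* Reuse one stack buffer for two words, as a suggestion loop would.  After
 * "kit" (-> "KT") the buffer still holds 'T' at [1]; folding "u" writes only
 * the terminator at [0].  The unchecked scorer then sees "\0T" vs "T\0" as a
 * swap.  Buffers are zeroed first so the read is defined here; in the real
 * report the stale bytes were uninitialised stack. */
int demo_stale_buffer(int (*score)(const char *, const char *))
{
    char good[MAXWLEN], bad[MAXWLEN];
    memset(good, 0, sizeof good);
    memset(bad, 0, sizeof bad);
    toy_soundfold("kit", good, sizeof good);   /* "KT" */
    toy_soundfold("u",   good, sizeof good);   /* "" ... but good[1] == 'T' */
    toy_soundfold("t",   bad,  sizeof bad);    /* "T" */
    return score(good, bad);
}

int main(void)
{
    printf("unchecked: %d (swap is %d)\n", demo_stale_buffer(score_unchecked), SCORE_SWAP);
    printf("checked:   %d (del  is %d)\n", demo_stale_buffer(score_checked), SCORE_DEL);
    return 0;
}
```

The point of the stale-buffer demo is that the out-of-bounds byte does not just trip Valgrind: it changes the score, and therefore the ranking of suggestions, depending on what the previous word left behind. The guard in score_checked() is the minimal fix; the scoring rule itself is a toy and not an edit distance.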
      • Bram Moolenaar
        Message 3 of 5, Aug 1, 2010
          Dominique Pelle wrote:

          > I still see other Valgrind errors with spell suggestion with
          > Vim-7.2.446 and Vim-7.3c (2448:943280505f72) when doing:
          >
          > $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
          > vim -u NONE -c 'set spell|call feedkeys("i,,\<C-X>s")'
          >
          > ==4200== Conditional jump or move depends on uninitialised value(s)
          > ==4200== at 0x8123C84: utf_head_off (mbyte.c:3290)
          > ==4200== by 0x8198E00: suggest_trie_walk (spell.c:11666)
          > ==4200== by 0x8197E64: suggest_try_change (spell.c:11229)
          > ==4200== by 0x8197100: spell_suggest_intern (spell.c:10777)
          > ==4200== by 0x8196D1E: spell_find_suggest (spell.c:10641)
          > ==4200== by 0x81966A3: spell_suggest_list (spell.c:10494)
          > ==4200== by 0x81A248D: expand_spelling (spell.c:16021)
          > ==4200== by 0x806AD4E: ins_compl_get_exp (edit.c:4163)
          > ==4200== by 0x806B793: ins_compl_next (edit.c:4506)
          > ==4200== by 0x806C9DB: ins_complete (edit.c:5139)
          > ==4200== by 0x80669B4: edit (edit.c:1366)
          > ==4200== by 0x8134208: invoke_edit (normal.c:9024)
          > ==4200== by 0x81341AE: nv_edit (normal.c:8997)
          > ==4200== by 0x8127B87: normal_cmd (normal.c:1190)
          > ==4200== by 0x80E8E97: main_loop (main.c:1260)
          > ==4200== by 0x80E88CC: main (main.c:965)
          > ==4200== Uninitialised value was created by a stack allocation
          > ==4200== at 0x8197D56: suggest_try_change (spell.c:11204)
          >
          > Attached new patch fixes it, but I don't think it's ideal
          > since giving a spell suggestion when only typing punctuation
          > does not make much sense.

          Thanks. I'll include it as is.

          While trying to reproduce this I encountered a crash: Soundfolding
          breaks on a 0x300 character.

          Perhaps there are a few more bugs in this area...

          --
          Team-building exercises come in many forms but they all trace their roots back
          to the prison system. In your typical team-building exercise the employees
          are subjected to a variety of unpleasant situations until they become either a
          cohesive team or a ring of car jackers.
          (Scott Adams - The Dilbert principle)

          /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
          /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
          \\\ download, build and distribute -- http://www.A-A-P.org ///
          \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

        • Tony Mechelynck
          Message 4 of 5, Aug 1, 2010
            On 01/08/10 16:06, Bram Moolenaar wrote:
            >
            > Dominique Pelle wrote:
            >
            >> I still see other Valgrind errors with spell suggestion with
            >> Vim-7.2.446 and Vim-7.3c (2448:943280505f72) when doing:
            >>
            >> $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
            >> vim -u NONE -c 'set spell|call feedkeys("i,,\<C-X>s")'
            >>
            >> ==4200== Conditional jump or move depends on uninitialised value(s)
            >> ==4200== at 0x8123C84: utf_head_off (mbyte.c:3290)
            >> ==4200== by 0x8198E00: suggest_trie_walk (spell.c:11666)
            >> ==4200== by 0x8197E64: suggest_try_change (spell.c:11229)
            >> ==4200== by 0x8197100: spell_suggest_intern (spell.c:10777)
            >> ==4200== by 0x8196D1E: spell_find_suggest (spell.c:10641)
            >> ==4200== by 0x81966A3: spell_suggest_list (spell.c:10494)
            >> ==4200== by 0x81A248D: expand_spelling (spell.c:16021)
            >> ==4200== by 0x806AD4E: ins_compl_get_exp (edit.c:4163)
            >> ==4200== by 0x806B793: ins_compl_next (edit.c:4506)
            >> ==4200== by 0x806C9DB: ins_complete (edit.c:5139)
            >> ==4200== by 0x80669B4: edit (edit.c:1366)
            >> ==4200== by 0x8134208: invoke_edit (normal.c:9024)
            >> ==4200== by 0x81341AE: nv_edit (normal.c:8997)
            >> ==4200== by 0x8127B87: normal_cmd (normal.c:1190)
            >> ==4200== by 0x80E8E97: main_loop (main.c:1260)
            >> ==4200== by 0x80E88CC: main (main.c:965)
            >> ==4200== Uninitialised value was created by a stack allocation
            >> ==4200== at 0x8197D56: suggest_try_change (spell.c:11204)
            >>
            >> Attached new patch fixes it, but I don't think it's ideal
            >> since giving a spell suggestion when only typing punctuation
            >> does not make much sense.
            >
            > Thanks. I'll include it as is.
            >
            > While trying to reproduce this I encountered a crash: Soundfolding
            > breaks on a 0x300 character.
            >
            > Perhaps there are a few more bugs in this area...
            >

            U+0300 is a combining grave accent, its UTF-8 representation in hex is
            CC 80. Maybe Vim chokes on the 0x80 trailing byte? Any byte except the
            first in the UTF-8 representation of a Unicode codepoint may have that
            value without being in any way "special".

            As a reminder, UTF-8 strictly segregates the values bytes may have, as
            follows:

            00-7F single bytes
            80-BF trailing bytes (any but the first) in a multibyte sequence
            C0-DF first byte in a 2-byte sequence
            E0-EF first byte in a 3-byte sequence
            F0-F7 first byte in a 4-byte sequence
            F8-FB first byte in a 5-byte sequence
            FC-FD first byte in a 6-byte sequence
            FE-FF invalid

            In addition, the Unicode Consortium has decided that no codepoint will
            ever be accepted above U+10FFFD, not even for private use, and that
            "overlong sequences" are not to be tolerated; this makes byte values F5
            and above "invalid for interchange".


            Best regards,
            Tony.
            --
            Economics, n.:
            Economics is the study of the value and meaning of J. K.
            Galbraith ...
            -- Mike Harding, "The Armchair Anarchist's Almanac"

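The byte classes from Tony's table, turned into code as an added example that is not Vim's mbyte.c: a classifier, a strict decoder that applies the overlong and upper-bound rules the message mentions, and a utf_head_off()-style walk back from a trailing byte to its lead byte. The walk is the kind of routine named in the second Valgrind report, and the caveat it shows is the one a practitioner wants: it must never step before the start of the buffer it was handed, and it must report a stray trailing byte (no lead covering it) rather than keep walking. The sample byte strings are constructed for the example; "e" + CC 80 is the U+0300 case from the thread. Rejecting surrogates comes from the Unicode specification, not from the message.

```c
/* Added example, not Vim's mbyte.c.  Byte classes from the table in the
 * message above, a strict decoder that applies the overlong and upper-bound
 * rules it mentions, and a utf_head_off()-style walk back to the lead byte
 * that stays inside the caller's buffer.  Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum utf8_class { U8_SINGLE, U8_TRAIL, U8_LEAD2, U8_LEAD3, U8_LEAD4,
                  U8_LEAD5, U8_LEAD6, U8_INVALID };

enum utf8_class utf8_classify(unsigned char b)
{
    if (b <= 0x7F) return U8_SINGLE;    /* 00-7F */
    if (b <= 0xBF) return U8_TRAIL;     /* 80-BF; 0x80 is an ordinary trail byte */
    if (b <= 0xDF) return U8_LEAD2;     /* C0-DF */
    if (b <= 0xEF) return U8_LEAD3;     /* E0-EF */
    if (b <= 0xF7) return U8_LEAD4;     /* F0-F7 */
    if (b <= 0xFB) return U8_LEAD5;     /* F8-FB (legacy form) */
    if (b <= 0xFD) return U8_LEAD6;     /* FC-FD (legacy form) */
    return U8_INVALID;                  /* FE-FF */
}

/* Length a lead byte announces; 0 for a trail byte or FE/FF. */
int utf8_seq_len(unsigned char lead)
{
    switch (utf8_classify(lead)) {
    case U8_SINGLE: return 1;
    case U8_LEAD2:  return 2;
    case U8_LEAD3:  return 3;
    case U8_LEAD4:  return 4;
    case U8_LEAD5:  return 5;
    case U8_LEAD6:  return 6;
    default:        return 0;
    }
}

/* Strict decode of one sequence from s[0..n): returns its length, or -1.
 * Rejects C0/C1 and F5-FF leads, overlong encodings, code points above
 * U+10FFFF and (per the Unicode spec, not the message) surrogates. */
int utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    int len; uint32_t min;
    if (n == 0) return -1;
    unsigned char b = s[0];
    if (b <= 0x7F) { *cp = b; return 1; }
    if (b >= 0xC2 && b <= 0xDF)      { len = 2; *cp = b & 0x1F; min = 0x80; }
    else if (b >= 0xE0 && b <= 0xEF) { len = 3; *cp = b & 0x0F; min = 0x800; }
    else if (b >= 0xF0 && b <= 0xF4) { len = 4; *cp = b & 0x07; min = 0x10000; }
    else return -1;
    if ((size_t)len > n) return -1;
    for (int i = 1; i < len; ++i) {
        if (utf8_classify(s[i]) != U8_TRAIL) return -1;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min) return -1;                                   /* overlong */
    if (*cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF)) return -1;
    return len;
}

/* Convenience wrapper: the code point, or -1 when the bytes are rejected. */
long decode_cp(const unsigned char *s, size_t n)
{
    uint32_t cp;
    return utf8_decode(s, n, &cp) < 0 ? -1 : (long)cp;
}

/* How far p sits past the lead byte of its sequence (0 if p is a lead byte,
 * a single byte, or a stray trail byte with no lead covering it).  Never
 * looks before base: that bound is what keeps the walk inside the buffer
 * it was handed, however short or partly written that buffer is. */
size_t utf8_head_off(const unsigned char *base, const unsigned char *p)
{
    const unsigned char *q = p;
    while (utf8_classify(*q) == U8_TRAIL && q > base && p - q < 5)
        --q;
    int len = utf8_seq_len(*q);
    if (len == 0 || p - q >= len)
        return 0;
    return (size_t)(p - q);
}

/* Constructed samples: "e" + U+0300 (CC 80) + "x"; an overlong NUL (C0 80);
 * U+110000 (F4 90 80 80); two stray trail bytes with no lead. */
static const unsigned char SAMPLE[]   = { 'e', 0xCC, 0x80, 'x', 0 };
static const unsigned char OVERLONG[] = { 0xC0, 0x80 };
static const unsigned char TOO_BIG[]  = { 0xF4, 0x90, 0x80, 0x80 };
static const unsigned char STRAY[]    = { 0x80, 0x80 };

int main(void)
{
    printf("U+%04lX, head_off at the 0x80 trail byte = %zu\n",
           decode_cp(SAMPLE + 1, 3), utf8_head_off(SAMPLE, SAMPLE + 2));
    printf("overlong: %ld  too big: %ld  stray trail head_off: %zu\n",
           decode_cp(OVERLONG, 2), decode_cp(TOO_BIG, 4),
           utf8_head_off(STRAY, STRAY + 1));
    return 0;
}
```

Two design points: the decoder only accepts the lead bytes that can start a valid sequence (C2-DF, E0-EF, F0-F4), so C0/C1 and F5 and above are rejected before any trail byte is read, matching the "invalid for interchange" note in the message; and utf8_head_off() returns 0 for a run of trail bytes with no lead in range instead of trusting memory before base, which is the check a caller passing a partly initialised buffer would otherwise rely on by accident.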