
NFA-regexp problem in Vim 7.3.1255

  • Ingo Karkat
    Message 1 of 4 , Jun 28, 2013
      Hello Vim developers,

      I recently started using latest Vim builds with the new NFA-engine
      enabled, and I immediately noticed discrepancies when using my personal
      fork of the popular snipMate plugin
      (https://github.com/inkarkat/snipMate.vim). I've reduced the problem to
      the following scriptlet (also attached as snipMate-re-bug.vim):

      #v+
      fun! Unescape(text, what)
      return substitute(a:text, '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\\\ze' . a:what, '', 'g')
      endf

      echo substitute('${2}Maintainer: Foo Bar <${1:foo@...}>${3}', '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!${\d\+:\(.\{-}\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\)}' , '\=submatch(0) . Unescape(submatch(1), "}")', 'g')
      #v-

      Steps to reproduce:
      $ vim -N -u NONE snipMate-re-bug.vim
      :so %
      This yields the wrong (unmodified):
      ,----
      | ${2}Maintainer: Foo Bar <${1:foo@...}>${3}
      `----
      When I switch to the old regexp engine
      :set re=1
      I get the expected, correct result:
      ,----
      | ${2}Maintainer: Foo Bar <${1:foo@...}foo@...>${3}
      `----

      Additionally, when I do
      :syntax on
      :so %
      I receive an out of memory error (most of the time):
      ,----
      | Error detected while processing /tmp/snipMate-re-bug.vim:
      | line 5:
      | E342: Out of memory! (allocating 4270043459 bytes)
      | ${2}Maintainer: Foo Bar <${1:foo@...}>${3}
      `----

      This out of memory also happens when I use the full plugin normally.
      Very rarely, Vim crashes after the out of memory.

      This is with a huge build of Vim 7.3.1255, running in an Ubuntu 13.04
      x64 VM. See attached version.log for more info. Let me know if you need
      more details.

      -- regards, ingo
      --
      -- Ingo Karkat -- /^-- /^-- /^-- /^-- /^-- /^-- http://ingo-karkat.de/ --
      -- http://vim.sourceforge.net/account/profile.php?user_id=9713 --

      --
      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php

      ---
      You received this message because you are subscribed to the Google Groups "vim_dev" group.
      To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
      For more options, visit https://groups.google.com/groups/opt_out.
    • Dominique Pellé
      Message 2 of 4 , Jun 28, 2013
        Ingo Karkat <swdev@...> wrote:

        > Additionally, when I do
        > :syntax on
        > :so %
        > I receive an out of memory error (most of the time):
        > ,----
        > | Error detected while processing /tmp/snipMate-re-bug.vim:
        > | line 5:
        > | E342: Out of memory! (allocating 4270043459 bytes)
        > | ${2}Maintainer: Foo Bar <${1:foo@...}>${3}
        > `----
        >
        > This out of memory also happens when I use the full plugin normally.
        > Very rarely, Vim crashes after the out of memory.
        >
        > This is with a huge build of Vim 7.3.1255, running in an Ubuntu 13.04
        > x64 VM. See attached version.log for more info. Let me know if you need
        > more details.


        Since 4270043459 is close to 2^32 = 4294967296,
        it looks like vim is trying to allocate a negative number,
        which is obviously a bug. Probably something is uninitialized.

        I could not reproduce the crash you describe.
        However, when running vim-7.3.1255 with:

        $ valgrind --log-file=vg.log \
        --num-callers=50 \
        --track-origins=yes \
        vim -N -u NONE snipMate-re-bug.vim

        I get the following error as soon as I do: :so %

        ==32418== Conditional jump or move depends on uninitialised value(s)
        ==32418== at 0x545631: reg_submatch (regexp.c:7892)
        ==32418== by 0x44DFAB: f_submatch (eval.c:17696)
        ==32418== by 0x43F7EE: call_func (eval.c:8530)
        ==32418== by 0x43F248: get_func_tv (eval.c:8343)
        ==32418== by 0x43AA9A: eval7 (eval.c:5153)
        ==32418== by 0x43A341: eval6 (eval.c:4805)
        ==32418== by 0x439EB0: eval5 (eval.c:4621)
        ==32418== by 0x4392AF: eval4 (eval.c:4314)
        ==32418== by 0x4390FC: eval3 (eval.c:4226)
        ==32418== by 0x438F7B: eval2 (eval.c:4155)
        ==32418== by 0x438DBA: eval1 (eval.c:4080)
        ==32418== by 0x43F1AC: get_func_tv (eval.c:8328)
        ==32418== by 0x43AA9A: eval7 (eval.c:5153)
        ==32418== by 0x43A341: eval6 (eval.c:4805)
        ==32418== by 0x439F8C: eval5 (eval.c:4657)
        ==32418== by 0x4392AF: eval4 (eval.c:4314)
        ==32418== by 0x4390FC: eval3 (eval.c:4226)
        ==32418== by 0x438F7B: eval2 (eval.c:4155)
        ==32418== by 0x438DBA: eval1 (eval.c:4080)
        ==32418== by 0x438D19: eval0 (eval.c:4037)
        ==32418== by 0x433D69: eval_to_string (eval.c:1348)
        ==32418== by 0x5448F5: vim_regsub_both (regexp.c:7482)
        ==32418== by 0x5446A6: vim_regsub (regexp.c:7383)
        ==32418== by 0x45A424: do_string_sub (eval.c:24286)
        ==32418== by 0x44E0AB: f_substitute (eval.c:17720)
        ==32418== by 0x43F7EE: call_func (eval.c:8530)
        ==32418== by 0x43F248: get_func_tv (eval.c:8343)
        ==32418== by 0x43AA9A: eval7 (eval.c:5153)
        ==32418== by 0x43A341: eval6 (eval.c:4805)
        ==32418== by 0x439EB0: eval5 (eval.c:4621)
        ==32418== by 0x4392AF: eval4 (eval.c:4314)
        ==32418== by 0x4390FC: eval3 (eval.c:4226)
        ==32418== by 0x438F7B: eval2 (eval.c:4155)
        ==32418== by 0x438DBA: eval1 (eval.c:4080)
        ==32418== by 0x45324C: ex_echo (eval.c:20858)
        ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
        ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
        ==32418== by 0x46D428: do_source (ex_cmds2.c:3300)
        ==32418== by 0x46CB56: cmd_source (ex_cmds2.c:2909)
        ==32418== by 0x46CAA3: ex_source (ex_cmds2.c:2882)
        ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
        ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
        ==32418== by 0x501DC2: nv_colon (normal.c:5457)
        ==32418== by 0x4FA8BC: normal_cmd (normal.c:1200)
        ==32418== by 0x5ED64E: main_loop (main.c:1329)
        ==32418== by 0x5ECF97: main (main.c:1020)
        ==32418== Uninitialised value was created by a heap allocation
        ==32418== at 0x4C2C78F: malloc (vg_replace_malloc.c:270)
        ==32418== by 0x4E795F: lalloc (misc2.c:929)
        ==32418== by 0x54F2B7: nfa_regmatch (regexp_nfa.c:4957)
        ==32418== by 0x5519F4: nfa_regtry (regexp_nfa.c:6214)
        ==32418== by 0x552065: nfa_regexec_both (regexp_nfa.c:6398)
        ==32418== by 0x552424: nfa_regexec_nl (regexp_nfa.c:6595)
        ==32418== by 0x55268A: vim_regexec_nl (regexp.c:8067)
        ==32418== by 0x45A5B4: do_string_sub (eval.c:24277)
        ==32418== by 0x44E0AB: f_substitute (eval.c:17720)
        ==32418== by 0x43F7EE: call_func (eval.c:8530)
        ==32418== by 0x43F248: get_func_tv (eval.c:8343)
        ==32418== by 0x43AA9A: eval7 (eval.c:5153)
        ==32418== by 0x43A341: eval6 (eval.c:4805)
        ==32418== by 0x439EB0: eval5 (eval.c:4621)
        ==32418== by 0x4392AF: eval4 (eval.c:4314)
        ==32418== by 0x4390FC: eval3 (eval.c:4226)
        ==32418== by 0x438F7B: eval2 (eval.c:4155)
        ==32418== by 0x438DBA: eval1 (eval.c:4080)
        ==32418== by 0x45324C: ex_echo (eval.c:20858)
        ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
        ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
        ==32418== by 0x46D428: do_source (ex_cmds2.c:3300)
        ==32418== by 0x46CB56: cmd_source (ex_cmds2.c:2909)
        ==32418== by 0x46CAA3: ex_source (ex_cmds2.c:2882)
        ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
        ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
        ==32418== by 0x501DC2: nv_colon (normal.c:5457)
        ==32418== by 0x4FA8BC: normal_cmd (normal.c:1200)
        ==32418== by 0x5ED64E: main_loop (main.c:1329)
        ==32418== by 0x5ECF97: main (main.c:1020)

        Code in regexp.c is:

        7889     else
        7890     {
        7891         s = submatch_match->startp[no];
      !!7892         if (s == NULL || submatch_match->endp[no] == NULL)
        7893             retval = NULL;
        7894         else
        7895             retval = vim_strnsave(s,
                                 (int)(submatch_match->endp[no] - s));
        7896     }

        Putting printf, I can see that 's' and 'no' are initialized,
        but submatch_match->endp[no] is not initialized.

        Dominique
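
The failure mode identified in the message above (a submatch end pointer that is never written, then used in a length computation) as an added C example; it is not Vim's source and not the content of any Vim patch. `submatch_T`, `NSUBEXP`, `record_match` and the subject string are constructed for illustration, and the stale pointers are set deliberately so the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSUBEXP 10                      /* assumed number of submatch slots */

/* Hypothetical stand-in for the table behind submatch_match. */
typedef struct {
    const char *startp[NSUBEXP];
    const char *endp[NSUBEXP];
} submatch_T;

/* Constructed subject text for the demonstration. */
static const char SUBJECT[] = "Foo Bar <${1:placeholder}>";

/* A negative int length as it appears once treated as a 32-bit size. */
uint32_t as_alloc_size(int len)
{
    return (uint32_t)len;
}

/* Same test as the quoted regexp.c lines: only NULL is rejected. */
int submatch_len_unchecked(const submatch_T *m, int no)
{
    const char *s = m->startp[no];

    if (s == NULL || m->endp[no] == NULL)
        return -1;                      /* no such submatch */
    return (int)(m->endp[no] - s);      /* negative when endp is stale */
}

/* Defensive variant: the span must lie inside the subject, start <= end. */
int submatch_len_checked(const submatch_T *m, int no,
                         const char *subject, size_t subject_len)
{
    uintptr_t lo = (uintptr_t)subject, hi = lo + subject_len, s, e;

    if (no < 0 || no >= NSUBEXP)
        return -1;
    if (m->startp[no] == NULL || m->endp[no] == NULL)
        return -1;
    s = (uintptr_t)m->startp[no];
    e = (uintptr_t)m->endp[no];
    if (s < lo || e > hi || e < s)
        return -1;
    return (int)(e - s);
}

/* Model a matcher that records group 0 fully but only the start of
 * group 1.  With zero_first == 0 the table keeps constructed stale
 * pointers, standing in for uninitialised malloc() memory. */
submatch_T *record_match(const char *subject, int zero_first)
{
    submatch_T *m = malloc(sizeof *m);
    int i;

    if (m == NULL)
        return NULL;
    for (i = 0; i < NSUBEXP; i++) {
        m->startp[i] = zero_first ? NULL : subject + 2;
        m->endp[i]   = zero_first ? NULL : subject + 2;
    }
    m->startp[0] = subject;
    m->endp[0]   = subject + strlen(subject);
    m->startp[1] = subject + 10;        /* endp[1] is never written */
    return m;
}

int main(void)
{
    submatch_T *stale = record_match(SUBJECT, 0);
    submatch_T *clean = record_match(SUBJECT, 1);
    int len;

    if (stale == NULL || clean == NULL)
        return 1;
    len = submatch_len_unchecked(stale, 1);
    printf("stale table: len=%d, as size=%lu\n",
           len, (unsigned long)as_alloc_size(len));
    printf("stale table, checked: %d\n",
           submatch_len_checked(stale, 1, SUBJECT, strlen(SUBJECT)));
    printf("clean table: %d\n", submatch_len_unchecked(clean, 1));
    free(stale);
    free(clean);
    return 0;
}
```

With the table cleared before use, the NULL test from the quoted lines is enough to reject the half-recorded group; with stale content it passes and the negative length becomes a size just under 2^32, the same shape as the 4270043459-byte request in the E342 message.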

      • Bram Moolenaar
        Message 3 of 4 , Jun 28, 2013
          Dominique Pelle wrote:

          > Putting printf, I can see that 's' and 'no' are initialized,
          > but submatch_match->endp[no] is not initialized.

          I think I found a solution. I'll send out a patch. Please check that
          this fixes your problem.

          --
          A real patriot is the fellow who gets a parking ticket and rejoices
          that the system works.


          /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
          /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
          \\\ an exciting new programming language -- http://www.Zimbu.org ///
          \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

        • Ingo Karkat
          Message 4 of 4 , Jul 1, 2013
            On 28-Jun-2013 23:05 +0200, Bram Moolenaar wrote:

            > I think I found a solution. I'll send out a patch. Please check that
            > this fixes your problem.

            Yes, patch 7.3.1258 does fix the problem. Thank you!

            -- regards, ingo
