Re: NFA-regexp problem in Vim 7.3.1255

  • Ingo Karkat
    Message 1 of 4 , Jul 1 2:05 AM
      On 28-Jun-2013 23:05 +0200, Bram Moolenaar wrote:

      > Dominique Pelle wrote:
      >
      >> Ingo Karkat <swdev@...> wrote:
      >>
      >>> Hello Vim developers,
      >>>
      >>> I recently started using latest Vim builds with the new NFA-engine
      >>> enabled, and I immediately noticed discrepancies when using my personal
      >>> fork of the popular snipMate plugin
      >>> (https://github.com/inkarkat/snipMate.vim). I've reduced the problem to
      >>> the following scriptlet (also attached as snipMate-re-bug.vim):
      >>>
      >>> #v+
      >>> fun! Unescape(text, what)
      >>> return substitute(a:text, '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\\\ze' . a:what, '', 'g')
      >>> endf
      >>>
      >>> echo substitute('${2}Maintainer: Foo Bar <${1:foo@...}>${3}', '\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!${\d\+:\(.\{-}\%(\%(^\|[^\\]\)\%(\\\\\)*\\\)\@<!\)}' , '\=submatch(0) . Unescape(submatch(1), "}")', 'g')
      >>> #v-
      >>>
      >>> Steps to reproduce:
      >>> $ vim -N -u NONE snipMate-re-bug.vim
      >>> :so %
      >>> This yields the wrong (unmodified):
      >>> ,----
      >>> | ${2}Maintainer: Foo Bar <${1:foo@...}>${3}
      >>> `----
      >>> When I switch to the old regexp engine
      >>> :set re=1
      >>> I get the expected, correct result:
      >>> ,----
      >>> | ${2}Maintainer: Foo Bar <${1:foo@...}foo@...>${3}
      >>> `----
      >>>
      >>> Additionally, when I do
      >>> :syntax on
      >>> :so %
      >>> I receive an out of memory error (most of the time):
      >>> ,----
      >>> | Error detected while processing /tmp/snipMate-re-bug.vim:
      >>> | line 5:
      >>> | E342: Out of memory! (allocating 4270043459 bytes)
      >>> | ${2}Maintainer: Foo Bar <${1:foo@...}>${3}
      >>> `----
      >>>
      >>> This out of memory also happens when I use the full plugin normally.
      >>> Very rarely, Vim crashes after the out of memory.
      >>>
      >>> This is with a huge build of Vim 7.3.1255, running in an Ubuntu 13.04
      >>> x64 VM. See attached version.log for more info. Let me know if you need
      >>> more details.
      >>
      >>
      >> Since 4270043459 is close to 2^32 = 4294967296,
      >> it looks like vim is trying to allocate a negative number,
      >> which is obviously a bug. Probably something is uninitialized.
      >>
      >> I could not reproduce the crash you describe.
      >> However, when running vim-7.3.1255 with:
      >>
      >> $ valgrind --log-file=vg.log \
      >> --num-callers=50 \
      >> --track-origins=yes \
      >> vim -N -u NONE snipMate-re-bug.vim
      >>
      >> I get the following error as soon as I do: :so %
      >>
      >> ==32418== Conditional jump or move depends on uninitialised value(s)
      >> ==32418== at 0x545631: reg_submatch (regexp.c:7892)
      >> ==32418== by 0x44DFAB: f_submatch (eval.c:17696)
      >> ==32418== by 0x43F7EE: call_func (eval.c:8530)
      >> ==32418== by 0x43F248: get_func_tv (eval.c:8343)
      >> ==32418== by 0x43AA9A: eval7 (eval.c:5153)
      >> ==32418== by 0x43A341: eval6 (eval.c:4805)
      >> ==32418== by 0x439EB0: eval5 (eval.c:4621)
      >> ==32418== by 0x4392AF: eval4 (eval.c:4314)
      >> ==32418== by 0x4390FC: eval3 (eval.c:4226)
      >> ==32418== by 0x438F7B: eval2 (eval.c:4155)
      >> ==32418== by 0x438DBA: eval1 (eval.c:4080)
      >> ==32418== by 0x43F1AC: get_func_tv (eval.c:8328)
      >> ==32418== by 0x43AA9A: eval7 (eval.c:5153)
      >> ==32418== by 0x43A341: eval6 (eval.c:4805)
      >> ==32418== by 0x439F8C: eval5 (eval.c:4657)
      >> ==32418== by 0x4392AF: eval4 (eval.c:4314)
      >> ==32418== by 0x4390FC: eval3 (eval.c:4226)
      >> ==32418== by 0x438F7B: eval2 (eval.c:4155)
      >> ==32418== by 0x438DBA: eval1 (eval.c:4080)
      >> ==32418== by 0x438D19: eval0 (eval.c:4037)
      >> ==32418== by 0x433D69: eval_to_string (eval.c:1348)
      >> ==32418== by 0x5448F5: vim_regsub_both (regexp.c:7482)
      >> ==32418== by 0x5446A6: vim_regsub (regexp.c:7383)
      >> ==32418== by 0x45A424: do_string_sub (eval.c:24286)
      >> ==32418== by 0x44E0AB: f_substitute (eval.c:17720)
      >> ==32418== by 0x43F7EE: call_func (eval.c:8530)
      >> ==32418== by 0x43F248: get_func_tv (eval.c:8343)
      >> ==32418== by 0x43AA9A: eval7 (eval.c:5153)
      >> ==32418== by 0x43A341: eval6 (eval.c:4805)
      >> ==32418== by 0x439EB0: eval5 (eval.c:4621)
      >> ==32418== by 0x4392AF: eval4 (eval.c:4314)
      >> ==32418== by 0x4390FC: eval3 (eval.c:4226)
      >> ==32418== by 0x438F7B: eval2 (eval.c:4155)
      >> ==32418== by 0x438DBA: eval1 (eval.c:4080)
      >> ==32418== by 0x45324C: ex_echo (eval.c:20858)
      >> ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
      >> ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
      >> ==32418== by 0x46D428: do_source (ex_cmds2.c:3300)
      >> ==32418== by 0x46CB56: cmd_source (ex_cmds2.c:2909)
      >> ==32418== by 0x46CAA3: ex_source (ex_cmds2.c:2882)
      >> ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
      >> ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
      >> ==32418== by 0x501DC2: nv_colon (normal.c:5457)
      >> ==32418== by 0x4FA8BC: normal_cmd (normal.c:1200)
      >> ==32418== by 0x5ED64E: main_loop (main.c:1329)
      >> ==32418== by 0x5ECF97: main (main.c:1020)
      >> ==32418== Uninitialised value was created by a heap allocation
      >> ==32418== at 0x4C2C78F: malloc (vg_replace_malloc.c:270)
      >> ==32418== by 0x4E795F: lalloc (misc2.c:929)
      >> ==32418== by 0x54F2B7: nfa_regmatch (regexp_nfa.c:4957)
      >> ==32418== by 0x5519F4: nfa_regtry (regexp_nfa.c:6214)
      >> ==32418== by 0x552065: nfa_regexec_both (regexp_nfa.c:6398)
      >> ==32418== by 0x552424: nfa_regexec_nl (regexp_nfa.c:6595)
      >> ==32418== by 0x55268A: vim_regexec_nl (regexp.c:8067)
      >> ==32418== by 0x45A5B4: do_string_sub (eval.c:24277)
      >> ==32418== by 0x44E0AB: f_substitute (eval.c:17720)
      >> ==32418== by 0x43F7EE: call_func (eval.c:8530)
      >> ==32418== by 0x43F248: get_func_tv (eval.c:8343)
      >> ==32418== by 0x43AA9A: eval7 (eval.c:5153)
      >> ==32418== by 0x43A341: eval6 (eval.c:4805)
      >> ==32418== by 0x439EB0: eval5 (eval.c:4621)
      >> ==32418== by 0x4392AF: eval4 (eval.c:4314)
      >> ==32418== by 0x4390FC: eval3 (eval.c:4226)
      >> ==32418== by 0x438F7B: eval2 (eval.c:4155)
      >> ==32418== by 0x438DBA: eval1 (eval.c:4080)
      >> ==32418== by 0x45324C: ex_echo (eval.c:20858)
      >> ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
      >> ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
      >> ==32418== by 0x46D428: do_source (ex_cmds2.c:3300)
      >> ==32418== by 0x46CB56: cmd_source (ex_cmds2.c:2909)
      >> ==32418== by 0x46CAA3: ex_source (ex_cmds2.c:2882)
      >> ==32418== by 0x47217C: do_one_cmd (ex_docmd.c:2689)
      >> ==32418== by 0x46F710: do_cmdline (ex_docmd.c:1127)
      >> ==32418== by 0x501DC2: nv_colon (normal.c:5457)
      >> ==32418== by 0x4FA8BC: normal_cmd (normal.c:1200)
      >> ==32418== by 0x5ED64E: main_loop (main.c:1329)
      >> ==32418== by 0x5ECF97: main (main.c:1020)
      >>
      >> Code in regexp.c is:
      >>
      >> 7889 else
      >> 7890 {
      >> 7891 s = submatch_match->startp[no];
      >> !!7892 if (s == NULL || submatch_match->endp[no] == NULL)
      >> 7893 retval = NULL;
      >> 7894 else
      >> 7895 retval = vim_strnsave(s,
      >> (int)(submatch_match->endp[no] - s));
      >> 7896 }
      >>
      >> Putting printf, I can see that 's' and 'no' are initialized,
      >> but submatch_match->endp[no] is not initialized.
      >
      > I think I found a solution. I'll send out a patch. Please check that
      > this fixes your problem.

      Yes, patch 7.3.1258 does fix the problem. Thank you!

      -- regards, ingo
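
Added example, not Vim's code and not the change made in patch 7.3.1258 (which this page does not show): one defensive way to copy a submatch so that an unset or stale `endp[no]` slot, like the one valgrind flags at regexp.c:7892, is rejected instead of being turned into a length. `submatch_t`, `submatch_new`, `submatch_copy`, `len_as_unsigned` and `NSUB` are hypothetical names; `len_as_unsigned` shows that the size in the E342 message equals a 32-bit length of -24923837 read as unsigned, which fits the "negative number" reading given in the thread.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NSUB 10 /* submatch slots; illustrative value */

typedef struct { /* hypothetical, simplified match structure */
    const char *startp[NSUB];
    const char *endp[NSUB];
} submatch_t;

/* Allocate with every slot NULL so an unset slot is detectable. */
submatch_t *submatch_new(void)
{
    submatch_t *m = malloc(sizeof *m);
    for (int i = 0; m != NULL && i < NSUB; i++)
        m->startp[i] = m->endp[i] = NULL;
    return m;
}

/* A negative 32-bit length as an unsigned allocation size would see it. */
uint32_t len_as_unsigned(int32_t len) { return (uint32_t)len; }

/* Copy submatch `no` of `subject`; NULL if the slot is unset or inconsistent. */
char *submatch_copy(const submatch_t *m, int no,
                    const char *subject, size_t subject_len)
{
    if (m == NULL || no < 0 || no >= NSUB)
        return NULL;
    const char *sp = m->startp[no], *ep = m->endp[no];
    if (sp == NULL || ep == NULL)
        return NULL;
    /* Compare as integers: the pointers may not belong to `subject`. */
    uintptr_t s = (uintptr_t)sp, e = (uintptr_t)ep, lo = (uintptr_t)subject;
    if (s < lo || e < s || e - lo > subject_len)
        return NULL; /* reversed, or outside the subject text */
    size_t len = (size_t)(e - s);
    char *copy = malloc(len + 1);
    if (copy != NULL) {
        memcpy(copy, sp, len);
        copy[len] = '\0';
    }
    return copy;
}
```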
