NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bin/57482: vi(1) crashes reproducibly with a one liner with wl=72 and ts=8
There are three other people reproducing the bug.
One needs to have a 80 columns terminal (XTERM or screen; will not work
with the framebuffer).
The critical part seems to be "set nu".
$ unset EXINIT
$ printf "\t\tv_stack[nval].ival = v_stack[nval-1].ival + v_stack[nval-1].len\t\n" >/tmp/vi_crasher.txt
$ vi vi_crasher.txt
In vi, then "set nu" and '$' -> crash.
I will try the patch you proposed later.
Best,
T. Laronde
Le Fri, Jun 23, 2023 at 03:20:01AM +0000, Rin Okuyama a écrit :
> The following reply was made to PR bin/57482; it has been noted by GNATS.
>
> From: Rin Okuyama <rokuyama.rk%gmail.com@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
> Subject: Re: bin/57482: vi(1) crashes reproducibly with a one liner with wl=72
> and ts=8
> Date: Fri, 23 Jun 2023 12:19:13 +0900
>
> --000000000000c046c005fec37770
> Content-Type: text/plain; charset="UTF-8"
> Content-Transfer-Encoding: quoted-printable
>
> Hmm, I cannot reproduce the problem on my machines as well as TNF servers..=
> .
> It would be really nice if you can construct a reproducer for root (login
> as root or
> "su -" from wheel users) with unmodified /root/.??* files.
>
> Anyway, can you try this patch?
> https://www.netbsd.org/~rin/pr57482.workaround.patch
>
> If you don't fall into infinite loop, this code block is a normal path with
> "set nu" for
> some unknown reasons.
>
> As comments in source code say, vs_refresh.c is very complicated and hard
> to debug.
> Many (most?) combinations of options have never been tested.
>
> Thanks,
> rin
>
> 2023=E5=B9=B46=E6=9C=8823=E6=97=A5(=E9=87=91) 4:25 <tlaronde%polynum.com@localhost>:
>
> > >Number: 57482
> > >Category: bin
> > >Synopsis: vi(1) crashes reproducibly with a one liner with wl=3D72
> > and ts=3D8
> > >Confidential: no
> > >Severity: non-critical
> > >Priority: low
> > >Responsible: bin-bug-people
> > >State: open
> > >Class: sw-bug
> > >Submitter-Id: net
> > >Arrival-Date: Thu Jun 22 19:25:00 +0000 2023
> > >Originator: Thierry LARONDE
> > >Release: NetBSD 10.0_BETA
> > >Organization:
> > >Environment:
> > NetBSD cauchy.polynum.local 10.0_BETA NetBSD 10.0_BETA (cauchy) #0: Mon
> > Feb 27 11:28:34 CET 2023 tlaronde@cauchy.polynum.local:/usr/obj/polynum.=
> NODECONF-cauchy.polynum.local_netbsd-9.3-amd64_netbsd-amd64/netbsd/obj/sys/=
> arch/amd64/compile/cauchy
> > amd64
> >
> > >Description:
> > vi(1) crashes reproducibly with a oneliner, when wl=3D72 and ts=3D8 are s=
> et
> > when trying to go to the end of the line with '$' or, setting ts=3D4,
> > then going to the end of line and then resetting ts=3D8.
> >
> > bt provided by Martin Husemann:
> >
> > #2 0x00000000009a54da in vs_paint (sp=3Dsp@entry=3D0x6fb6f40de000,
> > flags=3Dflags@entry=3D3) at
> > /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:726
> > 726 abort(); /* XXX infinite recursion */
> > (gdb) list
> > 721 abort();
> > 722 }
> > 723 #724 if (vip->sc_smap =3D=3D NULL) {
> > 725 if (F_ISSET(sp, SC_SCR_REFORMAT))
> > 726 abort(); /* XXX infinite recursion */
> > 727 F_SET(sp, SC_SCR_REFORMAT);
> > 728 return (vs_paint(sp, flags));
> > 729 }
> > 730 #endif
> > #3 0x00000000009983de in vs_paint (sp=3Dsp@entry=3D0x6fb6f40de000, flags=
> =3D3)
> > at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:728
> > #4 0x00000000009990d5 in vs_refresh (sp=3Dsp@entry=3D0x6fb6f40de000,
> > forcepaint=3Dforcepaint@entry=3D0)
> > at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:99
> > #5 0x00000000009941e6 in vi (spp=3Dspp@entry=3D0x7f7fffe31740)
> > at /work/src/external/bsd/nvi/dist/vi/vi.c:115
> > #6 0x000000000097bdf8 in editor (wp=3Dwp@entry=3D0x6fb6f40f1000,
> > argc=3D<optimized out>, argc@entry=3D2, argv=3D<optimized out>,
> > argv@entry=3D0x7f7fffe319c8)
> > at /work/src/external/bsd/nvi/dist/common/main.c:436
> > #7 0x00000000009a5864 in main (argc=3D2, argv=3D0x7f7fffe319c8)
> > at /work/src/external/bsd/nvi/dist/cl/cl_main.c:134
> >
> > >How-To-Repeat:
> > env EXINIT=3D'set nu showmatch ts=3D8 wl=3D72' vi /tmp/vi_crasher.txt
> >
> > $ vis -w /tmp/vi_crasher.txt:
> >
> >
> > \011\011v_stack[nval].ival\040=3D\040v_stack[nval-1].ival\040+\040v_stack=
> [nval-1].len\011\012
> > >Fix:
> >
> >
>
> --000000000000c046c005fec37770
> Content-Type: text/html; charset="UTF-8"
> Content-Transfer-Encoding: quoted-printable
>
> <div dir=3D"ltr">Hmm, I cannot reproduce the problem on my machines as well=
> as TNF servers...<div>It would be really nice if you can construct a repro=
> ducer for root (login as root or</div><div>"su -" from wheel user=
> s) with unmodified /root/.??* files.</div><div><br></div><div>Anyway, can y=
> ou try this patch?</div><div><a href=3D"https://www.netbsd.org/~rin/pr57482=
> .workaround.patch">https://www.netbsd.org/~rin/pr57482.workaround.patch</a>=
> <br></div><div><br></div><div>If you don't fall into infinite loop, thi=
> s code block is a normal path with "set nu" for</div><div>some un=
> known reasons.</div><div><br></div><div>As comments in source code say, vs_=
> refresh.c is very complicated and hard to debug.</div><div>Many (most?) com=
> binations of options have never been tested.</div><div><br></div><div>Thank=
> s,</div><div>rin</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr"=
> class=3D"gmail_attr">2023=E5=B9=B46=E6=9C=8823=E6=97=A5(=E9=87=91) 4:25 &l=
> t;<a href=3D"mailto:tlaronde%polynum.com@localhost";>tlaronde%polynum.com@localhost</a>>:<br>=
> </div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;b=
> order-left:1px solid rgb(204,204,204);padding-left:1ex">>Number:=C2=A0 =
> =C2=A0 =C2=A0 =C2=A0 =C2=A057482<br>
> >Category:=C2=A0 =C2=A0 =C2=A0 =C2=A0bin<br>
> >Synopsis:=C2=A0 =C2=A0 =C2=A0 =C2=A0vi(1) crashes reproducibly with a o=
> ne liner with wl=3D72 and ts=3D8<br>
> >Confidential:=C2=A0 =C2=A0no<br>
> >Severity:=C2=A0 =C2=A0 =C2=A0 =C2=A0non-critical<br>
> >Priority:=C2=A0 =C2=A0 =C2=A0 =C2=A0low<br>
> >Responsible:=C2=A0 =C2=A0 bin-bug-people<br>
> >State:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 open<br>
> >Class:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 sw-bug<br>
> >Submitter-Id:=C2=A0 =C2=A0net<br>
> >Arrival-Date:=C2=A0 =C2=A0Thu Jun 22 19:25:00 +0000 2023<br>
> >Originator:=C2=A0 =C2=A0 =C2=A0Thierry LARONDE<br>
> >Release:=C2=A0 =C2=A0 =C2=A0 =C2=A0 NetBSD 10.0_BETA<br>
> >Organization:<br>
> >Environment:<br>
> NetBSD cauchy.polynum.local 10.0_BETA NetBSD 10.0_BETA (cauchy) #0: Mon Feb=
> 27 11:28:34 CET 2023=C2=A0 tlaronde@cauchy.polynum.local:/usr/obj/polynum.=
> NODECONF-cauchy.polynum.local_netbsd-9.3-amd64_netbsd-amd64/netbsd/obj/sys/=
> arch/amd64/compile/cauchy amd64<br>
> <br>
> >Description:<br>
> vi(1) crashes reproducibly with a oneliner, when wl=3D72 and ts=3D8 are set=
> <br>
> when trying to go to the end of the line with '$' or, setting ts=3D=
> 4,<br>
> then going to the end of line and then resetting ts=3D8.<br>
> <br>
> bt provided by Martin Husemann:<br>
> <br>
> #2=C2=A0 0x00000000009a54da in vs_paint (sp=3Dsp@entry=3D0x6fb6f40de000,<br=
> >
> =C2=A0 =C2=A0 flags=3Dflags@entry=3D3) at /work/src/external/bsd/nvi/dist/v=
> i/vs_refresh.c:726<br>
> 726=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0abort(); /* XXX infinite recursion */<br>
> (gdb) list=C2=A0 <br>
> 721=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
> =C2=A0abort();<br>
> 722=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0}=C2=A0 =C2=A0 =C2=A0 =
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<br>
> 723=C2=A0 =C2=A0 =C2=A0#724=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
> if (vip->sc_smap =3D=3D NULL) {<br>
> 725=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
> =C2=A0if (F_ISSET(sp, SC_SCR_REFORMAT))<br>
> 726=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0abort(); /* XXX infinite recursion */<br>
> 727=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
> =C2=A0F_SET(sp, SC_SCR_REFORMAT);<br>
> 728=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
> =C2=A0return (vs_paint(sp, flags));<br>
> 729=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0}<br>
> 730=C2=A0 =C2=A0 =C2=A0#endif<br>
> #3=C2=A0 0x00000000009983de in vs_paint (sp=3Dsp@entry=3D0x6fb6f40de000, fl=
> ags=3D3)<br>
> =C2=A0 =C2=A0 at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:728<br>
> #4=C2=A0 0x00000000009990d5 in vs_refresh (sp=3Dsp@entry=3D0x6fb6f40de000,<=
> br>
> =C2=A0 =C2=A0 forcepaint=3Dforcepaint@entry=3D0)<br>
> =C2=A0 =C2=A0 at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:99<br>
> #5=C2=A0 0x00000000009941e6 in vi (spp=3Dspp@entry=3D0x7f7fffe31740)<br>
> =C2=A0 =C2=A0 at /work/src/external/bsd/nvi/dist/vi/vi.c:115<br>
> #6=C2=A0 0x000000000097bdf8 in editor (wp=3Dwp@entry=3D0x6fb6f40f1000,<br>
> =C2=A0 =C2=A0 argc=3D<optimized out>, argc@entry=3D2, argv=3D<opti=
> mized out>,<br>
> =C2=A0 =C2=A0 argv@entry=3D0x7f7fffe319c8)=C2=A0 <br>
> =C2=A0 =C2=A0 at /work/src/external/bsd/nvi/dist/common/main.c:436<br>
> #7=C2=A0 0x00000000009a5864 in main (argc=3D2, argv=3D0x7f7fffe319c8)<br>
> =C2=A0 =C2=A0 at /work/src/external/bsd/nvi/dist/cl/cl_main.c:134<br>
> <br>
> >How-To-Repeat:<br>
> env EXINIT=3D'set nu showmatch ts=3D8 wl=3D72' vi /tmp/vi_crasher.t=
> xt<br>
> <br>
> $ vis -w /tmp/vi_crasher.txt:<br>
> <br>
> \011\011v_stack[nval].ival\040=3D\040v_stack[nval-1].ival\040+\040v_stack[n=
> val-1].len\011\012<br>
> >Fix:<br>
> <br>
> </blockquote></div>
>
> --000000000000c046c005fec37770--
>
--
Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
http://www.kergis.com/
http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
Home |
Main Index |
Thread Index |
Old Index