NetBSD Problem Report #57482
From www@netbsd.org Thu Jun 22 19:22:33 2023
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id A29D71A923E
for <gnats-bugs@gnats.NetBSD.org>; Thu, 22 Jun 2023 19:22:33 +0000 (UTC)
Message-Id: <20230622192231.BAF101A9241@mollari.NetBSD.org>
Date: Thu, 22 Jun 2023 19:22:31 +0000 (UTC)
From: tlaronde@polynum.com
Reply-To: tlaronde@polynum.com
To: gnats-bugs@NetBSD.org
Subject: vi(1) crashes reproducibly with a one liner with wl=72 and ts=8
X-Send-Pr-Version: www-1.0
>Number: 57482
>Category: bin
>Synopsis: vi(1) crashes reproducibly with a one liner with wl=72 and ts=8
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jun 22 19:25:00 +0000 2023
>Last-Modified: Sat Jun 24 13:20:02 +0000 2023
>Originator: Thierry LARONDE
>Release: NetBSD 10.0_BETA
>Organization:
>Environment:
NetBSD cauchy.polynum.local 10.0_BETA NetBSD 10.0_BETA (cauchy) #0: Mon Feb 27 11:28:34 CET 2023 tlaronde@cauchy.polynum.local:/usr/obj/polynum.NODECONF-cauchy.polynum.local_netbsd-9.3-amd64_netbsd-amd64/netbsd/obj/sys/arch/amd64/compile/cauchy amd64
>Description:
vi(1) crashes reproducibly with a oneliner, when wl=72 and ts=8 are set
when trying to go to the end of the line with '$' or, setting ts=4,
then going to the end of line and then resetting ts=8.
bt provided by Martin Husemann:
#2 0x00000000009a54da in vs_paint (sp=sp@entry=0x6fb6f40de000,
flags=flags@entry=3) at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:726
726 abort(); /* XXX infinite recursion */
(gdb) list
721 abort();
722 }
723 #
724 if (vip->sc_smap == NULL) {
725 if (F_ISSET(sp, SC_SCR_REFORMAT))
726 abort(); /* XXX infinite recursion */
727 F_SET(sp, SC_SCR_REFORMAT);
728 return (vs_paint(sp, flags));
729 }
730 #endif
#3 0x00000000009983de in vs_paint (sp=sp@entry=0x6fb6f40de000, flags=3)
at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:728
#4 0x00000000009990d5 in vs_refresh (sp=sp@entry=0x6fb6f40de000,
forcepaint=forcepaint@entry=0)
at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:99
#5 0x00000000009941e6 in vi (spp=spp@entry=0x7f7fffe31740)
at /work/src/external/bsd/nvi/dist/vi/vi.c:115
#6 0x000000000097bdf8 in editor (wp=wp@entry=0x6fb6f40f1000,
argc=<optimized out>, argc@entry=2, argv=<optimized out>,
argv@entry=0x7f7fffe319c8)
at /work/src/external/bsd/nvi/dist/common/main.c:436
#7 0x00000000009a5864 in main (argc=2, argv=0x7f7fffe319c8)
at /work/src/external/bsd/nvi/dist/cl/cl_main.c:134
>How-To-Repeat:
env EXINIT='set nu showmatch ts=8 wl=72' vi /tmp/vi_crasher.txt
$ vis -w /tmp/vi_crasher.txt:
\011\011v_stack[nval].ival\040=\040v_stack[nval-1].ival\040+\040v_stack[nval-1].len\011\012
>Fix:
>Audit-Trail:
From: Rin Okuyama <rokuyama.rk@gmail.com>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/57482: vi(1) crashes reproducibly with a one liner with wl=72
and ts=8
Date: Fri, 23 Jun 2023 12:19:13 +0900
Hmm, I cannot reproduce the problem on my machines as well as TNF servers...
It would be really nice if you can construct a reproducer for root (login as root or
"su -" from wheel users) with unmodified /root/.??* files.
Anyway, can you try this patch?
https://www.netbsd.org/~rin/pr57482.workaround.patch
If you don't fall into infinite loop, this code block is a normal path with "set nu" for
some unknown reasons.
As comments in source code say, vs_refresh.c is very complicated and hard to debug.
Many (most?) combinations of options have never been tested.
Thanks,
rin
From: tlaronde@polynum.com
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/57482: vi(1) crashes reproducibly with a one liner with
wl=72 and ts=8
Date: Fri, 23 Jun 2023 12:41:03 +0200
There are three other people reproducing the bug.
One needs to have an 80-column terminal (XTERM or screen; will not work
with the framebuffer).
The critical part seems to be "set nu".
$ unset EXINIT
$ printf "\t\tv_stack[nval].ival = v_stack[nval-1].ival + v_stack[nval-1].len\t\n" >/tmp/vi_crasher.txt
$ vi vi_crasher.txt
In vi, then "set nu" and '$' -> crash.
I will try the patch you proposed later.
Best,
T. Laronde
--
Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
http://www.kergis.com/
http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C
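The geometry of the reproducer line, as an added example that is not part of the report or of nvi's source: it expands the tabs in the posted line and reports how many columns and screen rows the line takes on the 80-column terminal mentioned above, with and without the number column. The 8-column gutter for "set nu" and all helper names are assumptions; the code only measures the line and does not identify the faulty path in vs_refresh.c.

```c
#include <stddef.h>
#include <stdio.h>

/* Reproducer line from the report, decoded from the vis -w output
 * (\011 = tab, \040 = space); the trailing newline is left out. */
static const char REPRO_LINE[] =
    "\t\tv_stack[nval].ival = v_stack[nval-1].ival + v_stack[nval-1].len\t";

#define TERM_COLS  80  /* terminal width named in the follow-up message */
#define NUM_GUTTER  8  /* ASSUMPTION: columns reserved by "set nu" */

/* Columns occupied once every tab is expanded to the next multiple of ts. */
size_t display_cols(const char *s, size_t ts)
{
    size_t col = 0;

    if (ts == 0)
        return 0;               /* no valid tabstop, nothing to measure */
    for (; *s != '\0'; s++) {
        if (*s == '\t')
            col += ts - (col % ts);
        else
            col++;
    }
    return col;
}

/* Text columns available per screen row, with or without line numbers. */
size_t text_width(int number)
{
    return number ? TERM_COLS - NUM_GUTTER : TERM_COLS;
}

/* Screen rows a line of `cols` columns needs when wrapped at `width`. */
size_t screen_rows(size_t cols, size_t width)
{
    if (width == 0)
        return 0;
    return cols == 0 ? 1 : (cols + width - 1) / width;
}

/* Columns used on the last screen row (equals width if it is exactly full). */
size_t last_row_cols(size_t cols, size_t width)
{
    size_t rem;

    if (width == 0 || cols == 0)
        return 0;
    rem = cols % width;
    return rem == 0 ? width : rem;
}

int main(void)
{
    const size_t tabstops[] = { 8, 4 };

    for (size_t i = 0; i < sizeof(tabstops) / sizeof(tabstops[0]); i++) {
        for (int nu = 0; nu <= 1; nu++) {
            size_t cols = display_cols(REPRO_LINE, tabstops[i]);
            size_t width = text_width(nu);

            printf("ts=%zu nu=%d: %zu cols, width %zu, %zu row(s), "
                   "last row %zu col(s)\n", tabstops[i], nu, cols, width,
                   screen_rows(cols, width), last_row_cols(cols, width));
        }
    }
    return 0;
}
```

With ts=8 the line expands to exactly the terminal width, and with ts=4 to exactly the width left after the assumed number gutter.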
From: tlaronde@polynum.com
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
Rin Okuyama <rokuyama.rk@gmail.com>
Subject: Re: bin/57482: vi(1) crashes reproducibly with a one liner with
wl=72 and ts=8
Date: Sat, 24 Jun 2023 15:18:27 +0200
On Fri, Jun 23, 2023 at 03:20:01AM +0000, Rin Okuyama wrote:
> The following reply was made to PR bin/57482; it has been noted by GNATS.
>
> From: Rin Okuyama <rokuyama.rk@gmail.com>
>
> Anyway, can you try this patch?
> https://www.netbsd.org/~rin/pr57482.workaround.patch
>
Applied. But still core dumps but following another path...
--
Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
http://www.kergis.com/
http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89 250D 52B1 AE95 6006 F40C