NetBSD Problem Report #60177
From mouse@Stone.Rodents-Montreal.ORG Mon Apr 6 00:41:32 2026
Return-Path: <mouse@Stone.Rodents-Montreal.ORG>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.netbsd.org", Issuer "R12" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 95E711A9239
for <gnats-bugs@www46.NetBSD.org>; Mon, 6 Apr 2026 00:41:32 +0000 (UTC)
Message-Id: <202604060041.UAA25864@Stone.Rodents-Montreal.ORG>
Date: Sun, 5 Apr 2026 20:41:24 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
Reply-To: mouse@Rodents-Montreal.ORG
To: gnats-bugs@www46.NetBSD.org
Subject: vi crash when using cedit
X-Send-Pr-Version: 3.95
X-From4GNATS: "Mouse via gnats" <gnats-admin@NetBSD.org>
>Number: 60177
>Category: bin
>Synopsis: vi crash when using cedit
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 06 00:45:00 +0000 2026
>Last-Modified: Thu Apr 09 07:05:00 +0000 2026
>Originator: Mouse
>Release: NetBSD 9.1
>Organization:
Dis-
>Environment:
First seen by an IRC acquaintance on, according to them, 10.1/amd64; I
have not personally verified that. I have verified it present on
9.1/amd64, 5.2/amd64, 5.2/i386, and 5.2/shark. Does not occur (at
least not with this how-to-repeat) on 1.4T/sparc, 1.4T/i386, or
4.0.1/i386. On 1.4T and 4.0.1, vi was modified by renaming vi-internal
O_* symbols to o_* (motivated by collisions with O_DIRECTORY, which I
introduced separately) and removing trailing whitespace from source
code, but was otherwise unmodified. On 5.2, vi was unmodified except
for trailing whitespace removal. 9.1 vi was unmodified except for
removing all CVS directories. I don't *know*, but I feel moderately
sure the 10.1 vi was totally stock.
>Description:
vi crashes upon a specific input sequence (invoking cedit
support). See How-To-Repeat.
Given how longstanding this is, it clearly is not a problem for
very many people, which is why I'm classifying it as low
priority. Please reclassify if/as appropriate.
>How-To-Repeat:
My test case is, as a user with no ~/.exrc, type these
characters (starting at a shell prompt). I'm giving hexdump
output to be completely unambiguous:
00000000 76 69 0a 69 0a 1b 3a 73 65 74 20 63 65 64 69 74 |vi.i..:set cedit|
00000010 3d 16 12 0a 3a 12 |=...:.|
00000016
Representing control characters with ^ notation, this means
typing
vi
i
^[:set cedit=^V^R
:^R
The crash occurs shortly after the last ^R is typed. On slow
machines (eg, the shark), the delay can be human-perceptible;
on fast machines, such as multi-GHz amd64, it appears instant
to me. Under 5.2, vi dies with a SIGSEGV; on 9.1, SIGABRT. My
IRC correspondent reports "Abort trap" on 10.1, so presumably
SIGABRT there too.
My $TERM was mterm. Under 5.2/amd64 (I haven't checked
others), it also occurs with $TERM set to vt100 or window-v2.
My lnext setting was 0x16 (^V); I have not investigated whether
changing that affects the above in any way.
Looking at the core under 5.2, it appeared to be due to
vs_paint() recursing enough to run the process out of stack.
Manual binary search in gdb ("frame N" for various N) let me
discover that the stack was 7670 frames deep, with $sp in the
top frame being 0x7f7fffffd7a0 but in the bottom (crashing)
frame 0x7f7fffdffff0; proc.$$.rlimit.stacksize.soft in the
invoking shell prints 2097152, which is 0x200000, which matches
well enough with the $sp values to make me reasonably confident
the crash symptom is indeed due to stack exhaustion. The
bottom few frames are
#0 0x00007f7ffdc19dfa in _cursesi_addwchar () from /usr/lib/libcurses.so.6
#1 0x00007f7ffdc1a6eb in __waddbytes () from /usr/lib/libcurses.so.6
#2 0x0000000000405fbf in addstr4 ()
#3 0x0000000000440859 in vs_line ()
#4 0x0000000000442a3f in vs_paint ()
#5 0x00000000004435ab in vs_paint ()
#6 0x00000000004435ab in vs_paint ()
and the top few are
#7664 0x00000000004435ab in vs_paint ()
#7665 0x00000000004435ab in vs_paint ()
#7666 0x00000000004435ab in vs_paint ()
#7667 0x000000000044412f in vs_refresh ()
#7668 0x000000000043f713 in vi ()
#7669 0x0000000000427df7 in editor ()
#7670 0x00000000004068fe in main ()
I didn't check all 7657 intermediate frames to be sure they're
all vs_paint, but the bottom two thousand, except for the
bottom four, are, and all the ones I probed in my manual binary
search are, so I'm moderately confident they all are.
>Fix:
Unknown. I haven't looked at the code at all; because I don't
use cedit myself, fixing it is relatively low priority for me.
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/60177: vi crash when using cedit
Date: Mon, 6 Apr 2026 13:22:13 +0200
It is reproducible on -current:
#0 0xf2c87a9c in _lwp_kill () from /usr/lib/libc.so.12
No symbol table info available.
#1 0xf2c87a14 in raise (s=s@entry=6) at /work/src/lib/libc/gen/raise.c:48
No locals.
#2 0xf2c90484 in abort () at /work/src/lib/libc/stdlib/abort.c:74
mask = {__bits = {4294967263, 4294967295, 4294967295, 4294967295}}
#3 0x0aa426f0 in vs_paint (sp=sp@entry=0xf2a1cc00, flags=flags@entry=3)
at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:726
gp = <optimized out>
smp = <optimized out>
tmp = {lno = 1, coff = 0, soff = 1, c_sboff = 4294282744,
c_eboff = 4073955844, c_scoff = 242 'ò', c_eclen = 161 '¡',
c_ecsize = 204 'Ì'}
vip = 0xf2a3a400
lastline = 0
lcnt = <optimized out>
cwtotal = <optimized out>
cnt = <optimized out>
len = 4070689792
notused = 4074455640
off = <optimized out>
y = 4294967295
chlen = <optimized out>
ch = <optimized out>
didpaint = <optimized out>
isempty = -684736
leftright_warp = <optimized out>
p = 0xf2a1ce28 L"\xf2db4258\xf28044c0"
#4 0x0aa428c8 in vs_refresh (sp=sp@entry=0xf2a1cc00,
forcepaint=forcepaint@entry=1)
at /work/src/external/bsd/nvi/dist/vi/vs_refresh.c:99
gp = 0xf2d94000
tsp = <optimized out>
need_refresh = <optimized out>
priv_paint = <optimized out>
pub_paint = <optimized out>
#5 0x0aa3d6b0 in vi (spp=spp@entry=0xfff5903c)
at /work/src/external/bsd/nvi/dist/vi/vi.c:410
gp = 0xf2d94000
wp = 0xf2a48000
abst = {lno = 0, cno = 16777218}
next = 0x0
sp = 0xf2a1cc00
cmd = {key = 58, buffer = 0, character = 0, count = 0, count2 = 0,
ev = {q = {tqe_next = 0x0, tqe_prev = 0x0}, e_event = E_CHARACTER,
e_ipcom = 0, e_c = 58, e_value = K_COLON, e_val1 = 0, e_val2 = 0,
e_val3 = 0, e_val4 = 0, e_str1 = 0x0, e_len1 = 0, e_str2 = 0x0,
e_len2 = 0}, kp = 0xaa7dd20 <vikeys+928>, rkp = 0x0, flags = 32,
m_start = {lno = 2, cno = 0}, m_stop = {lno = 2, cno = 0},
m_final = {lno = 2, cno = 0}}
vp = 0xfff58df8
vip = 0xf2a3a400
comcount = 0
mapped = 0
rval = 0
ret = <optimized out>
ret = <optimized out>
#6 0x0aa21e6c in editor (wp=wp@entry=0xf2a48000, argc=<optimized out>,
argc@entry=1, argv=<optimized out>, argv@entry=0xfff59114)
at /work/src/external/bsd/nvi/dist/common/main.c:436
p = <optimized out>
ev = {q = {tqe_next = 0x0, tqe_prev = 0x0}, e_event = E_NOTUSED,
e_ipcom = 0, e_c = -682423, e_value = 4294283416,
e_val1 = 4294285770, e_val2 = 4070785024, e_val3 = 4294283352,
e_val4 = 4074323968,
e_str1 = 0xaa80e34 <__sigblockset> L"\x8004003",
e_len1 = 4073956064, e_str2 = 0x0, e_len2 = 4294283416}
frp = <optimized out>
sp = 0xf2a1c000
gp = 0xf2d94000
len = 0
flags = <optimized out>
ch = <optimized out>
flagchk = <optimized out>
lflag = <optimized out>
secure = <optimized out>
startup = 1
readonly = <optimized out>
rval = <optimized out>
silent = <optimized out>
gtags = <optimized out>
tag_f = <optimized out>
wsizearg = <optimized out>
path = "ÿÿÿÿÿõ\217lò«Op\000\000\fàø:ä\000òá(\000ÿõ\217Pø8Éä\n\237\023]ÿõ\217\214\n\237\t\020òá(\000\003\220q k\264q\212ÿõ\217Pø8Éä\005\033L<ÿõ\226Iÿõ\217Pÿõ\231Êòª\000\000\000)3\250\000\000/X\000\000\003òø:á\270òá(\000ÿõ\217\220ø8\031À\n\237\000\000\000\t\004È\000\000\001°\000\000\000$ø:á\270òá(\000ÿõ\217°ÿõ\231Êò£@\000ÿõ\220XòÙ@\000\n\250\0164òÓ¢à\000\000\000\000ÿõ\2200ø8!èò£@\000(\000\002$òÈzÐ\000\000\037\220\000\000\000\001ÿõ\220X"...
w = 0xfff59050 L""
wlen = 4294285770
err = <optimized out>
done = <optimized out>
#7 0x0aa51d90 in main (argc=1, argv=0xfff59114)
at /work/src/external/bsd/nvi/dist/cl/cl_main.c:134
reenter = 1
clp = 0xf2a34000
gp = 0xf2d94000
wp = 0xf2a48000
rows = 24
cols = 80
rval = <optimized out>
p_av = <optimized out>
t_av = <optimized out>
ttype = 0xfff599ca "rxvt"
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/60177: vi crash when using cedit
Date: Thu, 9 Apr 2026 07:03:51 +0000 (UTC)
On Mon, 6 Apr 2026, Mouse via gnats wrote:
> Representing control characters with ^ notation, this means
> typing
>
> vi
> i
> ^[:set cedit=^V^R
> :^R
>
> The crash occurs shortly after the last ^R is typed.
>
The crash only seems to happen when:
1. You invoke `cedit' on the 2nd line;
2. and, only if the `cedit' buffer is empty--not otherwise.
Here're 2 patches to address this. The first is mine (which I of course prefer);
the other is from nvi2 (to keep these two nvi code-bases sort-of in sync--the
latest nvi code [https://repo.or.cz/nvi.git] crashes too).
---START patch 1---
diff -urN src/external/bsd/nvi.orig/dist/vi/vs_split.c src/external/bsd/nvi/dist/vi/vs_split.c
--- src/external/bsd/nvi.orig/dist/vi/vs_split.c 2014-01-26 21:43:45.000000000 +0000
+++ src/external/bsd/nvi/dist/vi/vs_split.c 2026-04-09 06:36:10.634190374 +0000
@@ -72,7 +72,7 @@
CALLOC(sp, _HMAP(new), SMAP *, SIZE_HMAP(sp), sizeof(SMAP));
if (_HMAP(new) == NULL)
return (1);
- _HMAP(new)->lno = sp->lno;
+ _HMAP(new)->lno = 0;
_HMAP(new)->coff = 0;
_HMAP(new)->soff = 1;
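Review bot: The new `_HMAP(new)->lno = 0;` line needs a comment saying why 0 is the right starting line for the new screen's map. The old code seeded it from `sp->lno`, and the only rationale for dropping that (the crash when the cedit buffer is empty) lives in the mail text, not in the source. The value is also changed unconditionally, so please state whether a split onto a buffer that does contain lines still ends up with a valid `lno`; if 0 is only correct for the empty case, the assignment should be conditional. Minor: if CALLOC zeroes the allocation as its name suggests, the `lno = 0` and `coff = 0` stores are redundant and serve only as documentation.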
---END patch 1---
---START patch 2---
From nvi2:
https://github.com/lichray/nvi2/commit/3c7a9a74038f593ab4a437cfe8f791092a796b1e
diff -urN src/external/bsd/nvi.orig/dist/vi/vs_refresh.c src/external/bsd/nvi/dist/vi/vs_refresh.c
--- src/external/bsd/nvi.orig/dist/vi/vs_refresh.c 2018-04-10 12:44:41.000000000 +0000
+++ src/external/bsd/nvi/dist/vi/vs_refresh.c 2026-04-09 06:46:38.124130868 +0000
@@ -315,7 +315,8 @@
if (vs_sm_1down(sp))
return (1);
goto adjust;
- }
+ } else
+ goto top; /* XXX No such line. */
/*
* If less than a half screen from the bottom of the file,
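Review bot: The added `else goto top;` hangs an unbraced branch off a braced `if` block, and its `/* XXX No such line. */` comment does not say which line is missing or why restarting from `top` cannot repeat indefinitely. Since the reported failure is runaway repainting, the comment should carry the termination argument. Bracing the `else` to match the block before it would read better, and because both branches now leave through a `goto`, it is worth confirming that the code under the following "less than a half screen from the bottom" comment is still reached through a label.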
---END patch 2---
-RVP
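
A regression check for the How-To-Repeat sequence, added here as an example and not part of the report or of either patch: it rebuilds the keystrokes from the posted hexdump and types them into vi on a pseudo-terminal, returning the signal that killed the editor (None if it survived). The function names, a `vi` on PATH, TERM=vt100, the empty temporary HOME and the timing values are assumptions.

```python
import os, pty, select, signal, tempfile, time

# Copied from the hexdump in the report's How-To-Repeat section.
HEXDUMP = """\
00000000 76 69 0a 69 0a 1b 3a 73 65 74 20 63 65 64 69 74 |vi.i..:set cedit|
00000010 3d 16 12 0a 3a 12 |=...:.|
00000016
"""

def parse_hexdump(text):              # bytes described by `hexdump -C` style lines
    out = bytearray()
    for line in text.splitlines():
        cols = line.split("|", 1)[0].split()[1:]   # drop offset and ASCII column
        out += bytes(int(c, 16) for c in cols)
    return bytes(out)

def caret(data):                      # control bytes as ^X, newline as a line break
    return "".join("\n" if b == 0x0A else
                   "^" + chr(b ^ 0x40) if b < 0x20 or b == 0x7F else chr(b)
                   for b in data)

def replay(keys, argv=("vi",), settle=2.0):
    """Type keys into argv on a fresh pty; return the fatal signal number or None."""
    pid, fd = pty.fork()
    if pid == 0:                               # child: becomes the editor
        try:                                   # empty HOME, so no ~/.exrc is read
            os.environ.update(TERM="vt100", HOME=tempfile.mkdtemp())
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)
    time.sleep(1.0)                            # let vi enter raw mode before typing
    keys, deadline, gone = list(keys), None, False
    while not gone and (deadline is None or time.time() < deadline):
        if select.select([fd], [], [], 0.05)[0]:
            try:
                gone = not os.read(fd, 4096)   # drain output; EOF means vi is gone
            except OSError:
                gone = True                    # Linux reports the closed pty as EIO
        elif keys:
            os.write(fd, bytes([keys.pop(0)])) # one keystroke per quiet interval
        elif deadline is None:
            deadline = time.time() + settle    # all typed: allow time to crash
    if not gone:
        os.kill(pid, signal.SIGKILL)           # survived the sequence: stop it
    status = os.waitpid(pid, 0)[1]
    return os.WTERMSIG(status) if gone and os.WIFSIGNALED(status) else None

KEYS = parse_hexdump(HEXDUMP)[3:]              # skip "vi\n", typed at the shell
if __name__ == "__main__":
    print(caret(KEYS), "->", replay(KEYS))
```

On an affected build the report's symptoms correspond to a return value of `signal.SIGSEGV` or `signal.SIGABRT`; a patched vi should yield None.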