From yar@FreeBSD.org  Wed Aug  2 08:50:55 2006
Return-Path: <yar@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 20AAB16A4E0
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  2 Aug 2006 08:50:55 +0000 (UTC)
	(envelope-from yar@FreeBSD.org)
Received: from sledge.freebsd.org (sledge.freebsd.org [216.136.204.103])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C426243D80
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  2 Aug 2006 08:50:47 +0000 (GMT)
	(envelope-from yar@FreeBSD.org)
Received: from sledge.freebsd.org (localhost [127.0.0.1])
	by sledge.freebsd.org (8.13.7/8.13.7) with ESMTP id k728olrY004762
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 2 Aug 2006 08:50:47 GMT
	(envelope-from yar@sledge.freebsd.org)
Received: (from yar@localhost)
	by sledge.freebsd.org (8.13.7/8.13.6/Submit) id k728olJU004761;
	Wed, 2 Aug 2006 08:50:47 GMT
	(envelope-from yar)
Message-Id: <200608020850.k728olJU004761@sledge.freebsd.org>
Date: Wed, 2 Aug 2006 08:50:47 GMT
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: vi(1) can crash in ncurses(3) on amd64
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         101248
>Category:       amd64
>Synopsis:       vi(1) can crash in ncurses(3) on amd64
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    rafan
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 02 09:00:28 GMT 2006
>Closed-Date:    Wed Jun 06 02:23:37 GMT 2007
>Last-Modified:  Wed Jun  6 02:30:03 GMT 2007
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT amd64
>Organization:
None
>Environment:
System: FreeBSD sledge.freebsd.org 7.0-CURRENT FreeBSD 7.0-CURRENT #741: Tue Aug 1 14:17:00 UTC 2006 root@sledge.freebsd.org:/h/src/sys/amd64/compile/SLEDGE amd64

>Description:
	If a +N command line option is given to vi(1) on amd64,
	where N is greater than the actual number of lines in the
	file to edit, vi(1) will crash on signal 11 reproducibly.
	The stack trace indicates that the crash happened in a
	ncurses(3) function, but it isn't evident yet where the
	bug itself lurks (vi may pass bogus data to ncurses.)

	The problem won't reproduce on ia64 or i386.

>How-To-Repeat:
	In the following typescript, vi(1) was built with debugging symbols.

-bash-2.05b$ yes | head -100 > 100.txt
-bash-2.05b$ ./nvi +101 100.txt
Segmentation fault: 11 (core dumped)
-bash-2.05b$ gdb nvi nvi.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `nvi'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libncurses.so.6...done.
Loaded symbols for /lib/libncurses.so.6
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x00000008006bc1f8 in tputs () from /lib/libncurses.so.6
(gdb) where
#0  0x00000008006bc1f8 in tputs () from /lib/libncurses.so.6
#1  0x0000000000405223 in cl_screen (sp=0x800e72000, flags=1)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/cl/cl_screen.c:114
#2  0x0000000000429f20 in ex_init (sp=0x800e72000) at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/ex/ex_util.c:164
#3  0x000000000043bf77 in vs_msg (sp=0x800e72000, mtype=M_ERR,
    line=0x800e12400 "-c option, 1: Illegal address: only 100 lines in the file\n", len=58)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/vi/vs_msg.c:287
#4  0x000000000040d7ec in msgq (sp=0x800e72000, mt=M_ERR, fmt=0x44432c "Illegal address: only %lu lines in the file")
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/common/msg.c:345
#5  0x000000000041492d in ex_badaddr (sp=0x800e72000, cp=0x1, ba=4294967295, nret=6)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/ex/ex.c:2324
#6  0x0000000000417f28 in ex_cmd (sp=0x800e72000) at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/ex/ex.c:1065
#7  0x000000000040c4a5 in editor (gp=0x800e01000, argc=3, argv=0x7fffffffebf0)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/common/main.c:398
#8  0x0000000000404663 in main (argc=3, argv=0x7fffffffebe0)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/cl/cl_main.c:148
(gdb) q

>Fix:
>Release-Note:
>Audit-Trail:

From: Roland Smith <rsmith@xs4all.nl>
To: Yar Tikhiy <yar@comp.chem.msu.su>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: amd64/101248: vi(1) can crash in ncurses(3) on amd64
Date: Wed, 2 Aug 2006 11:27:05 +0200

 I could not reproduce this crash on 6-STABLE amd64 (FreeBSD slackbox.xs4all.nl 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue May  9 22:46:51 CEST 2006     rsmith@slackbox.xs4all.nl:/usr/obj/usr/src/sys/RFS  amd64):
 
 slackbox:~$ yes | head -100 > 100.txt
 slackbox:~$ nvi +101 100.txt 
 
 -c option, 1: Illegal address: only 100 lines in the file
 Press Enter to continue: 
 
 Note that this is the standard nvi, not a debugging version.
 
 Roland
 -- 
 R.F.Smith                                   http://www.xs4all.nl/~rsmith/
 [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
 pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Roland Smith <rsmith@xs4all.nl>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: amd64/101248: vi(1) can crash in ncurses(3) on amd64
Date: Wed, 2 Aug 2006 13:37:42 +0400

 On Wed, Aug 02, 2006 at 11:27:05AM +0200, Roland Smith wrote:
 > On Wed, Aug 02, 2006 at 08:50:47AM +0000, Yar Tikhiy wrote:
 > 
 > I could not reproduce this crash on 6-STABLE amd64 (FreeBSD slackbox.xs4all.nl 6.1-STABLE FreeBSD 6.1-STABLE #0: Tue May  9 22:46:51 CEST 2006     rsmith@slackbox.xs4all.nl:/usr/obj/usr/src/sys/RFS  amd64):
 
 Indeed, this problem doesn't manifest itself in STABLE -- I forgot
 to tell this.  Thanks for adding this to the audit trail!
 
 > slackbox:~$ yes | head -100 > 100.txt
 > slackbox:~$ nvi +101 100.txt 
 > 
 > -c option, 1: Illegal address: only 100 lines in the file
 > Press Enter to continue: 
 > 
 > Note that this is the standard nvi, not a debugging version.
 
 /usr/bin/vi crashes, too, when the problem is there, i.e., in CURRENT.
 I used a debugging version just to make the stack trace look more
 clear.
 
 -- 
 Yar

From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: "Yar Tikhiy" <yar@comp.chem.msu.su>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: amd64/101248: vi(1) can crash in ncurses(3) on amd64
Date: Tue, 27 Mar 2007 12:44:41 +0400

 I see this crash on latest CURRENT/amd64 when trying to
 go into ex mode (Shift-Q).
Responsible-Changed-From-To: freebsd-amd64->rafan 
Responsible-Changed-By: rafan 
Responsible-Changed-When: Tue Jun 5 16:03:14 UTC 2007 
Responsible-Changed-Why:  
I have a patch for this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=101248 
State-Changed-From-To: open->closed 
State-Changed-By: rafan 
State-Changed-When: Wed Jun 6 02:23:36 UTC 2007 
State-Changed-Why:  
Fix committed to CURRENT. As this problem does not show on STABLE, I 
won't MFC this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=101248 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: amd64/101248: commit references a PR
Date: Wed,  6 Jun 2007 02:23:13 +0000 (UTC)

 rafan       2007-06-06 02:23:04 UTC
 
   FreeBSD src repository
 
   Modified files:
     contrib/nvi/cl       cl_screen.c 
   Log:
   - Fix crash with ncurses on FreeBSD/amd64 CURRENT by including missing
     header <term.h>, which is required by both tputs() and tgoto().
   
     Without this header, nvi crashes with the call to tputs() at line 114.
     This is because the first argument of tputs() is a pointer, and the
     returned pointer from tgoto() is cast to an integer by the compiler.
   
     For some reason, this only crashes on amd64+CURRENT. On 6.x system,
     this does not happen.
   
   PR:             101248
   Reported by:    yar, infofarmer, Roland Smith
   Tested by:      infofarmer, delphij, rafan
   Approved by:    delphij (mentor)
   
   Revision  Changes    Path
   1.3       +1 -0      src/contrib/nvi/cl/cl_screen.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
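The commit message above names the mechanism but does not show it. The following is an added example, not code from nvi, ncurses or the FreeBSD tree: it models what an LP64 caller does with a pointer returned by a function that was never declared, so that the compiler assumes it returns int. It assumes the x86-64 SysV calling convention (the callee returns the pointer in the full 64-bit RAX, a caller that expects int keeps only EAX, and an int handed to a pointer parameter is sign-extended back to 64 bits). The sample addresses are taken from the backtrace in the PR or are constructed for illustration; the names implicit_int_roundtrip and pointer_survives are this example's own.

```c
/*
 * Added example (not nvi or ncurses code): what an LP64 caller does with a
 * pointer returned by a function it believes returns int, which is what
 * happened in cl_screen.c before <term.h> declared tgoto().
 *
 * Assumption: x86-64 SysV ABI. Callee returns the pointer in 64-bit RAX,
 * an int-expecting caller keeps only EAX, and that int is sign-extended
 * when passed to a parameter of pointer type (tputs()'s first argument).
 */
#include <stdint.h>
#include <stdio.h>

/* Low 32 bits of the returned pointer: all an int-expecting caller keeps. */
static uint32_t caller_reads_eax(uint64_t callee_rax)
{
    return (uint32_t)callee_rax;
}

/* Sign-extend that int when it is handed to a parameter of pointer type. */
static uint64_t sign_extend_to_pointer(uint32_t v)
{
    if (v & 0x80000000u)
        return (uint64_t)v | 0xffffffff00000000ull;
    return (uint64_t)v;
}

/* The pointer tputs() actually receives when tgoto() has no prototype. */
uint64_t implicit_int_roundtrip(uint64_t real_pointer)
{
    return sign_extend_to_pointer(caller_reads_eax(real_pointer));
}

/* 1 if the detour through int is harmless, 0 if the address is corrupted. */
int pointer_survives(uint64_t real_pointer)
{
    return implicit_int_roundtrip(real_pointer) == real_pointer;
}

int main(void)
{
    /* Sample addresses: three from the PR's backtrace, one constructed to
     * look like a 32-bit (i386) address that fits in an int. */
    const struct { const char *what; uint64_t addr; } samples[] = {
        { "libncurses.so.6 text (tputs frame #0)",      0x00000008006bc1f8ull },
        { "heap buffer (vs_msg line= in frame #3)",     0x0000000800e12400ull },
        { "stack (argv in main, frame #8)",             0x00007fffffffebf0ull },
        { "constructed i386-style address, fits int",   0x000000000804a000ull },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t got = implicit_int_roundtrip(samples[i].addr);
        printf("%-44s %#018llx -> %#018llx %s\n", samples[i].what,
               (unsigned long long)samples[i].addr,
               (unsigned long long)got,
               pointer_survives(samples[i].addr) ? "ok" : "CORRUPTED");
    }
    return 0;
}
```

Two practical points follow from this. First, the corruption only bites when the real pointer does not fit in 32 bits, which is why a 32-bit i386 build is immune and why the crash surfaces inside the callee (tputs() dereferences the bad string pointer) rather than at the call site in cl_screen.c; when a backtrace shows frame #0 in a library function that takes a pointer argument, the frame to inspect is #1. Second, the bug is visible at build time: both gcc and clang report a call to an undeclared function under -Wimplicit-function-declaration, and building with -Werror=implicit-function-declaration turns a silent pointer truncation into a compile error.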
>Unformatted:
