Problem: Vim tests are slow and flaky at the same time due to reliance
on timeouts which are unreliable.
Solution: improve Vim test performance and reduce flakiness
(Yee Cheng Chin)
A lot of Vim tests currently rely on waiting a specific amount of time
before asserting a condition. This is bad because 1) it is slow, as the
timeout is hardcoded, 2) it's unreliable as a resource-starved runner
may overshoot the timeout. Also, there are a lot of builtin sleep
commands in commonly used utilities like VerifyScreenDump and WaitFor()
which leads to a lot of unnecessary idle time.
Fix these issues by doing the following:
1. Make utilities like VerifyScreenDump and WaitFor use the lowest wait
time possible (1 ms). This essentially turns it into a spin wait. On
fast machines, these will finish very quickly. For existing tests
that had an implicit reliance on the old timeouts (e.g.
VerifyScreenDump had a 50ms wait before), fix the tests to wait that
specific amount explicitly.
2. Fix tests that sleep or wait for long amounts of time to instead
explicitly use a callback mechanism to be notified when a child
terminal job has finished. This allows the test to only take as much
time as possible instead of having to hard code an unreliable
timeout.
With these fixes, tests should 1) completely quickly on fast machines,
and 2) on slow machines they will still run to completion albeit slowly.
Note that previoulsy both were not true. The hardcoded timeouts meant
that on fast machines the tests were mostly idling wasting time, whereas
on slow machines, the timeouts often were not generous enough to allow
them to run to completion.
closes: #16615
Signed-off-by: Yee Cheng Chin <ychin.git@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: possible crash with 2-byte encoding and glob2regpat()
(after v9.1.0700, v9.1.0702)
Solution: include both bytes for a multi-byte character for an
escaped character
closes: #15590
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: crash with NFA regex engine when searching for composing chars
(SuyueGuo)
Solution: When there is no composing character, break out of the loop
and check that out1 state is not null
fixes: #15583
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: possible crash with 2byte encoding and glob2regpat()
Solution: Skip over character, if it is multi-byte character
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: tests: "Untitled" file not removed when running Test_crash1_3 alone
with TEST_FILTER (after v9.1.0695)
Solution: Use a TearDown function instead of another test.
(zeertzjq)
closes: #15578closes: #15577
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: tests: test_crash leaves Untitled file around
Solution: cleanup at the end of the test_crash.vim test file
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: crash with WinNewPre autocommand, because window
structures are not yet safe to use
Solution: Don't trigger WinNewPre on :tabnew
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security] double-free in dialog_changed()
(SuyueGuo)
Solution: Only clear pointer b_sfname pointer, if it is different
than the b_ffname pointer. Don't try to free b_fname,
set it to NULL instead.
fixes: #15403
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
list
function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.
So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer
closes: #13652
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: use-after-free in exec_instructions()
Solution: get tv pointer again
[security]: use-after-free in exec_instructions()
exec_instructions may access freed memory, if the GA_GROWS_FAILS()
re-allocates memory. When this happens, the typval tv may still point to
now already freed memory. So let's get that pointer again and compare it
with tv. If those two pointers differ, tv is now invalid and we have to
refresh the tv pointer.
closes: #13621
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: buffer-overflow in ex_substitute
Solution: clear memory after allocating
When allocating the new_start pointer in ex_substitute() the memory
pointer points to some garbage that the following for loop in
ex_cmds.c:4743 confuses and causes it to accessing the new_start pointer
beyond it's size, leading to a buffer-overlow.
So fix this by using alloc_clear() instead of alloc(), which will
clear the memory by NUL and therefore cause the loop to terminate
correctly.
Reported by @henices, thanks!
closes: #13596
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: stack-buffer-overflow in option callback functions
Solution: pass size of errbuf down the call stack, use snprintf()
instead of sprintf()
We pass the error buffer down to the option callback functions, but in
some parts of the code, we simply use sprintf(buf) to write into the error
buffer, which can overflow.
So let's pass down the length of the error buffer and use sprintf(buf, size)
instead.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: buffer-overflow in suggest_trie_walk
Solution: Check n before using it as index into byts array
Basically, n as an index into the byts array, can point to beyond the byts
array. So let's double check, that n is within the expected range after
incrementing it from sp->ts_curi and bail out if it would be invalid.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: use-after-free in win-enter
Solution: validate window pointer before calling win_enter()
win_goto() may stop visual mode, if it is active. However, this may in
turn trigger the ModeChanged autocommand, which could potentially free
the wp pointer which was valid before now became stale and points to now
freed memory.
So before calling win_enter(), let's verify one more time, that the
wp pointer still points to a valid window structure.
Reported by @henices, thanks!
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: Use-after-free in win_close()
Solution: Check window is valid, before accessing it
If the current window structure is no longer valid (because a previous
autocommand has already freed this window), fail and return before
attempting to set win->w_closing variable.
Add a test to trigger ASAN in CI
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: buffer-overflow in trunc_string()
Solution: Add NULL at end of buffer
Currently trunc_string() assumes that when the string is too long,
buf[e-1] will always be writeable. But that assumption may not always be
true. The condition currently looks like this
else if (e + 3 < buflen)
[...]
else
{
// can't fit in the "...", just truncate it
buf[e - 1] = NUL;
}
but this means, we may run into the last else clause with e still being
larger than buflen. So a buffer overflow occurs.
So instead of using `buf[e - 1]`, let's just always
truncate at `buf[buflen - 1]` which should always be writable.
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Trailing white space in tests
Solution: Delete it
This causes test_codestyle to fail, so we need to remove it again.
Hopefully that makes the CI green again.
Note: I will start using annotated tags from now on.
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Vim9: parsing commands with newlines wrong
Solution: Accept a '\n' for parsing lists and command arguments
closes: #13015closes: #13020
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: crash with bt_quickfix1_poc when cleaning up
and EXITFREE is defined
Solution: Test if buffer is valid in a window, else close
window directly, don't try to access buffer properties
While at it, increase the crash timeout slightly, so that CI has a
chance to finish processing the test_crash() test.
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: test_crash1() fails on CI
Solution: don't run Screendump test, verify that it doesn't crash
by running it through a shell command line, testing
the exit value and concatenating success cmd using '&&'
Signed-off-by: Christian Brabandt <cb@256bit.org>
