X-Recipient: archive-cygwin AT delorie DOT com
X-Spam-Check-By: sourceware.org
Date: Fri, 1 Jul 2011 10:36:03 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: Re: Vim segv'ing
Message-ID: <20110701083603.GM9552@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
References: <20110630072012 DOT GB9552 AT calimero DOT vinschen DOT de> <2BF01EB27B56CC478AD6E5A0A28931F202CFAFF7 AT A1DAL1SWPES19MB DOT ams DOT acs-inc DOT net> <20110630142353 DOT GH9552 AT calimero DOT vinschen DOT de> <20110630150502 DOT GJ9552 AT calimero DOT vinschen DOT de>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20110630150502.GJ9552@calimero.vinschen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On Jun 30 17:05, Corinna Vinschen wrote:
> On Jun 30 16:23, Corinna Vinschen wrote:
> > On Jun 30 07:30, Nellis, Kenneth wrote:
> > > > From: Corinna Vinschen
> > > > Works fine for me.  If I'm admin, writing works, if I'm not admin,
> > > > writing fails with permission denied.  Could you please send your
> > > > cygcheck output per http://cygwin.com/problems.html as well as an
> > > > strace which shows what happens, like this:
> > > > 
> > > >   $ strace -o vim.trace vim-nox /etc/hosts
> > > >   :wq!
> > > 
> > > FWIW, I see the same problem as the OP. The strace command interferes
> > > with vim so that it won't recognize ESC to allow the ":" to be
> > > recognized, so I can't ":wq!" as requested. strace output nevertheless
> > > attached as is cygcheck -svr output.
> > 
> > You strace shows nothing, it just stops at one point.  Are you running
> > from a console or from mintty?  When running in a console in default
> > notty mode, :w! or :wq! works fine.  Can you try again?  Perhaps with
> > other strace flags?
> > 
> >   strace -o vim.trace -m 0xffff vim-nox /etc/hosts
> 
> I suddenly can reproduce the problem.  For some reason it occurs only if
> both, vim and the Cygwin DLL, are compiled with -O2.  Darn.  This does
> not make debugging exactly easier :-P  All I can say at this point is
> that the stack gets overwritten at one point.

FYI, I tracked it down to the place where the stack overwrite occurs.
This is most puzzeling.  When typing :wq!, the following chain of functions
is called:

  nv_colon
   do_cmdline
    ex_exit
     do_write
      open                           <- Here it calls into the Cygwin DLL
       fhandler_base::open_with_arch
        fhandler_base::open_fs
         fhandler_base::open
          NtCreateFile               <--Here it calls into NTDLL.DLL
              
The open call tries to open the backup file "/etc/hosts~", not the
symlink itself.

In the optimized version of vim, the local variable "cap" in the
function nv_colon is kept in register $esi.  When do_cmdline is called,
$esi is pushed onto the stack.  Then everything goes its normal ways,
until NtCreateFile is called.

And here's the puzzler: This call to NtCreateFile overwrites the 4 byte
stack slot in which the "cap" pointer is saved with the value 0x10c!

After return from do_cmdline, nv_colon uses cap in an expression and
since cap is a pointer value, when dereferencing the pointer, vim
crashes.

I checked this situation a couple of times in assembler.  The cap
value is fine up to the "call NtCreateFile AT 44", and it's changed to
0x10c when NtCreateFile returns.

I don't understand that.  Not only that NtCreateFile is not supposed to
change values on the stack in the stack frame 8 functions above, I also
don't know what the value 0x10c is.  It's not the HANDLE returned by
NtCreateFile, that's 0x1e4.

Well, that's it.  I just had to vent a bit since I have no idea how
to proceed at this point.  I can see and prove that the NtCreateFile
call overwrites the stack, but it's totally unlikely that NtCreateFile
would ever do that.  The OS would be broken.

Oh, and here's a last-minute surprise:  It does not happen if you run
gvim, rather than vim.  Maybe I should just give up to provide packages.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple