`heap-use-after-free` with decor providers

[NobleMathews]

hashtaghashtaghashtag Problem

=================================================================
==38143==ERROR: AddressSanitizer: heap-use-after-free on address 0x000109706cd0 at pc 0x000102d4a374 bp 0x00016d5b8210 sp 0x00016d5b8208
READ of size 4 at 0x000109706cd0 thread T0
    hashtag0 0x102d4a370 in decor_providers_invoke_win decoration_provider.c:136
    hashtag1 0x102e4a160 in win_update drawscreen.c:1498
    hashtag2 0x102e41b48 in update_screen drawscreen.c:633
    hashtag3 0x103aa294c in normal_redraw normal.c:1347
    hashtag4 0x103a9fd20 in normal_check normal.c:1443
    hashtag5 0x104195ac4 in state_enter state.c:36
    hashtag6 0x103a14218 in normal_enter normal.c:508
    hashtag7 0x10369c37c in main main.c:638
    hashtag8 0x1876750dc  (<unknown module>)

0x000109706cd0 is located 16 bytes inside of 352-byte region [0x000109706cc0,0x000109706e20)
freed by thread T0 here:
    hashtag0 0x106066e28 in wrap_realloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x52e28)
    hashtag1 0x1038ce9e0 in xrealloc memory.c:176
    hashtag2 0x102d508d4 in get_decor_provider decoration_provider.c:254
    hashtag3 0x102935ad0 in nvim_set_decoration_provider extmark.c:1022
    hashtag4 0x102864854 in nlua_api_nvim_set_decoration_provider lua_api_c_bindings.generated.c:2968
    hashtag5 0x10481f118 in lj_BC_FUNCC+0x28 (nvim:arm64+0x101fe3118)
    hashtag6 0x1048819cc in lj_cf_package_require lib_package.c:464
    hashtag7 0x10483552c in lua_pcall lj_api.c:1150
    hashtag8 0x10365e5d0 in nlua_typval_exec executor.c:1466
    hashtag9 0x10365ea3c in nlua_typval_call executor.c:1422
    hashtag10 0x10316f1c4 in call_func userfunc.c:1661
    hashtag11 0x10316bba4 in get_func_tv userfunc.c:552
    hashtag12 0x102f4e55c in call_func_rettv eval.c:3354
    hashtag13 0x102f4ce1c in handle_subscript eval.c:7590
    hashtag14 0x102f7d880 in eval7 eval.c:3238
    hashtag15 0x102f79648 in eval6 eval.c:2946
    hashtag16 0x102f773d8 in eval5 eval.c:2801
    hashtag17 0x102f7588c in eval4 eval.c:2676
    hashtag18 0x102f74398 in eval3 eval.c:2585
    hashtag19 0x102f11cd4 in eval2 eval.c:2507
    hashtag20 0x102efcd60 in eval1 eval.c:2411
    hashtag21 0x102ef8de8 in eval0 eval.c:2356
    hashtag22 0x102efe740 in eval_to_string eval.c:991
    hashtag23 0x102eff380 in eval_to_string_safe eval.c:1016
    hashtag24 0x1041c03b0 in build_stl_str_hl statusline.c:1450
    hashtag25 0x1041a9830 in win_redr_custom statusline.c:405
    hashtag26 0x10419f0a8 in redraw_custom_statusline statusline.c:643
    hashtag27 0x10419bbc4 in win_redr_status statusline.c:86
    hashtag28 0x102e41c78 in update_screen drawscreen.c:639
    hashtag29 0x103aa294c in normal_redraw normal.c:1347

previously allocated by thread T0 here:
    hashtag0 0x106066e28 in wrap_realloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x52e28)
    hashtag1 0x1038ce9e0 in xrealloc memory.c:176
    hashtag2 0x102d508d4 in get_decor_provider decoration_provider.c:254
    hashtag3 0x102935ad0 in nvim_set_decoration_provider extmark.c:1022
    hashtag4 0x102864854 in nlua_api_nvim_set_decoration_provider lua_api_c_bindings.generated.c:2968
    hashtag5 0x10481f118 in lj_BC_FUNCC+0x28 (nvim:arm64+0x101fe3118)
    hashtag6 0x1048819cc in lj_cf_package_require lib_package.c:464
    hashtag7 0x1048819cc in lj_cf_package_require lib_package.c:464
    hashtag8 0x1048819cc in lj_cf_package_require lib_package.c:464
    hashtag9 0x1048819cc in lj_cf_package_require lib_package.c:464
    hashtag10 0x10483552c in lua_pcall lj_api.c:1150
    hashtag11 0x10365b8e0 in nlua_exec_file executor.c:1825
    hashtag12 0x103edc64c in do_source runtime.c:2219
    hashtag13 0x1036bf164 in do_user_initialization main.c:1997
    hashtag14 0x1036b46a0 in source_startup_scripts main.c:2110
    hashtag15 0x10369abbc in main main.c:439
    hashtag16 0x1876750dc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free decoration_provider.c:136 in decor_providers_invoke_win
Shadow bytes around the buggy address:
  0x000109706a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000109706a80: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x000109706b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x000109706b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x000109706c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x000109706c80: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x000109706d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000109706d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x000109706e00: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x000109706e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x000109706f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==38143==ABORTING

hashtaghashtaghashtag Steps to reproduce

Only partial: only included for reference

• run my config
• CC=clang make CMAKE_FLAGS="-DENABLE_ASAN_UBSAN=1"
• VIMRUNTIME=$(pwd)/runtime ./build/bin/nvim <FILE>

hashtaghashtaghashtag Neovim version (nvim -v)

NVIM v0.10.0-dev-693aea0e9

hashtaghashtaghashtag Operating system/version

macOS 14.1.1

hashtaghashtaghashtag Terminal name/version

wezterm

hashtaghashtaghashtag $TERM environment variable

wezterm

hashtaghashtaghashtag Installation

source

[mayil-ai[bot]]

Here are some code snippets that may help you get started:

• src/nvim/decoration_provider.c:1-184 | The snippet includes the definition and usage of the decor_providers vector, which is central to the heap-use-after-free issue. It requires review to ensure safe iteration and modification.

To address the heap-use-after-free error in the decor_providers_invoke_win function, follow these actionable steps:

• Prevent Vector Modification During Iteration:

  • Ensure the decor_providers vector is not modified while iterating over it in the decor_providers_invoke_win function.

• Add Validity Checks for Providers:

  • Implement checks to ensure DecorProvider objects are not accessed if they have been cleared or marked for deletion.

  void decor_providers_invoke_win(win_T *wp, DecorProviders *providers) {
  decor_state.running_decor_provider = true;
  for (size_t k = 0; k < kv_size(*providers); k++) {
    DecorProvider *p = kv_A(*providers, k);
    if (p && p->active && p->redraw_win != LUA_NOREF) {
      // Ensure provider is still valid
      if (!p->active) {
        continue;
      }
      MAXSIZE_TEMP_ARRAY(args, 3);
      ADD_C(args, WINDOW_OBJ(wp->handle));
      ADD_C(args, BUFFER_OBJ(wp->w_buffer->handle));
      ADD_C(args, INTEGER_OBJ(wp->w_cursor.lnum));
      if (!decor_provider_invoke(p, "win", p->redraw_win, args, true)) {
        // Mark provider as inactive if invocation fails
        p->active = false;
      }
    }
  }
  decor_state.running_decor_provider = false;
  }

• Handle Modifications Safely:

  • Perform any modifications to the decor_providers vector, such as resizing, outside of iteration loops.

• Use a Separate List for Deferred Actions:

  • Consider maintaining a separate list to track providers that need to be cleared or deactivated, and apply these changes after completing the iteration.

💡 To rerun Mayil, comment mayil-ai rerun. Mayil will incorporate any new context added to the ticket. Include details in your rerun comment to guide Mayil!