mawww / kakoune

mawww's experiment for a better code editor
http://kakoune.org
The Unlicense

[BUG][CRASH] kak -f / execute-keys crash given random sequence of keys #4472

Open kak-0 opened 2 years ago

kak-0 commented 2 years ago

Version of Kakoune

v2021.11.08-41-g6029ee98 (debug=yes)

Reproducer

kak -f crashes when given some random sequences of keys. For example:

kak -f 'o<esc><u><a-gt>U' </dev/null # Fatal error: assert failed "m_current_undo_group.empty()" at buffer.cc:310
kak -f 'o<esc><u><A>a<a-;>U' </dev/null # Fatal error: assert failed "m_current_undo_group.empty()" at buffer.cc:310
kak -f '2oK.k<c-n><ret><c-n>' </dev/null # Fatal error: assert failed "from >= 0 and from <= str_len" at string.hh:287
kak -f 'o/<c-n><up><c-n>' </dev/null # SIGSEGV
kak -f 'iab:a<c-p><home><c-p>' </dev/null # SIGSEGV
kak -f 'iab<space>a<c-p><a-;><a-h><c-n>' </dev/null # SIGSEGV
kak -f '+<a-)>iab$a<c-p><ret><c-p>' </dev/null # Fatal error: assert failed "from >= 0 and from <= str_len" at string.hh:287
kak -f 'i<tab><tab><esc><a-u>iw<esc><a-u>+@' </dev/null # Fatal error: assert failed "min >= last_min" at selection.cc:285

These key sequences (with the exception of the last one) crash execute-keys too, but they don't crash Kakoune when pressed interactively.

Outcome

Kakoune crashes.

Expectations

No response

Additional information

Kakoune must be built with debug=yes to enable assertions.

sidkshatriya commented 2 years ago

Interesting. Just curious -- were these sequences obtained from fuzzing?

kak-0 commented 2 years ago

Interesting. Just curious -- were these sequences obtained from fuzzing?

I just generated random key sequences and passed them to kak -f. I'm not familiar with dedicated fuzzing tools, but they will probably be able to find more crashes.

Here is the script I used if you're curious, but running it may be unsafe as random inputs can cause unpredictable behavior.
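
A small harness in the same spirit, added here as an example; it is not the reporter's script (which is not shown on this page) nor part of Kakoune. It builds random key sequences from a vocabulary of keys taken from the crashes reported above, runs each one through `kak -f` with a timeout, and reduces the outcome to a stable crash signature (the assertion's file:line, or the signal name) so that many inputs hitting the same bug collapse to a single entry, which is what you want when turning findings into regression cases. It assumes a `kak` binary on PATH built with debug=yes; the `KEYS` vocabulary, sequence length and function names are my own choices.

```python
"""Random key-sequence harness for `kak -f` (added example, not the
reporter's script). Assumes a debug=yes build of `kak` on PATH."""
import random
import re
import shutil
import signal
import subprocess
from typing import Optional, Tuple

# Key vocabulary: plain characters plus named keys in Kakoune's <...>
# notation. Every entry appears in one of the sequences reported above;
# the selection itself is an assumption of this example.
KEYS = list("oiaUuk.:$/+@") + [
    "<esc>", "<ret>", "<tab>", "<space>", "<up>", "<home>",
    "<c-n>", "<c-p>", "<a-;>", "<a-h>", "<a-u>", "<a-gt>", "<a-)>",
]

# Matches the assertion line a debug build prints, as quoted in the report:
#   Fatal error: assert failed "m_current_undo_group.empty()" at buffer.cc:310
ASSERT_RE = re.compile(r'assert failed "(?P<expr>[^"]*)" at (?P<loc>\S+)')


def random_key_sequence(rng: random.Random, length: int) -> str:
    """Concatenate `length` keys drawn from KEYS using the given RNG."""
    return "".join(rng.choice(KEYS) for _ in range(length))


def generate_corpus(seed: int, count: int, length: int) -> list:
    """Deterministic corpus: same seed gives the same sequences, so a
    crash found in one run can be reproduced by seed and index."""
    rng = random.Random(seed)
    return [random_key_sequence(rng, length) for _ in range(count)]


def classify(returncode: Optional[int], stderr: str) -> Optional[str]:
    """Reduce a finished run to a crash signature, or None if it exited cleanly.

    - returncode None is what run_sequence reports for a timeout (hang)
    - an assertion failure is keyed by file:line, the stable part of the message
      (the process also dies with SIGABRT, so this check comes first)
    - a negative return code means death by signal, e.g. -11 -> "SIGSEGV"
    """
    if returncode is None:
        return "TIMEOUT"
    m = ASSERT_RE.search(stderr)
    if m:
        return "assert:" + m.group("loc")
    if returncode < 0:
        try:
            return signal.Signals(-returncode).name
        except ValueError:
            return "signal:%d" % -returncode
    if returncode != 0:
        return "exit:%d" % returncode
    return None


def run_sequence(keys: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """Run `kak -f KEYS </dev/null`; returns (returncode, stderr), with
    returncode None when the process had to be killed after `timeout`."""
    try:
        proc = subprocess.run(
            ["kak", "-f", keys],
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return None, ""
    return proc.returncode, proc.stderr


def fuzz(seed: int = 0, count: int = 500, length: int = 8) -> dict:
    """Run the corpus and return {signature: first key sequence that hit it}."""
    first_seen = {}
    for keys in generate_corpus(seed, count, length):
        sig = classify(*run_sequence(keys))
        if sig is not None and sig not in first_seen:
            first_seen[sig] = keys
    return first_seen


if __name__ == "__main__":
    if shutil.which("kak") is None:
        raise SystemExit("kak not found on PATH (this example assumes a debug=yes build)")
    for sig, keys in sorted(fuzz().items()):
        # Each line is a ready-made reproducer: kak -f '<keys>' </dev/null
        print("%-28s kak -f %r </dev/null" % (sig, keys))
```

Because `classify` only looks at the exit status and stderr, the same function can grade a fixed set of reproducers (the eight commands in the report, for instance) on every build, which is the regression-testing use Screwtapello mentions below for fuzzer-found inputs.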

Screwtapello commented 2 years ago

A tool like afl++ is pretty smart; build your tool with the provided instrumenting compilers, then run your tool inside the fuzzer and it will track which specific branch instructions a given input causes, automatically dropping inputs that explore previously well-explored branches and leaping at inputs that trigger new control-flows. It also produces a directory full of input files that have caused crashes, making it easy to automate regression testing.

The downside is that it expects the tool to take the fuzzing input on stdin, and I don't think there's an easy way to hack up Kakoune's filter mode to work like that.

lenormf commented 2 years ago

Related