ui_bridge:ui_bridge_stop() calls ui_detach_impl() last, so the check for ui_active() in ui:ui_refresh() doesn't help: tui_main() already freed the `ui` object. There is a race between ui_bridge_stop (thread T0) and tui_main (thread T1). UIBridgeData.stopped could be set while ui_bridge_stop() is in the middle of loop_poll_events(), which may invoke tui_scheduler() on T0. The pointers in tui_scheduler() may be invalid by then. Solution(?): Use the `UI.data` field as a "stopped" flag and check it in tui_scheduler(). ASAN use-after-free report observed in #7908: = ==20066==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000cd0 at pc 0x00000182abed bp 0x7ffe23b07070 sp 0x7ffe23b07068 = READ of size 8 at 0x611000000cd0 thread T0 = 0 0x182abec in tui_scheduler /home/travis/build/neovim/neovim/src/nvim/tui/tui.c:393:23 = 1 0x1876afd in ui_bridge_update_fg /home/travis/build/neovim/neovim/build/src/nvim/auto/ui_events_bridge.generated.h:205:3 = 2 0x186c130 in ui_resize /home/travis/build/neovim/neovim/src/nvim/ui.c:310:3 = 3 0x146b9c2 in screen_resize /home/travis/build/neovim/neovim/src/nvim/screen.c:7483:3 = 4 0x186a6f0 in ui_refresh /home/travis/build/neovim/neovim/src/nvim/ui.c:284:3 = 5 0x186bbe0 in ui_refresh_event /home/travis/build/neovim/neovim/src/nvim/ui.c:297:3 = 6 0xa2219a in multiqueue_process_events /home/travis/build/neovim/neovim/src/nvim/event/multiqueue.c:150:7 = 7 0xa1bd7f in loop_poll_events /home/travis/build/neovim/neovim/src/nvim/event/loop.c:63:3 = 8 0x1872709 in ui_bridge_stop /home/travis/build/neovim/neovim/src/nvim/ui_bridge.c:121:5 = 9 0x1864247 in ui_builtin_stop /home/travis/build/neovim/neovim/src/nvim/ui.c:143:3 = 10 0x1249ec8 in mch_exit /home/travis/build/neovim/neovim/src/nvim/os_unix.c:140:3 = 11 0xe56ba9 in getout /home/travis/build/neovim/neovim/src/nvim/main.c:671:3 = 12 0xfc4c8f in preserve_exit /home/travis/build/neovim/neovim/src/nvim/misc1.c:2653:3 = 13 0x1247c02 in deadly_signal 
/home/travis/build/neovim/neovim/src/nvim/os/signal.c:137:3 = 14 0x1247921 in on_signal /home/travis/build/neovim/neovim/src/nvim/os/signal.c:162:9 = 15 0xa35618 in signal_event /home/travis/build/neovim/neovim/src/nvim/event/signal.c:47:3 = 16 0xa2219a in multiqueue_process_events /home/travis/build/neovim/neovim/src/nvim/event/multiqueue.c:150:7 = 17 0xa1bd7f in loop_poll_events /home/travis/build/neovim/neovim/src/nvim/event/loop.c:63:3 = 18 0x1237bd6 in input_poll /home/travis/build/neovim/neovim/src/nvim/os/input.c:349:3 = 19 0x123334f in inbuf_poll /home/travis/build/neovim/neovim/src/nvim/os/input.c:372:24 = 20 0x123316d in os_inchar /home/travis/build/neovim/neovim/src/nvim/os/input.c:110:19 = 21 0x170d20e in state_enter /home/travis/build/neovim/neovim/src/nvim/state.c:55:13 = 22 0xbd7441 in command_line_enter /home/travis/build/neovim/neovim/src/nvim/ex_getln.c:384:3 = 23 0xbd0a60 in getcmdline /home/travis/build/neovim/neovim/src/nvim/ex_getln.c:1920:10 = 24 0xbdb365 in getexline /home/travis/build/neovim/neovim/src/nvim/ex_getln.c:2100:10 = 25 0xb00a6b in do_cmdline /home/travis/build/neovim/neovim/src/nvim/ex_docmd.c:528:47 = 26 0x10a7837 in nv_colon /home/travis/build/neovim/neovim/src/nvim/normal.c:4552:18 = 27 0x1091e15 in normal_execute /home/travis/build/neovim/neovim/src/nvim/normal.c:1136:3 = 28 0x170d439 in state_enter /home/travis/build/neovim/neovim/src/nvim/state.c:67:26 = 29 0x104ee14 in normal_enter /home/travis/build/neovim/neovim/src/nvim/normal.c:466:3 = 30 0xe4295c in main /home/travis/build/neovim/neovim/src/nvim/main.c:572:3 = 31 0x2b2ba340bf44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287 = 32 0x44d24b in _start (/home/travis/build/neovim/neovim/build/bin/nvim+0x44d24b) = = 0x611000000cd0 is located 16 bytes inside of 240-byte region [0x611000000cc0,0x611000000db0) = freed by thread T1 here: = 0 0x4ee0e2 in __interceptor_free 
/local/mnt/workspace/tmp/ubuntu_rel/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3 = 1 0xf4f6d4 in xfree /home/travis/build/neovim/neovim/src/nvim/memory.c:133:3 = 2 0x182a963 in tui_main /home/travis/build/neovim/neovim/src/nvim/tui/tui.c:383:3 = 3 0x18792b0 in ui_thread_run /home/travis/build/neovim/neovim/src/nvim/ui_bridge.c:106:3 = 4 0x2b2ba2697183 in start_thread /build/eglibc-ripdx6/eglibc-2.19/nptl/pthread_create.c:312 = = previously allocated by thread T0 here: = 0 0x4ee61a in calloc /local/mnt/workspace/tmp/ubuntu_rel/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:76:3 = 1 0xf4f787 in xcalloc /home/travis/build/neovim/neovim/src/nvim/memory.c:147:15 = 2 0x182000a in tui_start /home/travis/build/neovim/neovim/src/nvim/tui/tui.c:127:12 = 3 0x1863f7c in ui_builtin_start /home/travis/build/neovim/neovim/src/nvim/ui.c:125:3 = 4 0xe41bb9 in main /home/travis/build/neovim/neovim/src/nvim/main.c:457:5 = 5 0x2b2ba340bf44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287 = = Thread T1 created by T0 here: = 0 0x4d774d in __interceptor_pthread_create /local/mnt/workspace/tmp/ubuntu_rel/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:317:3 = 1 0x1aae6b0 in uv_thread_create /home/travis/nvim-deps/build/src/libuv/src/unix/thread.c:75 = 2 0x18217fa in tui_start /home/travis/build/neovim/neovim/src/nvim/tui/tui.c:159:10 = 3 0x1863f7c in ui_builtin_start /home/travis/build/neovim/neovim/src/nvim/ui.c:125:3 = 4 0xe41bb9 in main /home/travis/build/neovim/neovim/src/nvim/main.c:457:5 = 5 0x2b2ba340bf44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287 --- Alternative attempt: commit 6ad9c02491606a0c31e907f38c9931f324327aa5 Author: Justin M. 
Keyes <justinkz@gmail.com> Date: Sat Jan 27 15:12:58 2018 +0100 tui: fix use-after-free: swap in empty scheduler This should make life easier for UIs like VimR which implement their own in-process bridged UI: they don't need to worry that their `scheduler` might receive an invalid pointer. To avoid that, ui_bridge_stopped() swaps in an empty scheduler. Note that this requires the call to loop_poll_events() to be moved into the critical section. diff --git a/src/nvim/ui_bridge.c b/src/nvim/ui_bridge.c index 779585416f80..491052d19d3b 100644 --- a/src/nvim/ui_bridge.c +++ b/src/nvim/ui_bridge.c @@ -93,10 +93,18 @@ UI *ui_bridge_attach(UI *ui, ui_main_fn ui_main, event_scheduler scheduler) return &rv->bridge; } +static void ui_bridge_null_scheduler(Event event, void *d) +{ + WLOG("ignoring event (bridge stopped)"); +} + void ui_bridge_stopped(UIBridgeData *bridge) { uv_mutex_lock(&bridge->mutex); bridge->stopped = true; + // Replace with an empty scheduler, so that the UI internal scheduler does + // not get invoked with an invalid pointer. #7922 + bridge->scheduler = ui_bridge_null_scheduler; uv_mutex_unlock(&bridge->mutex); } @@ -111,14 +119,11 @@ static void ui_bridge_stop(UI *b) UIBridgeData *bridge = (UIBridgeData *)b; bool stopped = bridge->stopped = false; UI_BRIDGE_CALL(b, stop, 1, b); - for (;;) { + while (!stopped) { uv_mutex_lock(&bridge->mutex); stopped = bridge->stopped; - uv_mutex_unlock(&bridge->mutex); - if (stopped) { - break; - } loop_poll_events(&main_loop, 10); // Process one event (at most). + uv_mutex_unlock(&bridge->mutex); } uv_thread_join(&bridge->ui_thread); uv_mutex_destroy(&bridge->mutex);
// This is an open source non-commercial project. Dear PVS-Studio, please check
// it. PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
#include <assert.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#include "nvim/vim.h"
#include "nvim/ui.h"
#include "nvim/memory.h"
#include "nvim/map.h"
#include "nvim/msgpack_rpc/channel.h"
#include "nvim/api/ui.h"
#include "nvim/api/private/defs.h"
#include "nvim/api/private/helpers.h"
#include "nvim/popupmnu.h"
#include "nvim/cursor_shape.h"
#ifdef INCLUDE_GENERATED_DECLARATIONS
# include "api/ui.c.generated.h"
# include "ui_events_remote.generated.h"
#endif
/// Per-UI state hung off `UI.data` for a remote (RPC) UI.
typedef struct {
  uint64_t channel_id;  // Channel that remote_ui_flush() sends "redraw" to.
  Array buffer;         // Calls queued by push_call() until the next flush.
} UIData;

// Attached remote UIs, keyed by channel id. Created by remote_ui_init().
static PMap(uint64_t) *connected_uis = NULL;
/// Allocates the channel-id -> UI map consulted by every function in this
/// file that looks up `connected_uis`.
void remote_ui_init(void)
  FUNC_API_NOEXPORT
{
  connected_uis = pmap_new(uint64_t)();
}
/// Tears down the remote UI attached on `channel_id`; a no-op when the channel
/// has no UI.
///
/// Order matters: the pending buffer and the UIData are released and
/// `ui->data` is cleared *before* ui_detach_impl() runs, and the UI object
/// itself is freed only after it has been detached.
///
/// @param channel_id  Channel whose UI is torn down.
void remote_ui_disconnect(uint64_t channel_id)
  FUNC_API_NOEXPORT
{
  UI *ui = pmap_get(uint64_t)(connected_uis, channel_id);
  if (ui != NULL) {
    UIData *ui_data = ui->data;
    api_free_array(ui_data->buffer);  // Destroy pending screen updates.
    pmap_del(uint64_t)(connected_uis, channel_id);
    xfree(ui_data);
    // Flag UI as "stopped". From here until xfree(ui) any code handed this UI
    // sees data == NULL.
    // NOTE(review): confirm ui_detach_impl() dispatches no callback on this UI.
    ui->data = NULL;
    ui_detach_impl(ui);
    xfree(ui);
  }
}
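/// Attaches a remote UI to `channel_id`.
///
/// @param channel_id  Channel to attach to; at most one UI per channel.
/// @param width       Requested width; must be in 1..INT_MAX.
/// @param height      Requested height; must be in 1..INT_MAX.
/// @param options     Key/value pairs, each applied with ui_set_option().
/// @param[out] err    Set when the channel already has a UI, a dimension is
///                    out of range, or ui_set_option() rejects an option.
void nvim_ui_attach(uint64_t channel_id, Integer width, Integer height,
                    Dictionary options, Error *err)
  FUNC_API_SINCE(1) FUNC_API_REMOTE_ONLY
{
  if (pmap_has(uint64_t)(connected_uis, channel_id)) {
    api_set_error(err, kErrorTypeException, "UI already attached for channel");
    return;
  }

  if (width <= 0 || height <= 0) {
    api_set_error(err, kErrorTypeValidation,
                  "Expected width > 0 and height > 0");
    return;
  }
  // Both values are supplied by the client and narrowed to int below. Reject
  // anything the cast would not preserve, so that a huge request cannot turn
  // into a small or negative dimension.
  // NOTE(review): assumes Integer is wider than int (hence the casts) - confirm.
  if (width > INT_MAX || height > INT_MAX) {
    api_set_error(err, kErrorTypeValidation,
                  "Expected width and height to fit in an int");
    return;
  }

  UI *ui = xcalloc(1, sizeof(UI));
  ui->width = (int)width;
  ui->height = (int)height;
  ui->rgb = true;
  ui->resize = remote_ui_resize;
  ui->clear = remote_ui_clear;
  ui->eol_clear = remote_ui_eol_clear;
  ui->cursor_goto = remote_ui_cursor_goto;
  ui->mode_info_set = remote_ui_mode_info_set;
  ui->update_menu = remote_ui_update_menu;
  ui->busy_start = remote_ui_busy_start;
  ui->busy_stop = remote_ui_busy_stop;
  ui->mouse_on = remote_ui_mouse_on;
  ui->mouse_off = remote_ui_mouse_off;
  ui->mode_change = remote_ui_mode_change;
  ui->set_scroll_region = remote_ui_set_scroll_region;
  ui->scroll = remote_ui_scroll;
  ui->highlight_set = remote_ui_highlight_set;
  ui->put = remote_ui_put;
  ui->bell = remote_ui_bell;
  ui->visual_bell = remote_ui_visual_bell;
  ui->update_fg = remote_ui_update_fg;
  ui->update_bg = remote_ui_update_bg;
  ui->update_sp = remote_ui_update_sp;
  ui->flush = remote_ui_flush;
  ui->suspend = remote_ui_suspend;
  ui->set_title = remote_ui_set_title;
  ui->set_icon = remote_ui_set_icon;
  ui->option_set = remote_ui_option_set;
  ui->event = remote_ui_event;

  memset(ui->ui_ext, 0, sizeof(ui->ui_ext));

  for (size_t i = 0; i < options.size; i++) {
    ui_set_option(ui, options.items[i].key, options.items[i].value, err);
    if (ERROR_SET(err)) {
      // Nothing else has been allocated or registered yet, so dropping the
      // UI object is the whole cleanup.
      xfree(ui);
      return;
    }
  }

  UIData *data = xmalloc(sizeof(UIData));
  data->channel_id = channel_id;
  data->buffer = (Array)ARRAY_DICT_INIT;
  ui->data = data;

  // Register in the map before attaching, so the UI can be found by channel
  // id as soon as ui_attach_impl() has run.
  pmap_put(uint64_t)(connected_uis, channel_id, ui);
  ui_attach_impl(ui);
}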
/// @deprecated
///
/// Legacy form of nvim_ui_attach(): wraps `enable_rgb` in a one-entry options
/// dictionary under the key "rgb" and forwards the call.
void ui_attach(uint64_t channel_id, Integer width, Integer height,
               Boolean enable_rgb, Error *err)
{
  Dictionary rgb_only = ARRAY_DICT_INIT;
  PUT(rgb_only, "rgb", BOOLEAN_OBJ(enable_rgb));

  nvim_ui_attach(channel_id, width, height, rgb_only, err);

  // The dictionary is released here whether or not the attach succeeded.
  api_free_dictionary(rgb_only);
}
/// Detaches the remote UI attached on `channel_id`.
///
/// @param channel_id  Channel whose UI is detached.
/// @param[out] err    Set when no UI is attached on that channel.
void nvim_ui_detach(uint64_t channel_id, Error *err)
  FUNC_API_SINCE(1) FUNC_API_REMOTE_ONLY
{
  if (pmap_has(uint64_t)(connected_uis, channel_id)) {
    remote_ui_disconnect(channel_id);
  } else {
    api_set_error(err, kErrorTypeException, "UI is not attached for channel");
  }
}
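/// Records a new requested size for the UI attached on `channel_id`, then
/// calls ui_refresh().
///
/// @param channel_id  Channel whose UI is resized.
/// @param width       Requested width; must be in 1..INT_MAX.
/// @param height      Requested height; must be in 1..INT_MAX.
/// @param[out] err    Set when no UI is attached on the channel or a
///                    dimension is out of range.
void nvim_ui_try_resize(uint64_t channel_id, Integer width,
                        Integer height, Error *err)
  FUNC_API_SINCE(1) FUNC_API_REMOTE_ONLY
{
  if (!pmap_has(uint64_t)(connected_uis, channel_id)) {
    api_set_error(err, kErrorTypeException, "UI is not attached for channel");
    return;
  }

  if (width <= 0 || height <= 0) {
    api_set_error(err, kErrorTypeValidation,
                  "Expected width > 0 and height > 0");
    return;
  }
  // Both values are supplied by the client and narrowed to int below. Reject
  // anything the cast would not preserve, so that a huge request cannot turn
  // into a small or negative dimension.
  // NOTE(review): assumes Integer is wider than int (hence the casts) - confirm.
  if (width > INT_MAX || height > INT_MAX) {
    api_set_error(err, kErrorTypeValidation,
                  "Expected width and height to fit in an int");
    return;
  }

  UI *ui = pmap_get(uint64_t)(connected_uis, channel_id);
  ui->width = (int)width;
  ui->height = (int)height;
  ui_refresh();
}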
/// Sets one option on the UI attached on `channel_id` and, if the option was
/// accepted, calls ui_refresh().
///
/// @param channel_id  Channel whose UI is updated.
/// @param name        Option name, matched by ui_set_option().
/// @param value       Option value, type-checked by ui_set_option().
/// @param[out] error  Set when no UI is attached on the channel or
///                    ui_set_option() rejects the option.
void nvim_ui_set_option(uint64_t channel_id, String name,
                        Object value, Error *error)
  FUNC_API_SINCE(1) FUNC_API_REMOTE_ONLY
{
  if (!pmap_has(uint64_t)(connected_uis, channel_id)) {
    api_set_error(error, kErrorTypeException, "UI is not attached for channel");
    return;
  }

  UI *target = pmap_get(uint64_t)(connected_uis, channel_id);
  ui_set_option(target, name, value, error);
  if (ERROR_SET(error)) {
    return;  // Rejected option: no refresh.
  }
  ui_refresh();
}
/// Applies a single client-supplied option to `ui`.
///
/// Every recognised option is a Boolean: "rgb", the four `ext_*` extensions,
/// and the legacy "popupmenu_external". A recognised name with a non-Boolean
/// value, or an unrecognised name, sets `error` and leaves `ui` unchanged.
///
/// NOTE(review): names are compared through `name.data` as C strings and
/// `name.size` is ignored - confirm String data is always non-NULL and
/// NUL-terminated when it reaches this function.
///
/// @param ui          UI to modify.
/// @param name        Option name.
/// @param value       Option value; must have type kObjectTypeBoolean.
/// @param[out] error  Set on a type mismatch or an unknown option.
static void ui_set_option(UI *ui, String name, Object value, Error *error)
{
// If `name` is the option `o`: validate the value type, store the Boolean in
// `target`, and return from ui_set_option() either way.
#define UI_BOOL_OPTION(o, target) \
  do { \
    if (strequal(name.data, #o)) { \
      if (value.type != kObjectTypeBoolean) { \
        api_set_error(error, kErrorTypeValidation, #o " must be a Boolean"); \
        return; \
      } \
      (target) = value.data.boolean; \
      return; \
    } \
  } while (0)

  UI_BOOL_OPTION(rgb, ui->rgb);

  UI_BOOL_OPTION(ext_cmdline, ui->ui_ext[kUICmdline]);
  UI_BOOL_OPTION(ext_popupmenu, ui->ui_ext[kUIPopupmenu]);
  UI_BOOL_OPTION(ext_tabline, ui->ui_ext[kUITabline]);
  UI_BOOL_OPTION(ext_wildmenu, ui->ui_ext[kUIWildmenu]);

  // LEGACY: Deprecated option, use `ui_ext` instead.
  UI_BOOL_OPTION(popupmenu_external, ui->ui_ext[kUIPopupmenu]);

  // No branch above matched the name.
  api_set_error(error, kErrorTypeValidation, "No such ui option");
#undef UI_BOOL_OPTION
}
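/// Pushes data into UI.UIData, to be consumed later by remote_ui_flush().
///
/// `args` is stored in the pending buffer, so the caller must not free it
/// after this call. When the UI has already been flagged as stopped
/// (`ui->data == NULL`) the call is dropped and `args` is freed here instead.
///
/// @param ui    Remote UI whose buffer receives the call.
/// @param name  Method name; adjacent calls with the same name share an entry.
/// @param args  Arguments of this call.
static void push_call(UI *ui, char *name, Array args)
{
  UIData *data = ui->data;
  if (data == NULL) {
    // remote_ui_disconnect() frees the UIData and sets ui->data to NULL
    // before it calls ui_detach_impl(). Do not dereference it if a call
    // arrives in that window.
    api_free_array(args);
    return;
  }

  Array call = ARRAY_DICT_INIT;

  // To optimize data transfer(especially for "put"), we bundle adjacent
  // calls to same method together, so only add a new call entry if the last
  // method call is different from "name"
  if (kv_size(data->buffer)) {
    call = kv_A(data->buffer, kv_size(data->buffer) - 1).data.array;
  }

  if (!kv_size(call) || strcmp(kv_A(call, 0).data.string.data, name)) {
    call = (Array)ARRAY_DICT_INIT;
    ADD(data->buffer, ARRAY_OBJ(call));
    ADD(call, STRING_OBJ(cstr_to_string(name)));
  }

  ADD(call, ARRAY_OBJ(args));
  // `call` is a by-value copy of the last buffer entry; write it back so the
  // buffer sees the entries added above.
  kv_A(data->buffer, kv_size(data->buffer) - 1).data.array = call;
}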
/// Queues a "highlight_set" call whose only argument is `attrs` converted to a
/// dictionary by hlattrs2dict().
static void remote_ui_highlight_set(UI *ui, HlAttrs attrs)
{
  Array call_args = ARRAY_DICT_INIT;
  ADD(call_args, DICTIONARY_OBJ(hlattrs2dict(attrs)));
  push_call(ui, "highlight_set", call_args);
}
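/// Sends the calls queued by push_call() to the UI's channel as one "redraw"
/// event and starts a fresh, empty buffer.
///
/// Does nothing when the buffer is empty or the UI has been flagged as
/// stopped (`ui->data == NULL`).
static void remote_ui_flush(UI *ui)
{
  UIData *data = ui->data;
  // remote_ui_disconnect() sets ui->data to NULL before it calls
  // ui_detach_impl(); a flush in that window must not dereference it.
  if (data == NULL || data->buffer.size == 0) {
    return;
  }

  rpc_send_event(data->channel_id, "redraw", data->buffer);
  // The buffer is re-initialised without being freed.
  // NOTE(review): presumably rpc_send_event() takes ownership - confirm.
  data->buffer = (Array)ARRAY_DICT_INIT;
}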
/// Queues the event `name` with `args` for this UI.
///
/// Objects are currently single-reference, so `args` itself can be handed to
/// only one consumer. `*args_consumed` tracks that: while it is false this UI
/// takes `args` as-is and sets the flag; once it is true a copy is made.
///
/// @param ui                     Remote UI receiving the event.
/// @param name                   Event name.
/// @param args                   Event arguments.
/// @param[in,out] args_consumed  Whether `args` has already been handed over.
static void remote_ui_event(UI *ui, char *name, Array args, bool *args_consumed)
{
  Array forwarded = ARRAY_DICT_INIT;

  if (!*args_consumed) {
    // First taker: pass the original through and mark it as spoken for.
    forwarded = args;
    *args_consumed = true;
  } else {
    for (size_t idx = 0; idx < args.size; idx++) {
      ADD(forwarded, copy_object(args.items[idx]));
    }
  }

  push_call(ui, name, forwarded);
}