Text undo crash in memmove() from ImGuiStb::stb_textedit_discard_redo

[unpacklo]

Hi Omar!

Sorry about the lack of details on this report, I'm very busy this week!

We encountered a crash in our game when undoing a bunch of text edits. Initially encountered it on Windows, but also repro'd on Linux.

Repro steps:

1. Multiline text edit widget, enter some text and copy/paste it many times.
2. Spam undo many times.

Crash on step 2.

Here's the Linux trace:

Program received signal SIGSEGV, Segmentation fault.
__memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1656
1656    ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S: No such file or directory.
(gdb) bt
#0  __memmove_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1656
#1  0x0000000000425b6e in ImGuiStb::stb_textedit_discard_redo (state=0x689ba8 <GImDefaultContext+6984>) at ../../stb_textedit.h:1098
#2  0x0000000000425f12 in ImGuiStb::stb_text_undo (str=0x689b48 <GImDefaultContext+6888>, state=0x689b90 <GImDefaultContext+6960>) at ../../stb_textedit.h:1188
#3  0x0000000000424bd5 in ImGuiStb::stb_textedit_key (str=0x689b48 <GImDefaultContext+6888>, state=0x689b90 <GImDefaultContext+6960>, key=65546) at ../../stb_textedit.h:735
#4  0x000000000042651d in ImGuiTextEditState::OnKeyPressed (this=0x689b48 <GImDefaultContext+6888>, key=65546) at ../../imgui.cpp:7446
#5  0x0000000000427e12 in ImGui::InputTextEx (label=0x46a5aa "##source", buf=0x683d00 <ImGui::ShowTestWindow(bool*)::text> "", buf_size=16384, size_arg=..., flags=1049600, callback=0x0, user_data=0x0) at ../../imgui.cpp:7782
#6  0x000000000042994f in ImGui::InputTextMultiline (label=0x46a5aa "##source", buf=0x683d00 <ImGui::ShowTestWindow(bool*)::text> "", buf_size=16384, size=..., flags=1024, callback=0x0, user_data=0x0) at ../../imgui.cpp:8119
#7  0x0000000000437a33 in ImGui::ShowTestWindow (p_open=0x7fffffffde6f) at ../../imgui_demo.cpp:504
#8  0x0000000000405c4a in main () at main.cpp:134
(gdb) frame 1
#1  0x0000000000425b6e in ImGuiStb::stb_textedit_discard_redo (state=0x689ba8 <GImDefaultContext+6984>) at ../../stb_textedit.h:1098
1098             STB_TEXTEDIT_memmove(state->undo_char + state->redo_char_point, state->undo_char + state->redo_char_point-n, (size_t) ((size_t)(STB_TEXTEDIT_UNDOSTATECOUNT - state->redo_char_point)*sizeof(STB_TEXTEDIT_CHARTYPE)));
(gdb) info registers
rax            0x68a81a 6858778
rbx            0x400    1024
rcx            0xa0000  655360
rdx            0xffffffffffff89f6   -30218
rsi            0x683056 6828118
rdi            0x683310 6828816
rbp            0x7fffffffcb80   0x7fffffffcb80
rsp            0x7fffffffcb60   0x7fffffffcb60
r8             0x68a102 6856962
r9             0x2ba    698
r10            0x0  0
r11            0x7ffff3db7390   140737284633488
r12            0x405520 4216096
r13            0x7fffffffe090   140737488347280
r14            0x0  0
r15            0x0  0
rip            0x425b6e 0x425b6e <ImGuiStb::stb_textedit_discard_redo(ImGuiStb::StbUndoState*)+268>
eflags         0x10286  [ PF SF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0

We are on dear imgui 1.48 release in our game, but I have also repro'd on master 254a1a9 using the OpenGL 2 example.

-Dale Kim

[MINIONBOTS]

I don't want to highjack this issue, but I get weird exceptions as well, since I updated with all the commits from the last 2 months (havent had time to update before, but back then all was fine ).

But the problem is definitly string related. I had to disable the console, else it would randomly crash on opening the console or just later on. I tried to go deeper to find the cause, but it returns from that function fine a few times, then randomly crashes a bit later on. So I would guess something corrupts stack or memory around the stringshandling in
ImGui::Selectable(item);

[MINIONBOTS]

Reverted back my copy to the commit on 8th Feb. No crashes anymore.

[ocornut]

Thanks for the details and sorry for the delay. Will look into it!

[ocornut]

I am fixing Dale's bug now. Thanks.

@MINIONBOTS however I don't know what your issue it and it may be completely unrelated. How do I repro? Please confirm that it crashes in the demo code or provide an explanation/repro of the code or steps to use to see it. It probably needs a new issue as well. Thanks!

[unpacklo]

Oh man, such an innocuous line, and yet so wrong... how did this work at all?

Hopefully STB knows about this?

-Dale Kim

[ocornut]

Yeah it was surprising!

I posted it on twitter and github now
https://twitter.com/ocornut/status/739088473840312325
nothings/stb#321