Vim crashes when completing arguments to a user-defined command in the cmdline window


Yegappan Lakshmanan

Jan 18, 2008, 12:46:56 AM
to vim...@googlegroups.com
Hi all,

I am observing that Vim crashes when trying to complete the arguments to
a user-defined command in the cmdline window. I see this with Vim 7.1.180.

To reproduce this crash, use the following sample code:

-------------------- crash.vim -----------------------------------------
function! s:Myfunc(ArgLead, CmdLine, CursorPos)
return ["apple", "orange", "grapes"]
endfunction

command! -nargs=1 -complete=customlist,s:Myfunc Crashvim :echo '<args>'
-----------------------------------------------------------------------------

After sourcing the above file, open the cmdline window using "q:".
In the cmdline window, enter the "Crashvim" command and then
try to complete the arguments to the command by pressing <Tab>.
Now Vim crashes with the following traceback:

Program received signal SIGSEGV, Segmentation fault.
0x00072c00 in call_user_expand_func (user_expand_func=0x4b774
<call_func_retlist>, xp=0x1cc924, num_file=0xffbee138,
file=0xffbee134) at ex_getln.c:4669
4669 keep = ccline.cmdbuff[ccline.cmdlen];
(cisco-6.1.0-gdb) bt
#0 0x00072c00 in call_user_expand_func (user_expand_func=0x4b774
<call_func_retlist>, xp=0x1cc924, num_file=0xffbee138,
file=0xffbee134) at ex_getln.c:4669
#1 0x000735d4 in ExpandFromContext (xp=0x1cc924, pat=0x392f70 "^",
num_file=0xffbee138, file=0xffbee134, options=-4267724) at
ex_getln.c:4758
#2 0x00073b3c in expand_cmdline (xp=0x1cc924, str=0x37b310 "Crashvim
", col=3747696, matchcount=0xffbee138, matches=0xffbee134) at
ex_getln.c:4228
#3 0x0002a804 in ins_compl_next (allow_get_expansion=1, count=0,
insert_match=1) at edit.c:4010
#4 0x0002b368 in ins_complete (c=22) at edit.c:4585
#5 0x00030df8 in edit (cmdchar=1912832, startln=1911808, count=1) at
edit.c:1338
#6 0x000e5310 in op_change (oap=0xffbee5f8) at ops.c:2598
#7 0x000dc548 in do_pending_operator (cap=0xffbee548, old_col=0,
gui_yank=0) at normal.c:1909
#8 0x000dd88c in normal_cmd (oap=0xffbee5f8, toplevel=1) at normal.c:1174
#9 0x0009c5c0 in main_loop (cmdwin=1, noexmode=0) at main.c:1181
#10 0x00078e6c in getcmdline (firstc=58, count=1, indent=0) at ex_getln.c:6052
#11 0x00067e84 in do_cmdline (cmdline=0x0, getline=0x79bd0
<getexline>, cookie=0x0, flags=0) at ex_docmd.c:995
#12 0x000d9344 in nv_colon (cap=0xffbeedf8) at normal.c:5175
#13 0x000dd808 in normal_cmd (oap=0xffbeeea8, toplevel=1) at normal.c:1148
#14 0x0009c5c0 in main_loop (cmdwin=0, noexmode=0) at main.c:1181
#15 0x000a0764 in main (argc=1911808, argv=0x1) at main.c:940

Is anyone else able to reproduce this crash?

- Yegappan

Dominique Pelle

Jan 18, 2008, 4:04:03 AM
to vim...@googlegroups.com


Yes, I can also reproduce it with vim 7.1 (Patches 1-230) on
Linux x86 built with 'configure --with-features=huge'. My stack
trace looks similar to yours (only line numbers are slightly different
because I'm using a newer version of vim).

ccline.cmdbuff is a NULL pointer at line 4680 of ex_getln.c:

4661 static void *
4662 call_user_expand_func(user_expand_func, xp, num_file, file)
4663 void *(*user_expand_func) __ARGS((char_u *, int,
char_u **, int>
4664 expand_T *xp;
4665 int *num_file;
4666 char_u ***file;
4667 {
4668 char_u keep;
4669 char_u num[50];
4670 char_u *args[3];
4671 int save_current_SID = current_SID;
4672 void *ret;
4673 struct cmdline_info save_ccline;
4674
4675 if (xp->xp_arg == NULL || xp->xp_arg[0] == '\0')
4676 return NULL;
4677 *num_file = 0;
4678 *file = NULL;
4679
!!4680 keep = ccline.cmdbuff[ccline.cmdlen];
4681 ccline.cmdbuff[ccline.cmdlen] = 0;

I tried to run with the valgrind memory checker but it does not show
anything more before dereferencing the NULL pointer at line 4680.

-- Dominique
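
The diagnosis above, as an added example that is not part of the original thread and is not Vim's actual patch: a simplified C model of the save / NUL-terminate / restore sequence at lines 4680-4681, with a NULL guard in front of it. The reduced struct, `call_expand_guarded`, `run_case` and the `seen_len` callback are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char char_u;

/* Reduced stand-in for Vim's struct cmdline_info: only the two fields
 * used on the crashing line are modelled (assumption). */
struct cmdline_info {
    char_u *cmdbuff;   /* NULL in the cmdline-window case reported above */
    int     cmdlen;    /* offset at which the text is cut for the callback */
};
static struct cmdline_info ccline;

/* Hypothetical completion callback: reports how much text it was given. */
typedef int (*expand_cb)(const char_u *line);
static int seen_len(const char_u *line) { return (int)strlen((const char *)line); }

/* Guarded form of the keep / terminate / restore sequence.
 * Returns -1 instead of dereferencing when there is no buffer. */
int call_expand_guarded(expand_cb cb)
{
    char_u keep;
    int ret;

    if (ccline.cmdbuff == NULL || ccline.cmdlen < 0)
        return -1;                        /* unguarded code faults here */
    keep = ccline.cmdbuff[ccline.cmdlen]; /* save the byte being overwritten */
    ccline.cmdbuff[ccline.cmdlen] = 0;    /* callback sees text up to cmdlen */
    ret = cb(ccline.cmdbuff);
    ccline.cmdbuff[ccline.cmdlen] = keep; /* restore the original byte */
    return ret;
}

/* Set up the global state for one case and run the guarded call. */
int run_case(char_u *buf, int len)
{
    ccline.cmdbuff = buf;
    ccline.cmdlen = len;
    return call_expand_guarded(seen_len);
}

int main(void)
{
    char_u line[] = "Crashvim apple";     /* constructed sample input */
    printf("NULL buffer  -> %d\n", run_case(NULL, 0));
    printf("real buffer  -> %d\n", run_case(line, 11));
    printf("after restore: %s\n", (char *)line);
    return 0;
}
```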

Bram Moolenaar

Jan 18, 2008, 7:15:57 AM
to Yegappan Lakshmanan, vim...@googlegroups.com

Yegappan Lakshmanan wrote:

It appears user defined completion never worked in Insert mode. I'll
make a patch.

--
[The rest of the ARMY stand around looking at a loss.]
INSPECTOR END OF FILM: (picks up megaphone) All right! Clear off! Go on!
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
