[patch] SEGV when autocmd BufUnload with bwipe


h_east

Sep 4, 2016, 8:33:17 AM9/4/16
to vim_dev
Hi Bram and developers,

I checked in 7.4.2321

==== Case 1 ====
How to reproduce:
- Create the following file:
$ cat sample1.vim
" a.txt takes over the initial empty buffer, so it becomes buffer 1
edit a.txt
augroup sample
autocmd!
" when a.txt is unloaded, wipe out buffer 2: the buffer being loaded
autocmd BufUnload <buffer> tabfirst | 2bwipeout!
augroup END
" creates buffer 2 and fires BufUnload for a.txt
edit b.txt

- Run vanilla Vim with the above script file
$ vim -Nu NONE -S sample1.vim

Expected behavior:
SEGV does not occur.

Actual behavior:
SEGVed.

==== Case 2 ====
How to reproduce:
- Create the following file:
$ cat sample2.vim
setlocal buftype=nowrite
augroup sample
autocmd!
autocmd BufUnload <buffer> tabfirst | 2bwipeout
augroup END
normal! i1
edit a.txt
call feedkeys("\<CR>")

- Run vanilla Vim with the above script file
$ vim -Nu NONE -S sample2.vim

Expected behavior:
SEGV does not occur.

Actual behavior:
SEGVed.


I know these are rare cases and malicious scripts.
But it is not good to SEGV.

I wrote a patch. --> `fix_autocmd_bufunload_with_bwipe.patch`
Check it out.
I've also written a test. --> `autocmd_bufunload_with_bwipe_test.patch`
Unfortunately, it did not SEGV in the pre-patch binary :-/

NOTE: This issue was reported by Norio Takagi. (Thanks!)

--
Best regards,
Hirohito Higashi (a.k.a. h_east)

fix_autocmd_bufunload_with_bwipe.patch
autocmd_bufunload_with_bwipe_test.patch

h_east

Sep 4, 2016, 12:45:33 PM9/4/16
to vim_dev
Hi Bram,

2016-9-4(Sun) 21:33:17 UTC+9 h_east:

My patch also fixed the following case.

==== Case 3 ====
How to reproduce:
- Create the following file:
$ cat sample3.vim
tabedit
augroup sample
autocmd!
autocmd BufWinLeave <buffer> tabfirst
augroup END
:%!ls
edit! a.txt
normal! gt
:%!ls
call feedkeys("\<CR>q::q\<CR>")

- Run vanilla Vim with the above script file
$ vim -Nu NONE -S sample3.vim

Expected behavior:
SEGV does not occur.

Actual behavior:
SEGVed.


Thanks.

Bram Moolenaar

Sep 4, 2016, 1:51:21 PM9/4/16
to h_east, vim_dev
I think we need a more drastic solution. Autocommands wiping out a
buffer that we rely on should not happen. We already had the b_closing
flag, let's turn that into a b_locked flag.

> I've also written test. --> `autocmd_bufunload_with_bwipe_test.patch`
> Unfortunately, it did not SEGV in the pre-patch binary :-/

That's because it deletes buffer 2, but in the test the buffer number
will be higher. I managed to get the crash using bufnr('$') + 1.

> NOTE: This issue was reported by Norio Takagi. (Thanks!)

--
You're as much use as a condom machine at the Vatican.
-- Rimmer to Holly in Red Dwarf 'Queeg'

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

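A toy model of the guard Bram is proposing, added here as an illustration; it is not Vim's code. The names buf_T, b_fnum, b_locked, buflist_new, buflist_findnr and buf_wipe are borrowed from Vim's vocabulary for readability only, and their bodies are simplifications. The model replays the shape of the reproducer (a BufUnload autocommand that wipes out bufnr('$') + 1, the buffer that :edit is in the middle of creating) once without the lock and once with it, and reports a dangling buffer where the real code would dereference a freed buf_T:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added toy model of a b_locked guard, not Vim's source.  A buffer that
 * core code still relies on gets b_locked > 0 for the duration of the
 * core operation, and buf_wipe() refuses to free it in that window. */

typedef struct buf_S {
    int           b_fnum;     /* buffer number */
    char          b_name[32];
    int           b_locked;   /* > 0 while core code depends on this buffer */
    struct buf_S *b_next;
} buf_T;

static buf_T *firstbuf;       /* head of the buffer list */
static int    last_fnum;      /* highest buffer number handed out */

/* BufUnload autocommands; each receives the buffer being unloaded. */
typedef void (*autocmd_T)(buf_T *unloaded);
static autocmd_T bufunload_cmds[8];
static int       n_bufunload_cmds;

static void apply_autocmds_bufunload(buf_T *b)
{
    for (int i = 0; i < n_bufunload_cmds; ++i)
        bufunload_cmds[i](b);           /* arbitrary user code runs here */
}

static buf_T *buflist_new(const char *name)
{
    buf_T *b = calloc(1, sizeof *b);
    buf_T **pp = &firstbuf;
    if (b == NULL)
        abort();
    b->b_fnum = ++last_fnum;
    snprintf(b->b_name, sizeof b->b_name, "%s", name);
    while (*pp != NULL)
        pp = &(*pp)->b_next;
    *pp = b;
    return b;
}

static buf_T *buflist_findnr(int fnum)
{
    for (buf_T *b = firstbuf; b != NULL; b = b->b_next)
        if (b->b_fnum == fnum)
            return b;
    return NULL;
}

/* ":Nbwipeout!": 0 on success, -1 if N does not exist or is locked. */
static int buf_wipe(int fnum)
{
    for (buf_T **pp = &firstbuf; *pp != NULL; pp = &(*pp)->b_next) {
        buf_T *b = *pp;
        if (b->b_fnum != fnum)
            continue;
        if (b->b_locked > 0)
            return -1;                  /* the fix: in use, refuse to free */
        *pp = b->b_next;
        free(b);
        return 0;
    }
    return -1;
}

enum { EDIT_OK = 0, EDIT_DANGLING = 1 };

/* ":edit name" from *curbuf.  The new buffer already exists when BufUnload
 * runs for the old one; lock == 0 is the pre-patch shape, lock != 0 holds
 * both buffers across the autocommand.  Both buffers are re-looked-up by
 * number afterwards instead of trusting pointers the autocommand may have
 * freed; a missing one is reported as EDIT_DANGLING (the real SEGV). */
static int do_edit(buf_T **curbuf, const char *name, int lock)
{
    buf_T *oldbuf = *curbuf;
    buf_T *newbuf = buflist_new(name);
    int old_fnum = oldbuf->b_fnum, new_fnum = newbuf->b_fnum;

    if (lock) {
        ++oldbuf->b_locked;
        ++newbuf->b_locked;
    }
    apply_autocmds_bufunload(oldbuf);

    oldbuf = buflist_findnr(old_fnum);
    newbuf = buflist_findnr(new_fnum);
    if (lock) {
        if (oldbuf != NULL) --oldbuf->b_locked;
        if (newbuf != NULL) --newbuf->b_locked;
    }
    if (oldbuf == NULL || newbuf == NULL)
        return EDIT_DANGLING;
    *curbuf = newbuf;
    return EDIT_OK;
}

/* The thread's autocommand: wipe bufnr('$') + 1 as of definition time,
 * which is the buffer ":edit" is about to create. */
static int  target_fnum;
static void au_wipe_target(buf_T *unloaded)
{
    (void)unloaded;
    buf_wipe(target_fnum);
}

/* Runs the reproducer from a clean state; returns do_edit()'s result. */
static int scenario(int lock)
{
    buf_T *curbuf;
    while (firstbuf != NULL) {          /* drop leftovers from earlier runs */
        buf_T *b = firstbuf;
        firstbuf = b->b_next;
        free(b);
    }
    last_fnum = 0;
    n_bufunload_cmds = 0;

    curbuf = buflist_new("aa.txt");
    target_fnum = last_fnum + 1;        /* bufnr('$') + 1 */
    bufunload_cmds[n_bufunload_cmds++] = au_wipe_target;
    return do_edit(&curbuf, "bb.txt", lock);
}

int main(void)
{
    printf("unguarded edit: %s\n", scenario(0) == EDIT_DANGLING
           ? "new buffer freed under us (SEGV in real Vim)" : "ok");
    printf("guarded edit:   %s\n", scenario(1) == EDIT_OK
           ? "wipe refused, edit completes" : "dangling");
    return 0;
}
```

Build with `cc -std=c99` and run: the unguarded run finds the new buffer gone before :edit can use it, the guarded run shows the wipe refused and the edit completing. The lock is a counter rather than a boolean so that nested core operations (an autocommand that itself triggers another :edit) each take and release their own hold, which a single flag could not express.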
Bram Moolenaar

Sep 4, 2016, 3:33:31 PM9/4/16
to h_east, vim_dev
That can be simplified to:

tabedit
augroup sample
autocmd!
autocmd BufWinLeave <buffer> tabfirst
augroup END
call setline(1, ['a', 'b', 'c'])
" abandoning the modified buffer fires BufWinLeave, whose tabfirst
" changes the current window underneath the code still leaving it
edit! a.txt

It still crashes. Need to check the window changed also for
BufWinLeave.

--
"Hit any key to continue" is very confusing when you have two keyboards.