[vim/vim] Vim9: crash when using ":pedit" while 'previewpopup' is set (Issue #9134)

[lacygoill]

Steps to reproduce

Run this shell command:

vim -Nu NONE +'set previewpopup=height:10,width:60' +'vim9 pedit file'

Vim crashes.

Expected behavior

Vim doesn't crash.

Operating system

Ubuntu 20.04.3 LTS

Version of Vim

8.2 Included patches: 1-3595

Logs and stack traces

• backtrace
• asan log

According to asan, there is a runtime error on line 735 in src/typval.c:

typval.c:735:18: runtime error: member access within null pointer of type 'struct typval_T'

More precisely, on v_type:

if (args[idx].v_type != VAR_STRING
              ^----^

---

The issue is specific to Vim9:

vim -Nu NONE +'set previewpopup=height:10,width:60' +'vim9 pedit file'
                                                      ^--^

No crash if :pedit is run from the legacy context:

vim -Nu NONE +'set previewpopup=height:10,width:60' +'legacy pedit file'
                                                      ^----^

---

Regression introduced in patch 8.2.3229.

cc @yegappan via #8646

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub.
Triage notifications on the go with GitHub Mobile for iOS or Android.

[lacygoill]

Also a valgrind log.

[Yegappan Lakshmanan]

Hi,

Thanks for reporting the issue. The below patch will fix this issue:

diff --git a/src/popupwin.c b/src/popupwin.c
index d86c6c0ef..59bdf86b8 100644
--- a/src/popupwin.c
+++ b/src/popupwin.c
@@ -1851,13 +1851,13 @@ popup_create(typval_T *argvars, typval_T *rettv, create_
type_T type)
     int                nr;
     int                i;
 
-    if (in_vim9script()
-           && (check_for_string_or_number_or_list_arg(argvars, 0) == FAIL
-               || check_for_dict_arg(argvars, 1) == FAIL))
-       return NULL;
-
     if (argvars != NULL)
     {
+       if (in_vim9script()
+               && (check_for_string_or_number_or_list_arg(argvars, 0) == FAIL
+                   || check_for_dict_arg(argvars, 1) == FAIL))
+           return NULL;
+
        // Check that arguments look OK.
        if (argvars[0].v_type == VAR_NUMBER)
        {

Regards,

Yegappan

 

[vim-dev ML]

Hi,

On Sun, Nov 14, 2021 at 2:57 PM lacygoill ***@***.***> wrote:

> *Steps to reproduce*

>
> Run this shell command:
>
> vim -Nu NONE +'set previewpopup=height:10,width:60' +'vim9 pedit file'
>
> Vim crashes.
>

> *Expected behavior*
>
> Vim doesn't crash.
>
> *Operating system*
>
> Ubuntu 20.04.3 LTS
>
> *Version of Vim*
>
> 8.2 Included patches: 1-3595
>
> *Logs and stack traces*
>
> - backtrace <https://github.com/vim/vim/files/7534861/backtrace.txt>
> - asan log <https://github.com/vim/vim/files/7534860/asan.log>

>
> According to asan, there is a runtime error on line 735 in src/typval.c:
>
> typval.c:735:18: runtime error: member access within null pointer of type 'struct typval_T'
>
> More precisely, on v_type:
>
> if (args[idx].v_type != VAR_STRING
> ^----^
>

> ------------------------------

>
> The issue is specific to Vim9:
>
> vim -Nu NONE +'set previewpopup=height:10,width:60' +'vim9 pedit file'
> ^--^
>
> No crash if :pedit is run from the legacy context:
>
> vim -Nu NONE +'set previewpopup=height:10,width:60' +'legacy pedit file'
> ^----^
>

> ------------------------------
>
> Regression introduced in patch 8.2.3229
> <https://github.com/vim/vim/releases/tag/v8.2.3229>.
>
> cc @yegappan <https://github.com/yegappan> via #8646
> <https://github.com/vim/vim/pull/8646>

[lacygoill]

I can confirm that this patch fixes the issue:

diff --git a/src/popupwin.c b/src/popupwin.c
index d86c6c0ef..2c9e0f55d 100644
--- a/src/popupwin.c
+++ b/src/popupwin.c
@@ -1851,13 +1851,13 @@ popup_create(typval_T *argvars, typval_T *rettv, create_type_T type)
     int		nr;
     int		i;
 

-    if (in_vim9script()
-	    && (check_for_string_or_number_or_list_arg(argvars, 0) == FAIL
-		|| check_for_dict_arg(argvars, 1) == FAIL))
-	return NULL;
-
     if (argvars != NULL)
     {
+	if (in_vim9script()
+	    && (check_for_string_or_number_or_list_arg(argvars, 0) == FAIL
+	    || check_for_dict_arg(argvars, 1) == FAIL))
+	return NULL;
+
 	// Check that arguments look OK.
 	if (argvars[0].v_type == VAR_NUMBER)
 	{

Thank you very much for the quick fix.

—
You are receiving this because you commented.

[lacygoill]

Unrelated, but I have noticed that the wiki page dedicated to debugging Vim contains a TODO item:

Creating a GDB stack trace

(to be documented)

As a suggestion, I would write something like this:

$ gdb -q --args /path/to/vim/binary -Nu NONE -S /tmp/crash.vim
(gdb) set logging on
# start Vim so that it crashes
(gdb) run
# Print the backtrace.
# If it's too long, it will be printed in a pager.
# If so, press Enter repeatedly to scroll until you reach the bottom of the pager.
(gdb) bt full
(gdb) quit
# the backtrace should be in gdb.txt

—
You are receiving this because you commented.

[Bram Moolenaar]

Closed #9134 via 733b124.

—
You are receiving this because you commented.

[lacygoill]

As a suggestion, I would write something like this:

I forgot the commands to compile with the debugging symbols:

$ make clean
$ make distclean
$ sed -i 's/#ABORT_CFLAGS = -DABORT_ON_INTERNAL_ERROR/ABORT_CFLAGS = -DABORT_ON_INTERNAL_ERROR/ ; s/#CFLAGS = -g$/CFLAGS = -g -O0/ ; s@#STRIP = /bin/true@STRIP = /bin/true@' src/Makefile
$ make
$ gdb -q --args /path/to/vim/binary -Nu NONE -S /tmp/crash.vim
(gdb) set logging on
# start Vim so that it crashes
(gdb) run
# Print the backtrace.
# If it's too long, it will be printed in a pager.
# If so, press Enter repeatedly to scroll until you reach the bottom of the pager.
(gdb) bt full
(gdb) quit
# the backtrace should be in gdb.txt

—
You are receiving this because you commented.

[K.Takata]

Thank you. Updated.

—
You are receiving this because you commented.