[vim/vim] [vim9] Segmentation fault with higher order function and variable number of args (Issue #11774)


Lifepillar

Jan 2, 2023, 1:57:39 PM
to vim/vim, Subscribed

Steps to reproduce

Source this script:

```vim
vim9script

def Map(Fn: func(...any): number): number
  return Fn('12')
enddef

Map((v) => str2nr(v))
```

Vim should segfault, somewhere inside need_type_where(). If ... are removed, the code compiles.

Expected behaviour

The code should compile and run without errors. The function should return the value 12 of type number.

Version of Vim

9.0.1133

Environment

macOS 13.1
Apple Terminal
xterm-256color
ZSH 5.8.1

Logs and stack traces

0   libsystem_kernel.dylib        	       0x19d7b5bfc __kill + 8
1   vim                           	       0x1044d012c may_core_dump + 64
2   vim                           	       0x1044cffd0 mch_exit + 204
3   vim                           	       0x10469ef10 getout + 1008
4   vim                           	       0x104484b08 preserve_exit + 212
5   vim                           	       0x1044d5b64 deathtrap + 596
6   libsystem_platform.dylib      	       0x19d81b2a4 _sigtramp + 56
7   vim                           	       0x104611d30 need_type_where + 180
8   vim                           	       0x104611d30 need_type_where + 180
9   vim                           	       0x104612034 need_type + 108
10  vim                           	       0x104639058 check_func_args_from_type + 516
11  vim                           	       0x104639174 generate_PCALL + 192
12  vim                           	       0x104633848 compile_call + 2116
13  vim                           	       0x104631820 compile_expr9 + 1632
14  vim                           	       0x104631100 compile_expr8 + 336
15  vim                           	       0x104630cac compile_expr7 + 52
16  vim                           	       0x1046307bc compile_expr6 + 52
17  vim                           	       0x10463030c compile_expr5 + 92
18  vim                           	       0x10462ff78 compile_expr4 + 68
19  vim                           	       0x10462f864 compile_expr3 + 52
20  vim                           	       0x10462f710 compile_expr2 + 52
21  vim                           	       0x10462f020 compile_expr1 + 136
22  vim                           	       0x10462f790 compile_expr0_ext + 60
23  vim                           	       0x10462e660 compile_expr0 + 36
24  vim                           	       0x104610c40 compile_return + 372
25  vim                           	       0x104616808 compile_def_function + 4688
26  vim                           	       0x104622cb0 call_def_function + 516
27  vim                           	       0x1045fc9bc call_user_func + 564
28  vim                           	       0x1045fc704 call_user_func_check + 332
29  vim                           	       0x1045fb070 call_func + 1808
30  vim                           	       0x1045fa81c get_func_tv + 476
31  vim                           	       0x1043a75bc eval_func + 396
32  vim                           	       0x1043a6e54 eval9 + 2160
33  vim                           	       0x1043a91bc eval8 + 512
34  vim                           	       0x1043a8b34 eval7 + 52
35  vim                           	       0x1043a8280 eval6 + 64
36  vim                           	       0x1043a7edc eval5 + 40
37  vim                           	       0x1043a7af8 eval4 + 68
38  vim                           	       0x1043a7690 eval3 + 44
39  vim                           	       0x10439f5a0 eval2 + 44
40  vim                           	       0x1043997d4 eval1 + 64
41  vim                           	       0x10439f2c0 eval0_retarg + 168
42  vim                           	       0x104398df0 eval0 + 52
43  vim                           	       0x1043efcfc ex_eval + 140
44  vim                           	       0x1043dcfa4 do_one_cmd + 6948
45  vim                           	       0x1043da388 do_cmdline + 2736
46  vim                           	       0x1045537e0 do_source_ext + 2904
47  vim                           	       0x104552c7c do_source + 56
48  vim                           	       0x104552b14 cmd_source + 496
49  vim                           	       0x104552918 ex_source + 32
50  vim                           	       0x1043dcfa4 do_one_cmd + 6948
51  vim                           	       0x1043da388 do_cmdline + 2736
52  vim                           	       0x1044a2414 nv_colon + 420
53  vim                           	       0x10449a530 normal_cmd + 2564
54  vim                           	       0x10469fa48 main_loop + 2408
55  vim                           	       0x10469e110 vim_main2 + 2648
56  vim                           	       0x10469b3d8 main + 1416


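A small regression check for the two cases in this report, added here as an example; it is not part of the issue thread or of Vim's own test suite. It assumes a Vim in which #11774 has been fixed, and the temporary file name Xbad.vim is a placeholder of my own choosing.

```vim
vim9script
# Added regression check (not from the issue or Vim's test suite).
# Case 1: a higher-order function whose parameter has a variadic func type
#         must compile and return the number 12 instead of crashing.
# Case 2: the variadic-parameter form "...Fn: func(...)" must be rejected
#         with E1180 (argument type must be a list), again without crashing.

def Map(Fn: func(...any): number): number
  return Fn('12')
enddef

def CheckFixed()
  # The original reproducer from the report.
  var result = Map((v) => str2nr(v))
  assert_equal(12, result)
  assert_equal(v:t_number, type(result))
enddef

def CheckVariadicParamRejected()
  # Write the second reproducer to a scratch file (Xbad.vim is a placeholder
  # name) and source it; the definition must fail with E1180 rather than
  # crash, and sourcing it repeatedly must not corrupt memory either.
  var lines =<< trim END
    vim9script
    def Bad(...Fn: func(...any): number): number
      return Fn('12')
    enddef
  END
  writefile(lines, 'Xbad.vim')
  try
    for _ in range(5)
      assert_fails('source Xbad.vim', 'E1180:')
    endfor
  finally
    delete('Xbad.vim')
  endtry
enddef

CheckFixed()
CheckVariadicParamRejected()
if len(v:errors) > 0
  echoerr join(v:errors, "\n")
else
  echo 'OK: #11774 reproducers behave as expected'
endif
```

Run it with `vim -u NONE -S thisfile.vim`; on a build that still has the bug the first case crashes before any assertion reports.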

Bram Moolenaar

Jan 3, 2023, 7:34:17 AM
to vim/vim, Subscribed

Closed #11774 as completed via 36818a9.



Lifepillar

Jan 3, 2023, 5:54:24 PM
to vim/vim, Subscribed

Thanks for fixing this so quickly! I can trigger another segfault in Vim 9.0.1140, less deterministically but reproducibly, by sourcing a script like this:

```vim
vim9script

def Map(...Fn: func(...any): number): number
  return Fn('12')
enddef

Map((v) => str2nr(v))
```

(which raises E1180), then removing the `...` and sourcing the script again (which succeeds), then re-adding the `...` and sourcing the script again, then removing the dots again… and repeating this a few times. I've got a few different stack traces:

0   libsystem_kernel.dylib        	       0x19d7b5bfc __kill + 8
1   vim                           	       0x100687854 may_core_dump + 64
2   vim                           	       0x1006876f8 mch_exit + 204
3   vim                           	       0x100856ed0 getout + 1008
4   vim                           	       0x10063c230 preserve_exit + 212
5   vim                           	       0x10068d28c deathtrap + 596
6   libsystem_platform.dylib      	       0x19d81b2a4 _sigtramp + 56
7   libsystem_pthread.dylib       	       0x19d7eccec pthread_kill + 288
8   libsystem_c.dylib             	       0x19d7262c8 abort + 180
9   libsystem_malloc.dylib        	       0x19d644b1c malloc_vreport + 908
10  libsystem_malloc.dylib        	       0x19d648330 malloc_report + 64
11  libsystem_malloc.dylib        	       0x19d654e60 find_zone_and_free + 308
12  vim                           	       0x1004e7da0 vim_free + 56
13  vim                           	       0x1007bafd4 func_clear_items + 180
14  vim                           	       0x1007b8cac define_function + 5580
15  vim                           	       0x1007bb1a0 ex_function + 56
16  vim                           	       0x1005946cc do_one_cmd + 6948
17  vim                           	       0x100591ab0 do_cmdline + 2736
18  vim                           	       0x10070af08 do_source_ext + 2904
19  vim                           	       0x10070a3a4 do_source + 56
20  vim                           	       0x10070a23c cmd_source + 496
21  vim                           	       0x10070a040 ex_source + 32
22  vim                           	       0x1005946cc do_one_cmd + 6948
23  vim                           	       0x100591ab0 do_cmdline + 2736
24  vim                           	       0x100659b3c nv_colon + 420
25  vim                           	       0x100651c58 normal_cmd + 2564
26  vim                           	       0x100857a08 main_loop + 2408
27  vim                           	       0x1008560d0 vim_main2 + 2648
28  vim                           	       0x100853398 main + 1416
29  dyld                          	       0x19d4c3e50 start + 2544

0   libsystem_kernel.dylib        	       0x19d7b5bfc __kill + 8
1   vim                           	       0x105103854 may_core_dump + 64
2   vim                           	       0x1051036f8 mch_exit + 204
3   vim                           	       0x1052d2ed0 getout + 1008
4   vim                           	       0x1050b8230 preserve_exit + 212
5   vim                           	       0x10510928c deathtrap + 596
6   libsystem_platform.dylib      	       0x19d81b2a4 _sigtramp + 56
7   libsystem_pthread.dylib       	       0x19d7eccec pthread_kill + 288
8   libsystem_c.dylib             	       0x19d7262c8 abort + 180
9   libsystem_malloc.dylib        	       0x19d644b1c malloc_vreport + 908
10  libsystem_malloc.dylib        	       0x19d648330 malloc_report + 64
11  libsystem_malloc.dylib        	       0x19d654e60 find_zone_and_free + 308
12  vim                           	       0x104f63da0 vim_free + 56
13  vim                           	       0x105174d00 free_yank + 92
14  vim                           	       0x105170f44 free_yank_all + 24
15  vim                           	       0x105174f1c op_yank + 456
16  vim                           	       0x1050dfb80 op_delete + 1108
17  vim                           	       0x1050e8208 do_pending_operator + 5892
18  vim                           	       0x1050cdd1c normal_cmd + 2760
19  vim                           	       0x1052d3a08 main_loop + 2408
20  vim                           	       0x1052d20d0 vim_main2 + 2648
21  vim                           	       0x1052cf398 main + 1416
22  dyld                          	       0x19d4c3e50 start + 2544

0   libsystem_kernel.dylib        	       0x19d7b5bfc __kill + 8
1   vim                           	       0x10317b854 may_core_dump + 64
2   vim                           	       0x10317b6f8 mch_exit + 204
3   vim                           	       0x10334aed0 getout + 1008
4   vim                           	       0x103130230 preserve_exit + 212
5   vim                           	       0x10318128c deathtrap + 596
6   libsystem_platform.dylib      	       0x19d81b2a4 _sigtramp + 56
7   libsystem_pthread.dylib       	       0x19d7eccec pthread_kill + 288
8   libsystem_c.dylib             	       0x19d7262c8 abort + 180
9   libsystem_malloc.dylib        	       0x19d644b1c malloc_vreport + 908
10  libsystem_malloc.dylib        	       0x19d648330 malloc_report + 64
11  libsystem_malloc.dylib        	       0x19d654e60 find_zone_and_free + 308
12  vim                           	       0x102fdbda0 vim_free + 56
13  vim                           	       0x103085b50 do_cmdline + 2896
14  vim                           	       0x10314db3c nv_colon + 420
15  vim                           	       0x103145c58 normal_cmd + 2564
16  vim                           	       0x10334ba08 main_loop + 2408
17  vim                           	       0x10334a0d0 vim_main2 + 2648
18  vim                           	       0x103347398 main + 1416
19  dyld                          	       0x19d4c3e50 start + 2544

0   libsystem_kernel.dylib        	       0x19d7b5bfc __kill + 8
1   vim                           	       0x100a5f854 may_core_dump + 64
2   vim                           	       0x100a5f6f8 mch_exit + 204
3   vim                           	       0x100c2eed0 getout + 1008
4   vim                           	       0x100a14230 preserve_exit + 212
5   vim                           	       0x100a6528c deathtrap + 596
6   libsystem_platform.dylib      	       0x19d81b2a4 _sigtramp + 56
7   vim                           	       0x100b824bc serialize_uep + 160
8   vim                           	       0x100b7d60c serialize_uhp + 472
9   vim                           	       0x100b7cab4 u_write_undo + 1252
10  vim                           	       0x100bee5f4 buf_write + 14572
11  vim                           	       0x10095fda0 do_write + 1408
12  vim                           	       0x10095f810 ex_update + 36
13  vim                           	       0x10096c6cc do_one_cmd + 6948
14  vim                           	       0x100969ab0 do_cmdline + 2736
15  vim                           	       0x1009b3c24 do_cmdkey_command + 304
16  vim                           	       0x100a31b1c nv_colon + 388
17  vim                           	       0x100a29c58 normal_cmd + 2564
18  vim                           	       0x100c2fa08 main_loop + 2408
19  vim                           	       0x100c2e0d0 vim_main2 + 2648
20  vim                           	       0x100c2b398 main + 1416
21  dyld                          	       0x19d4c3e50 start + 2544



Bram Moolenaar

Jan 4, 2023, 8:17:29 AM
to vim/vim, Subscribed


> Thanks for fixing this so quickly! I can trigger another segfault in
> Vim 9.0.1140, less deterministically but reproducibly, by sourcing a
> script like this:
>
> ```vim
> vim9script
>
> def Map(...Fn: func(...any): number): number
>   return Fn('12')
> enddef
>
> Map((v) => str2nr(v))
> ```
>
> (which raises E1180), then removing the `...` and sourcing the script
> again (which succeeds), then re-adding the `...` and sourcing the
> script again, then removing the dots again… and repeating this a few
> times. I've got a few different stack traces:

Which "..." are you referring to? I assume it's in the "...Fn".

It's a bit difficult to reproduce this way. Not sure if it can be
turned into a test.

I can fix the crash, but then I keep a couple of memory leaks. It
appears that when parsing the arguments fails not everything is cleaned
up. I'll give it a try.


--
System administrators are just like women: You can't live with them and you
can't live without them.

/// Bram Moolenaar -- ***@***.*** -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///



Lifepillar

Jan 4, 2023, 10:13:05 AM
to vim/vim, Subscribed

> Which "..." are you referring to? I assume it's in the "...Fn".

Yes, that's correct. Sorry for the inaccurate explanation.

I cannot reproduce it with Vim 9.0.1142. So, the last commit seems to have fixed it!


