Segfault in bufhl_clear_line

[TyOverby]

• nvim --version:

NVIM v0.4.2
Build type: RelWithDebInfo
LuaJIT 2.0.4
Compilation: /usr/lib64/ccache/cc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches  -m64 -mtu
ne=generic -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=1 -O2 -g -DMIN_LOG_LEVEL=3 -Og -g -Wall -Wextra -pedantic -Wno-unused-parameter -Wstrict-prototypes -std=gnu99 -Wshado
w -Wconversion -Wmissing-prototypes -Wvla -fstack-protector-strong -fdiagnostics-color=auto -DINCLUDE_GENERATED_DECLARATIONS -D_GNU_SOURCE -DNVIM_MSGPACK_HAS_FLOAT32 -DNVIM_
UNIBI_HAS_VAR_FROM -I/usr/local/home/msmith/rpmbuild/BUILD/neovim-0.4.2/build/config -I/usr/local/home/msmith/rpmbuild/BUILD/neovim-0.4.2/src -I/usr/include -I/usr/include/l
ua-5.1 -I/usr/local/home/msmith/rpmbuild/BUILD/neovim-0.4.2/build/src/nvim/auto -I/usr/local/home/msmith/rpmbuild/BUILD/neovim-0.4.2/build/include

Features: +acl +iconv +tui

• vim -u DEFAULTS (version: ): The segfault is very rare, I don't know how to reproduce it

Very rarely, when I save a file, neovim segfaults. I finally managed to get a segfault with gdb attached, and captured the following backtrace:

 #0  0x000000000045abdd in bufhl_clear_line ()
 #1  0x0000000000462837 in bufhl_clear_line_range ()
 #2  0x000000000043fab8 in nvim_buf_clear_namespace ()
 #3  0x0000000000442689 in handle_nvim_buf_clear_namespace ()
 #4  0x000000000049a9ec in api_wrapper ()
 #5  0x00000000004a4004 in call_func ()
 #6  0x00000000004a76e7 in get_func_tv ()
 #7  0x00000000004acd2d in ex_call ()
 #8  0x00000000004e1800 in do_one_cmd ()
 #9  0x00000000004e21d6 in do_cmdline ()
 #10 0x00000000004a3901 in call_user_func ()
 #11 0x00000000004a3fa8 in call_func ()
 #12 0x00000000004a76e7 in get_func_tv ()
 #13 0x00000000004acd2d in ex_call ()
 #14 0x00000000004e1800 in do_one_cmd ()
 #15 0x00000000004e21d6 in do_cmdline ()
 #16 0x00000000004a3901 in call_user_func ()
 #17 0x00000000004a3fa8 in call_func ()
 #18 0x00000000004a76e7 in get_func_tv ()
 #19 0x00000000004acd2d in ex_call ()
 #20 0x00000000004e1800 in do_one_cmd ()
 #21 0x00000000004e21d6 in do_cmdline ()
 #22 0x00000000004a3901 in call_user_func ()
 #23 0x00000000004a3fa8 in call_func ()
 #24 0x00000000004a76e7 in get_func_tv ()
 #25 0x00000000004acd2d in ex_call ()
 #26 0x00000000004e1800 in do_one_cmd ()
 #27 0x00000000004e21d6 in do_cmdline ()
 #28 0x00000000004f7e10 in apply_autocmds_group ()
 #29 0x00000000004f8498 in apply_autocmds ()
 #30 0x0000000000622f95 in win_enter_ext ()
 #31 0x0000000000623935 in win_enter ()
 #32 0x0000000000623baa in win_goto ()
 #33 0x0000000000623c60 in win_goto_hor ()
 #34 0x00000000006262bf in do_window ()
 #35 0x000000000054ebde in nv_window ()
 #36 0x0000000000557a0a in normal_execute ()
 #37 0x00000000005e3966 in state_enter ()
 #38 0x0000000000550271 in normal_enter ()
 #39 0x0000000000526be5 in main ()

With the disassembly:

    0x000000000045abb9 <+0>:     push   %rbx
    0x000000000045abba <+1>:     mov    %rdi,%rbx
    0x000000000045abbd <+4>:     mov    0x8(%rdi),%r10
    0x000000000045abc1 <+8>:     test   %esi,%esi
    0x000000000045abc3 <+10>:    jns    0x45ac07 <bufhl_clear_line+78>
    0x000000000045abc5 <+12>:    movq   $0x0,0x8(%rdi)
    0x000000000045abcd <+20>:    jmp    0x45ac1b <bufhl_clear_line+98>
    0x000000000045abcf <+22>:    mov    0x18(%rbx),%r8
    0x000000000045abd3 <+26>:    mov    %rcx,%rax
    0x000000000045abd6 <+29>:    shl    $0x4,%rax
    0x000000000045abda <+33>:    add    %r8,%rax
 => 0x000000000045abdd <+36>:    cmp    %esi,(%rax)
    0x000000000045abdf <+38>:    je     0x45ac01 <bufhl_clear_line+72>
    0x000000000045abe1 <+40>:    cmp    %rdi,%rcx
    0x000000000045abe4 <+43>:    je     0x45abfd <bufhl_clear_line+68>
    0x000000000045abe6 <+45>:    mov    %rdi,%r9
    0x000000000045abe9 <+48>:    shl    $0x4,%r9
    0x000000000045abed <+52>:    mov    0x8(%rax),%rdx
    0x000000000045abf1 <+56>:    mov    (%rax),%rax
    0x000000000045abf4 <+59>:    mov    %rax,(%r8,%r9,1)
    0x000000000045abf8 <+63>:    mov    %rdx,0x8(%r8,%r9,1)
    0x000000000045abfd <+68>:    add    $0x1,%rdi
    0x000000000045ac01 <+72>:    add    $0x1,%rcx
    0x000000000045ac05 <+76>:    jmp    0x45ac11 <bufhl_clear_line+88>
    0x000000000045ac07 <+78>:    mov    $0x0,%ecx
    0x000000000045ac0c <+83>:    mov    $0x0,%edi
    0x000000000045ac11 <+88>:    cmp    %rcx,0x8(%rbx)
    0x000000000045ac15 <+92>:    ja     0x45abcf <bufhl_clear_line+22>
    0x000000000045ac17 <+94>:    mov    %rdi,0x8(%rbx)
    0x000000000045ac1b <+98>:    cmp    %r10,0x8(%rbx)
    0x000000000045ac1f <+102>:   jne    0x45ac28 <bufhl_clear_line+111>
    0x000000000045ac21 <+104>:   mov    $0x0,%eax
    0x000000000045ac26 <+109>:   jmp    0x45ac2d <bufhl_clear_line+116>
    0x000000000045ac28 <+111>:   mov    $0x1,%eax
    0x000000000045ac2d <+116>:   cmpq   $0x0,0x28(%rbx)
    0x000000000045ac32 <+121>:   je     0x45ac52 <bufhl_clear_line+153>
    0x000000000045ac34 <+123>:   test   %esi,%esi
    0x000000000045ac36 <+125>:   js     0x45ac3d <bufhl_clear_line+132>
    0x000000000045ac38 <+127>:   cmp    %esi,0x20(%rbx)
    0x000000000045ac3b <+130>:   jne    0x45ac52 <bufhl_clear_line+153>
    0x000000000045ac3d <+132>:   lea    0x28(%rbx),%rdi
    0x000000000045ac41 <+136>:   callq  0x45ab64 <bufhl_clear_virttext>
    0x000000000045ac46 <+141>:   movl   $0x0,0x20(%rbx)

[justinmk]

Thanks for the report. Can you try the development version?

• The Releases page has pre-built archives for Linux/Windows/macOS.
• Check :version to confirm that you are using the latest version.