Segfault for buffer command executed with command-line window open

[lervag]

Steps to reproduce

Given this very minimal vimrc file:

" test.vim
command! -buffer Test edit Test

loaded with vim -u test.vim. Now:

1. Do q: to open command-line window.
2. Do :Test<cr> (note the initial :!).
3. Observe a segfault.

Expected behaviour

The command uses an edit, which is not allowed when we run commands on top of command-line window. If we remove -buffer we observe the expected behaviour, which is to issue the following error:

E11: Invalid in command-line window; :q<CR> closes the window: edit Test

Version of Vim

9.0.1302

Environment

OS: Arch Linux
Terminal: rxvt-unicode (urxvt) v9.31
Value of $TERM: rxvt-256color
Shell: zsh 5.9

Logs and stack traces

The core dump contains this:


           PID: 98598 (vim)
           UID: 1000 (lervag)
           GID: 1000 (lervag)
        Signal: 11 (SEGV)
     Timestamp: Mon 2023-02-20 10:40:00 CET (20s ago)
  Command Line: vim -u test.vim
    Executable: /usr/bin/vim
 Control Group: /user.slice/user-1000.slice/session-1.scope
          Unit: session-1.scope
         Slice: user-1000.slice
       Session: 1
     Owner UID: 1000 (lervag)
       Boot ID: 428a18ace1a04613af88479b8c61ab53
    Machine ID: 65b46b3ca28847adb3f86fa61376007b
      Hostname: lotti
       Storage: /var/lib/systemd/coredump/core.vim.1000.428a18ace1a04613af88479b8c61ab53.98598.1676886000000000.zst (present)
  Size on Disk: 719.5K
       Message: Process 98598 (vim) of user 1000 dumped core.
                
                Stack trace of thread 98598:
                #0  0x000014a9ea65218b kill (libc.so.6 + 0x3918b)
                #1  0x00005615fee95bcf mch_exit (vim + 0x226bcf)
                #2  0x00005615ff04e73b getout (vim + 0x3df73b)
                #3  0x000014a9ea651f50 n/a (libc.so.6 + 0x38f50)
                #4  0x00005615fef91cba do_ucmd (vim + 0x322cba)
                #5  0x00005615fedc2cc2 do_cmdline (vim + 0x153cc2)
                #6  0x00005615fee6f15b n/a (vim + 0x20015b)
                #7  0x00005615fee6b3f2 normal_cmd (vim + 0x1fc3f2)
                #8  0x00005615ff04db23 main_loop (vim + 0x3deb23)
                #9  0x00005615fedd6869 n/a (vim + 0x167869)
                #10 0x00005615fedd9e6a n/a (vim + 0x16ae6a)
                #11 0x00005615fedc0356 do_cmdline (vim + 0x151356)
                #12 0x00005615fee6f15b n/a (vim + 0x20015b)
                #13 0x00005615fee6b3f2 normal_cmd (vim + 0x1fc3f2)
                #14 0x00005615ff04db23 main_loop (vim + 0x3deb23)
                #15 0x00005615ff04f76e vim_main2 (vim + 0x3e076e)
                #16 0x000014a9ea63c790 n/a (libc.so.6 + 0x23790)
                #17 0x000014a9ea63c84a __libc_start_main (libc.so.6 + 0x2384a)
                #18 0x00005615fed1f615 _start (vim + 0xb0615)
                
                Stack trace of thread 98599:
                #0  0x000014a9ea652c0a __sigtimedwait (libc.so.6 + 0x39c0a)
                #1  0x000014a9ea6aa3fb n/a (libc.so.6 + 0x913fb)
                #2  0x000014a9ea69ebb5 n/a (libc.so.6 + 0x85bb5)
                #3  0x000014a9ea720d90 n/a (libc.so.6 + 0x107d90)
                ELF object binary architecture: AMD x86-64

[lervag]

@zeertzjq suggests a solution here:

diff --git a/src/nvim/usercmd.c b/src/nvim/usercmd.c
index 3a5a4c3e9..6869f7eaf 100644
--- a/src/nvim/usercmd.c
+++ b/src/nvim/usercmd.c
@@ -1625,7 +1625,7 @@ int do_ucmd(exarg_T *eap, bool preview)
   if (eap->cmdidx == CMD_USER) {
     cmd = USER_CMD(eap->useridx);
   } else {
-    cmd = USER_CMD_GA(&curbuf->b_ucmds, eap->useridx);
+    cmd = USER_CMD_GA(&prevwin_curwin()->w_buffer->b_ucmds, eap->useridx);
   }
 
   if (preview) {

[zeertzjq]

This fixes the crash:

diff --git a/src/usercmd.c b/src/usercmd.c
index 44fa578f6..7d844620b 100644
--- a/src/usercmd.c
+++ b/src/usercmd.c
@@ -1838,7 +1838,7 @@ do_ucmd(exarg_T *eap)
     if (eap->cmdidx == CMD_USER)
 	cmd = USER_CMD(eap->useridx);
     else
-	cmd = USER_CMD_GA(&curbuf->b_ucmds, eap->useridx);
+	cmd = USER_CMD_GA(&prevwin_curwin()->w_buffer->b_ucmds, eap->useridx);
 
     /*
      * Replace <> in the command by the arguments.

Should this change also be applied to the three other occurrences of curbuf->b_ucmds (:command -buffer, :comclear, :delcommand) though?

[zeertzjq]

I've created PR #12030 to fix this.

[brammool]

This fixes the crash: ```diff diff --git a/src/usercmd.c b/src/usercmd.c index 44fa578f6..7d844620b 100644 --- a/src/usercmd.c +++ b/src/usercmd.c @@ -1838,7 +1838,7 @@ do_ucmd(exarg_T *eap) if (eap->cmdidx == CMD_USER) cmd = USER_CMD(eap->useridx); else - cmd = USER_CMD_GA(&curbuf->b_ucmds, eap->useridx); + cmd = USER_CMD_GA(&prevwin_curwin()->w_buffer->b_ucmds, eap->useridx); /* * Replace <> in the command by the arguments. ``` Should this change also be applied to the three other occurrences of `curbuf->b_ucmds` (`:command -buffer`, `:comclear`, `:delcommand`) though?

The mechanism to only pass the index without mentioning what buffer it is to be used with is rather brittle. But I can't think of an easy solution for that. In get_user_command_name() it checks the index is not out of range, that would help a bit. It's also a bit strange to use a user command defined for the text buffer when the cmdline window buffer is actually being used. But it's been like that for a long time and I don't recall complaints about it. The command typed in the cmdline window and executed when pressing Enter should hapen after going back to the original buffer. So what remains are commands that apply to the cmdline window itself. It's a bit strange to make them apply to the text buffer, but since the user commands from there are executed it would be logical. The current situation is inconsistent, I think it's better not to change it though, since it's not clear what consistent solution would be better.

…

-- hundred-and-one symptoms of being an internet addict: 159. You get excited whenever discussing your hard drive. /// Bram Moolenaar -- ***@***.*** -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///