seg fault when trying to open a '.swp' existed file

[Shane-XB-Qian]

Describe the bug
seg fault when 1 file was opened in a vim, then tried to open same file in another vim, chose 'q' when prompt '.swp' existed.

To Reproduce
Detailed steps to reproduce the behavior:

1. vim --clean foo.txt
2. another vim
3. trying to open 'foo.txt' with 'ctrlp'
4. prompt '.swp' existed, then chose 'q'
5. seg fault

Expected behavior
no seg fault.

Screenshots
n/a

Environment (please complete the following information):

• Vim v8.2.3083

Additional context
with 'ctrlp'

[Shane-XB-Qian]

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f404090255b in kill () at ../sysdeps/unix/syscall-template.S:78
78	../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0  0x00007f404090255b in kill () at ../sysdeps/unix/syscall-template.S:78
#1  0x00005610dbbcc7b3 in may_core_dump () at os_unix.c:3456
#2  0x00005610dbbcebb4 in may_core_dump () at os_unix.c:3425
#3  mch_exit (r=1) at os_unix.c:3422
#4  0x00005610dbd0ff1c in getout (exitval=1) at main.c:1711
#5  0x00007f4040ac3420 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#6  0x00005610dbd0a90d in getvcol (wp=wp@entry=0x5610dc28e780, pos=pos@entry=0x5610dc28e7b8, start=start@entry=0x7ffeca1ab6b4, cursor=cursor@entry=0x0, end=end@entry=0x0) at charset.c:1224
#7  0x00005610dbd0ad23 in getvvcol (end=0x0, cursor=0x5610dc28ea40, start=0x0, pos=0x5610dc28e7b8, wp=0x5610dc28e780) at charset.c:1391
#8  getvvcol (wp=wp@entry=0x5610dc28e780, pos=pos@entry=0x5610dc28e7b8, start=start@entry=0x0, cursor=cursor@entry=0x5610dc28ea40, end=end@entry=0x0) at charset.c:1376
#9  0x00005610dbba451f in validate_virtcol_win (wp=0x5610dc28e780) at move.c:819
#10 0x00005610dbbc9799 in did_set_string_option
    (opt_idx=opt_idx@entry=391, varp=0x5610dbde8c50 <p_ve>, new_value_alloced=new_value_alloced@entry=1, oldval=0x5610dcc12e10 "", errbuf=errbuf@entry=0x0, opt_flags=opt_flags@entry=0, value_checked=0x7ffeca1ab884) at optionstr.c:2086
#11 0x00005610dbbcb4cc in set_string_option (opt_idx=opt_idx@entry=391, value=value@entry=0x5610dcc137a0 "all", opt_flags=opt_flags@entry=0) at optionstr.c:542
#12 0x00005610dbbc3e4e in set_option_value (name=0x5610dcc115fa "virtualedit", number=0, string=0x5610dcc137a0 "all", opt_flags=0) at option.c:4354
#13 0x00005610dbb0ea66 in ex_let_one
    (arg=<optimized out>, tv=tv@entry=0x5610dcae0120, copy=copy@entry=1, flags=flags@entry=16, endchars=endchars@entry=0x5610dbd20dc6 ",;]", op=op@entry=0x7ffeca1abb40 "=", var_idx=1)
    at evalvars.c:1459
#14 0x00005610dbb0f3f1 in ex_let_vars
    (copy=<optimized out>, op=0x7ffeca1abb40 "=", flags=<optimized out>, var_count=<optimized out>, semicolon=<optimized out>, tv=<optimized out>, arg_start=<optimized out>) at evalvars.c:973
#15 ex_let_vars (arg_start=<optimized out>, tv=<optimized out>, copy=<optimized out>, semicolon=<optimized out>, var_count=<optimized out>, flags=<optimized out>, op=0x7ffeca1abb40 "=")
    at evalvars.c:924
#16 0x00005610dbb125f0 in ex_let (eap=0x7ffeca1abc40) at evalvars.c:908
#17 0x00005610dbb2bd0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffeca1abec0, flags=flags@entry=7, cstack=cstack@entry=0x7ffeca1abf50, fgetline=fgetline@entry=
    0x5610dbc8dc60 <get_func_line>, cookie=cookie@entry=0x5610dc97a070) at ex_docmd.c:2599

// part of core dump.

[Shane-XB-Qian]

not sure if you can reproduce it, (for now i only faced it when worked with 'ctrlp'), or let it be - close it. :-)

[brammool]

Can you create a longer stack trace? It looks like it happens when the 'virtualedit' option is being set, I wonder how that is triggered.

[Shane-XB-Qian]

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f7dc392655b in kill () at ../sysdeps/unix/syscall-template.S:78
78	../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0  0x00007f7dc392655b in kill () at ../sysdeps/unix/syscall-template.S:78
#1  0x000055e2477d17b3 in may_core_dump () at os_unix.c:3456
#2  0x000055e2477d3bb4 in may_core_dump () at os_unix.c:3425
#3  mch_exit (r=1) at os_unix.c:3422
#4  0x000055e247914f1c in getout (exitval=1) at main.c:1711
#5  0x00007f7dc3ae7420 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#6  0x000055e24790f90d in getvcol (wp=wp@entry=0x55e247c10780, pos=pos@entry=0x55e247c107b8, start=start@entry=0x7ffcc0a2c6f4, cursor=cursor@entry=0x0, end=end@entry=0x0)
    at charset.c:1224
#7  0x000055e24790fd23 in getvvcol (end=0x0, cursor=0x55e247c10a40, start=0x0, pos=0x55e247c107b8, wp=0x55e247c10780) at charset.c:1391
#8  getvvcol (wp=wp@entry=0x55e247c10780, pos=pos@entry=0x55e247c107b8, start=start@entry=0x0, cursor=cursor@entry=0x55e247c10a40, end=end@entry=0x0) at charset.c:1376
#9  0x000055e2477a951f in validate_virtcol_win (wp=0x55e247c10780) at move.c:819
#10 0x000055e2477ce799 in did_set_string_option
    (opt_idx=opt_idx@entry=391, varp=0x55e2479edc50 <p_ve>, new_value_alloced=new_value_alloced@entry=1, oldval=0x55e24857a800 "", errbuf=errbuf@entry=0x0, opt_flags=opt_flags@entry=0, value_checked=0x7ffcc0a2c8c4) at optionstr.c:2086
#11 0x000055e2477d04cc in set_string_option (opt_idx=opt_idx@entry=391, value=value@entry=0x55e24858e440 "all", opt_flags=opt_flags@entry=0) at optionstr.c:542
#12 0x000055e2477c8e4e in set_option_value (name=0x55e24865454a "virtualedit", number=0, string=0x55e24858e440 "all", opt_flags=0) at option.c:4354
#13 0x000055e247713a66 in ex_let_one
    (arg=<optimized out>, tv=tv@entry=0x55e24861cec0, copy=copy@entry=1, flags=flags@entry=16, endchars=endchars@entry=0x55e247925dc6 ",;]", op=op@entry=0x7ffcc0a2cb80 "=", var_idx=1) at evalvars.c:1459
#14 0x000055e2477143f1 in ex_let_vars
    (copy=<optimized out>, op=0x7ffcc0a2cb80 "=", flags=<optimized out>, var_count=<optimized out>, semicolon=<optimized out>, tv=<optimized out>, arg_start=<optimized out>)
    at evalvars.c:973
#15 ex_let_vars
    (arg_start=<optimized out>, tv=<optimized out>, copy=<optimized out>, semicolon=<optimized out>, var_count=<optimized out>, flags=<optimized out>, op=0x7ffcc0a2cb80 "=")
    at evalvars.c:924
#16 0x000055e2477175f0 in ex_let (eap=0x7ffcc0a2cc80) at evalvars.c:908
#17 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a2cf00, flags=flags@entry=7, cstack=cstack@entry=0x7ffcc0a2cf90, fgetline=fgetline@entry=
    0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e2484eeb10) at ex_docmd.c:2599
#18 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e2484eeb10, flags=flags@entry=7)
    at ex_docmd.c:1001
#19 0x000055e2478995e4 in call_user_func
    (fp=fp@entry=0x55e2482fb570, argcount=argcount@entry=0, argvars=argvars@entry=0x7ffcc0a2dd40, rettv=rettv@entry=0x7ffcc0a2df10, funcexe=funcexe@entry=
    0x7ffcc0a2df40, selfdict=selfdict@entry=0x0) at userfunc.c:2611
#20 0x000055e247899f6a in call_user_func_check (selfdict=<optimized out>, funcexe=0x7ffcc0a2df40, rettv=0x7ffcc0a2df10, argvars=0x7ffcc0a2dd40, argcount=0, fp=0x55e2482fb570)
    at userfunc.c:2758
#21 call_user_func_check (fp=0x55e2482fb570, argcount=0, argvars=0x7ffcc0a2dd40, rettv=0x7ffcc0a2df10, funcexe=0x7ffcc0a2df40, selfdict=<optimized out>) at userfunc.c:2724
#22 0x000055e24789a45a in call_func
    (funcname=funcname@entry=0x55e24861cf80 "context#util#update_state", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a2df10, argcount_in=argcount_in@entry=0, argvars_in=argvars_in@entry=0x7ffcc0a2dd40, funcexe=funcexe@entry=0x7ffcc0a2df40) at userfunc.c:3236
#23 0x000055e24789aa09 in get_func_tv
    (name=name@entry=0x55e24861cf80 "context#util#update_state", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a2df10, arg=arg@entry=0x7ffcc0a2def8, evalarg=evalarg@entry=0x7ffcc0a2df90, funcexe=funcexe@entry=0x7ffcc0a2df40) at userfunc.c:1626
#24 0x000055e24789b065 in ex_call (eap=0x7ffcc0a2e0b0) at userfunc.c:4884
#25 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a2e330, flags=flags@entry=7, cstack=cstack@entry=0x7ffcc0a2e3c0, fgetline=fgetline@entry=
    0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e248475890) at ex_docmd.c:2599
#26 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e248475890, flags=flags@entry=7)
    at ex_docmd.c:1001
#27 0x000055e2478995e4 in call_user_func
    (fp=fp@entry=0x55e24830c680, argcount=argcount@entry=1, argvars=argvars@entry=0x7ffcc0a2f170, rettv=rettv@entry=0x7ffcc0a2f340, funcexe=funcexe@entry=
--Type <RET> for more, q to quit, c to continue without paging--
    0x7ffcc0a2f370, selfdict=selfdict@entry=0x0) at userfunc.c:2611
#28 0x000055e247899f6a in call_user_func_check (selfdict=<optimized out>, funcexe=0x7ffcc0a2f370, rettv=0x7ffcc0a2f340, argvars=0x7ffcc0a2f170, argcount=1, fp=0x55e24830c680)
    at userfunc.c:2758
#29 call_user_func_check (fp=0x55e24830c680, argcount=1, argvars=0x7ffcc0a2f170, rettv=0x7ffcc0a2f340, funcexe=0x7ffcc0a2f370, selfdict=<optimized out>) at userfunc.c:2724
#30 0x000055e24789a45a in call_func
    (funcname=funcname@entry=0x55e248344780 "context#update", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a2f340, argcount_in=argcount_in@entry=1, argvars_in=argvars_in@entry=0x7ffcc0a2f170, funcexe=funcexe@entry=0x7ffcc0a2f370) at userfunc.c:3236
#31 0x000055e24789aa09 in get_func_tv
    (name=name@entry=0x55e248344780 "context#update", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a2f340, arg=arg@entry=0x7ffcc0a2f328, evalarg=evalarg@entry=0x7ffcc0a2f3c0, funcexe=funcexe@entry=0x7ffcc0a2f370) at userfunc.c:1626
#32 0x000055e24789b065 in ex_call (eap=0x7ffcc0a2f4e0) at userfunc.c:4884
#33 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a2f760, flags=flags@entry=7, cstack=cstack@entry=0x7ffcc0a2f7f0, fgetline=fgetline@entry=
    0x55e2476b9ef0 <getnextac>, cookie=cookie@entry=0x7ffcc0a2fef0) at ex_docmd.c:2599
#34 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55e2476b9ef0 <getnextac>, cookie=cookie@entry=0x7ffcc0a2fef0, flags=flags@entry=7)
    at ex_docmd.c:1001
#35 0x000055e2476ba621 in apply_autocmds_group (event=event@entry=EVENT_BUFADD, fname=0x55e24859a830 "", fname@entry=0x0, fname_io=fname_io@entry=0x0, force=<optimized out>, 
    force@entry=0, group=group@entry=-3, buf=buf@entry=0x55e2484a5d20, eap=0x0) at autocmd.c:2123
#36 0x000055e2476bb6d8 in apply_autocmds (event=event@entry=EVENT_BUFADD, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0, buf=buf@entry=0x55e2484a5d20)
    at autocmd.c:1634
#37 0x000055e2476c04ce in buflist_new (ffname_arg=ffname_arg@entry=0x0, sfname_arg=sfname_arg@entry=0x0, lnum=lnum@entry=1, flags=flags@entry=3) at buffer.c:2252
#38 0x000055e2476c5663 in handle_swap_exists (old_curbuf=old_curbuf@entry=0x7ffcc0a301a0) at buffer.c:1133
#39 0x000055e24771fadb in do_ecmd (fnum=fnum@entry=0, ffname=<optimized out>, sfname=<optimized out>, 
    sfname@entry=0x0, eap=eap@entry=0x7ffcc0a32300, newlnum=0, flags=<optimized out>, oldwin=<optimized out>) at ex_cmds.c:3039
#40 0x000055e247733a0f in do_exedit (eap=0x7ffcc0a32300, old_curwin=0x0) at ex_docmd.c:6875
#41 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a32580, flags=flags@entry=3, cstack=cstack@entry=0x7ffcc0a32610, fgetline=fgetline@entry=
    0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e24845fb30) at ex_docmd.c:2599
#42 0x000055e247731e3c in do_cmdline (cmdline=<optimized out>, fgetline=0x55e247892c60 <get_func_line>, cookie=0x55e24845fb30, flags=flags@entry=3) at ex_docmd.c:1001
#43 0x000055e2477060b4 in ex_execute (eap=0x7ffcc0a32dc0) at eval.c:6306
#44 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a33040, flags=flags@entry=7, cstack=cstack@entry=0x7ffcc0a330d0, fgetline=fgetline@entry=
    0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e24845fb30) at ex_docmd.c:2599
#45 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e24845fb30, flags=flags@entry=7)
    at ex_docmd.c:1001
#46 0x000055e2478995e4 in call_user_func
    (fp=fp@entry=0x55e2484e0af0, argcount=argcount@entry=5, argvars=argvars@entry=0x7ffcc0a33eb0, rettv=rettv@entry=0x7ffcc0a344b0, funcexe=funcexe@entry=
    0x7ffcc0a33e60, selfdict=selfdict@entry=0x0) at userfunc.c:2611
#47 0x000055e247899f6a in call_user_func_check (selfdict=<optimized out>, funcexe=0x7ffcc0a33e60, rettv=0x7ffcc0a344b0, argvars=0x7ffcc0a33eb0, argcount=5, fp=0x55e2484e0af0)
    at userfunc.c:2758
#48 call_user_func_check (fp=0x55e2484e0af0, argcount=5, argvars=0x7ffcc0a33eb0, rettv=0x7ffcc0a344b0, funcexe=0x7ffcc0a33e60, selfdict=<optimized out>) at userfunc.c:2724
#49 0x000055e24789a45a in call_func
    (funcname=funcname@entry=0x55e2484e98d0 "s:openfile", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a344b0, argcount_in=argcount_in@entry=5, argvars_in=argvars_in@entry=0x7ffcc0a33eb0, funcexe=funcexe@entry=0x7ffcc0a33e60) at userfunc.c:3236
#50 0x000055e24789ac0c in func_call (name=0x55e2484e98d0 "s:openfile", args=<optimized out>, partial=0x0, selfdict=0x0, rettv=0x7ffcc0a344b0) at userfunc.c:2995
#51 0x000055e247710854 in call_internal_func (name=<optimized out>, argcount=<optimized out>, argvars=0x7ffcc0a342e0, rettv=0x7ffcc0a344b0) at evalfunc.c:2074
#52 0x000055e24789a694 in call_func
    (funcname=funcname@entry=0x55e2484765d0 "call", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a344b0, argcount_in=argcount_in@entry=2, argvars_in=argvars_in@entry=0x7ffcc0a342e0, funcexe=funcexe@entry=0x7ffcc0a344e0) at userfunc.c:3254
#53 0x000055e24789aa09 in get_func_tv
    (name=name@entry=0x55e2484765d0 "call", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a344b0, arg=arg@entry=0x7ffcc0a34498, evalarg=evalarg@entry=0x7ffcc0a34530, funcexe=funcexe@entry=0x7ffcc0a344e0) at userfunc.c:1626
--Type <RET> for more, q to quit, c to continue without paging--
#54 0x000055e24789b065 in ex_call (eap=0x7ffcc0a34650) at userfunc.c:4884
#55 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a348d0, flags=flags@entry=7, cstack=cstack@entry=0x7ffcc0a34960, fgetline=fgetline@entry=
    0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e248323940) at ex_docmd.c:2599
#56 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e248323940, flags=flags@entry=7)
    at ex_docmd.c:1001
#57 0x000055e2478995e4 in call_user_func
    (fp=fp@entry=0x55e2484c57e0, argcount=argcount@entry=1, argvars=argvars@entry=0x7ffcc0a35740, rettv=rettv@entry=0x7ffcc0a35d40, funcexe=funcexe@entry=
    0x7ffcc0a356f0, selfdict=selfdict@entry=0x0) at userfunc.c:2611
#58 0x000055e247899f6a in call_user_func_check (selfdict=<optimized out>, funcexe=0x7ffcc0a356f0, rettv=0x7ffcc0a35d40, argvars=0x7ffcc0a35740, argcount=1, fp=0x55e2484c57e0)
    at userfunc.c:2758
#59 call_user_func_check (fp=0x55e2484c57e0, argcount=1, argvars=0x7ffcc0a35740, rettv=0x7ffcc0a35d40, funcexe=0x7ffcc0a356f0, selfdict=<optimized out>) at userfunc.c:2724
#60 0x000055e24789a45a in call_func
    (funcname=funcname@entry=0x55e2485f2a90 "ctrlp#acceptfile", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a35d40, argcount_in=argcount_in@entry=1, argvars_in=argvars_in@entry=0x7ffcc0a35740, funcexe=funcexe@entry=0x7ffcc0a356f0) at userfunc.c:3236
#61 0x000055e24789ac0c in func_call (name=0x55e2485f2a90 "ctrlp#acceptfile", args=<optimized out>, partial=0x0, selfdict=0x0, rettv=0x7ffcc0a35d40) at userfunc.c:2995
#62 0x000055e247710854 in call_internal_func (name=<optimized out>, argcount=<optimized out>, argvars=0x7ffcc0a35b70, rettv=0x7ffcc0a35d40) at evalfunc.c:2074
#63 0x000055e24789a694 in call_func
    (funcname=funcname@entry=0x55e2485f2550 "call", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a35d40, argcount_in=argcount_in@entry=2, argvars_in=argvars_in@entry=0x7ffcc0a35b70, funcexe=funcexe@entry=0x7ffcc0a35d70) at userfunc.c:3254
#64 0x000055e24789aa09 in get_func_tv
    (name=name@entry=0x55e2485f2550 "call", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a35d40, arg=arg@entry=0x7ffcc0a35d28, evalarg=evalarg@entry=0x7ffcc0a35dc0, funcexe=funcexe@entry=0x7ffcc0a35d70) at userfunc.c:1626
#65 0x000055e24789b065 in ex_call (eap=0x7ffcc0a35ee0) at userfunc.c:4884
#66 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a36160, flags=flags@entry=7, cstack=cstack@entry=0x7ffcc0a361f0, fgetline=fgetline@entry=
    0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e24851b640) at ex_docmd.c:2599
#67 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x55e247892c60 <get_func_line>, cookie=cookie@entry=0x55e24851b640, flags=flags@entry=7)
    at ex_docmd.c:1001
#68 0x000055e2478995e4 in call_user_func
    (fp=fp@entry=0x55e2484c6a50, argcount=argcount@entry=1, argvars=argvars@entry=0x7ffcc0a36fa0, rettv=rettv@entry=0x7ffcc0a37170, funcexe=funcexe@entry=
    0x7ffcc0a371a0, selfdict=selfdict@entry=0x0) at userfunc.c:2611
#69 0x000055e247899f6a in call_user_func_check (selfdict=<optimized out>, funcexe=0x7ffcc0a371a0, rettv=0x7ffcc0a37170, argvars=0x7ffcc0a36fa0, argcount=1, fp=0x55e2484c6a50)
    at userfunc.c:2758
#70 call_user_func_check (fp=0x55e2484c6a50, argcount=1, argvars=0x7ffcc0a36fa0, rettv=0x7ffcc0a37170, funcexe=0x7ffcc0a371a0, selfdict=<optimized out>) at userfunc.c:2724
#71 0x000055e24789a45a in call_func
    (funcname=funcname@entry=0x55e248473890 "\200\375R201_AcceptSelection", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a37170, argcount_in=argcount_in@entry=1, argvars_in=argvars_in@entry=0x7ffcc0a36fa0, funcexe=funcexe@entry=0x7ffcc0a371a0) at userfunc.c:3236
#72 0x000055e24789aa09 in get_func_tv
    (name=name@entry=0x55e248473890 "\200\375R201_AcceptSelection", len=len@entry=-1, rettv=rettv@entry=0x7ffcc0a37170, arg=arg@entry=0x7ffcc0a37158, evalarg=evalarg@entry=0x7ffcc0a371f0, funcexe=funcexe@entry=0x7ffcc0a371a0) at userfunc.c:1626
#73 0x000055e24789b065 in ex_call (eap=0x7ffcc0a37310) at userfunc.c:4884
#74 0x000055e247730d0d in do_one_cmd (cmdlinep=cmdlinep@entry=0x7ffcc0a37590, flags=flags@entry=0, cstack=cstack@entry=0x7ffcc0a37620, fgetline=fgetline@entry=
    0x55e24773ed60 <getexline>, cookie=cookie@entry=0x0) at ex_docmd.c:2599
#75 0x000055e247731e3c in do_cmdline (cmdline=cmdline@entry=0x0, fgetline=0x55e24773ed60 <getexline>, cookie=cookie@entry=0x0, flags=0) at ex_docmd.c:1001
#76 0x000055e2477af6af in nv_colon (cap=0x7ffcc0a37cf0) at normal.c:3407
#77 0x000055e2477b66f1 in normal_cmd (oap=0x7ffcc0a37db0, toplevel=1) at normal.c:1100
#78 0x000055e247914a02 in main_loop (cmdwin=0, noexmode=0) at main.c:1501
#79 0x000055e247915c23 in vim_main2 () at main.c:878
#80 0x000055e2476b4bff in main (argc=<optimized out>, argv=<optimized out>) at main.c:3273

[dpelle]

Can you try with a asan build (address sanitizer)?
It should be a matter of rebuilding vim after un-commenting these lines in src/Makefile:

SANITIZER_CFLAGS = -g -O0 -fsanitize-recover=all \
                  -fsanitize=address -fsanitize=undefined \
                  -fno-omit-frame-pointer

If asan finds a memory error, it will output stacks on stderr.
So try reproducing the issue with:

$ vim 2> asan.log

And post the content of asan.log if it contains something interesting.

[brammool]

Thanks. I can see the start is here:

#36 0x000055e2476bb6d8 in apply_autocmds (event=event@entry=EVENT_BUFADD, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0, buf=buf@entry=0x55e2484a5d20)
at autocmd.c:1634
#37 0x000055e2476c04ce in buflist_new (ffname_arg=ffname_arg@entry=0x0, sfname_arg=sfname_arg@entry=0x0, lnum=lnum@entry=1, flags=flags@entry=3) at buffer.c:2252
#38 0x000055e2476c5663 in handle_swap_exists (old_curbuf=old_curbuf@entry=0x7ffcc0a301a0) at buffer.c:1133

When Quit is selected at the prompt a new buffer is opened. The triggered autocommands then eventually lead to the place where the crash happens. Nothing stands out what is different here from normally opening a new buffer.

[Shane-XB-Qian]

charset.c:1232:11: runtime error: member access within null pointer of type 'struct buf_T'

// not sure if related, but from asan.log and only such one and build after 'distclean'.

[dpelle]

I installed https://github.com/ctrlpvim/ctrlp.vim
I tried to reproduce the steps in description but I did not see any crash so far using vim-8.2.3090

At step 3, pressing CTRL-P I get:

Error detected while processing function <SNR>64_AcceptSelection[27]..ctrlp#acceptfile[51]..<SNR>64_openfile:
line    7:
E325: ATTENTION
Found a swap file by the name ".foo.txt.swp"
          owned by: pel   dated: za jul 03 19:47:15 2021
         file name: ~pel/sb/vim/src/foo.txt
          modified: no
         user name: pel   host name: pel-cirrus7
        process ID: 28260 (STILL RUNNING)
While opening file "foo.txt"
             dated: za jul 03 19:46:17 2021

(1) Another program may be editing the same file.  If this is the case,
    be careful not to end up with two different instances of the same
    file when making changes.  Quit, or continue with caution.
(2) An edit session for this file crashed.
    If this is the case, use ":recover" or "vim -r foo.txt"
    to recover the changes (see ":help recovery").
    If you did this already, delete the swap file ".foo.txt.swp"
    to avoid this message.

Swap file ".foo.txt.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort: 

But then pressing q I did not see any crash.

[Shane-XB-Qian]

um.. maybe not related to 'ctrlp', but it do crash at my place when trying to reproduce with 'ctrlp'.
// anyway, as your req, the asan.log was above.

[brammool]

``` charset.c:1232:11: runtime error: member access within null pointer of type 'struct buf_T' ``` // not sure if related, but from asan.log and only such one and build after 'distclean'.

Thanks, the previous stack trace didn't show the exact location. So it turns out curwin->w_buffer is NULL. And that is because close_buffer() is called before calling buflist_new(). In this case we just want to create an empty buffer to use for the current buffer. Blocking autocommands seems like the best way to avoid trouble. It's like creating the first empty buffer when Vim starts. Try this patch: *** vim-8.2.3092/src/buffer.c 2021-06-27 22:03:28.637707737 +0200 --- buffer.c 2021-07-03 21:15:54.138076249 +0200 *************** *** 1130,1136 **** --- 1130,1141 ---- close_buffer(curwin, curbuf, DOBUF_UNLOAD, FALSE, FALSE); if (old_curbuf == NULL || !bufref_valid(old_curbuf) || old_curbuf->br_buf == curbuf) + { + // Block autocommands here because curwin->w_buffer is NULL. + block_autocmds(); buf = buflist_new(NULL, NULL, 1L, BLN_CURBUF | BLN_LISTED); + unblock_autocmds(); + } else buf = old_curbuf->br_buf; if (buf != NULL)

…

-- hundred-and-one symptoms of being an internet addict: 88. Every single time you press the 'Get mail' button...it does get new mail. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

[Shane-XB-Qian]

@brammool though not sure if there would be side effect, but yes, i verified, looks this patch fixed this crash.

[brammool]

@brammool though not sure if there would be side effect, but yes, i verified, looks this patch fixed this crash.

Thanks for checking. If autocommands are used to keep track of existing buffers that might be confused. But avoiding the crash in more important. Unfortunately I haven't been able to reproduce the problem in a test. Thus I'll send out the patch without a test. If you can reproduce it in a simple way (without a plugin) let me know. I'll also give it another try.

…

-- From "know your smileys": :----} You lie like Pinocchio /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

[dpelle]

• which version of the ctrlp plugin do you use? I could not reproduce it with https://github.com/ctrlpvim/ctrlp.vim.git at git SHA1 f68f4d00b9c99d0d711bfde3b071f0dafd249901 . Maybe the bug is triggered with another version?
• or maybe another plugin has an autocommand that trigger the crash. If you could comment out as much as possible in your ~/.vimrc while still reproducing the crash, it would help.

[brammool]

I did a bit of debugging, and it looks like the situation can only happen when an autocommand wipes out the current buffer.

[Shane-XB-Qian]

@brammool i looked into a bit more,
looks vim --clean -c 'au bufadd * let foo_w = wincol()' can simply reproduce this crash,
since event=event@entry=EVENT_BUFADD.
// perhaps should not block all au, but just bufadd and/or such? and adjust your code in test as well.

[brammool]

I cannot reproduce a problem with that Vim command, also not using valgrind.

When curwin->w_buffer is NULL then no user commands must be executed.

[Shane-XB-Qian]

the repro steps is:

1. vim --clean foo.txt
2. another vim: vim --clean -c 'au bufadd * let foo_w = wincol()'
3. then :e foo.txt
4. chose 'q' or 'a' when prompt '.swp' existed.
5. seg fault.

// perhaps au on wipes out as you said was an issue too.

[Shane-XB-Qian]

wincol() or similar funcs were trying to work on a curwin->w_buffer is NULL, when bufadd or wipes out. I Guess.

[Shane-XB-Qian]

and of course it cannot be reproduced after v8.2.3097 since it blocked all au.

[Shane-XB-Qian]

or maybe 'block all' was acceptable,
just 'test case' you wrote may/can be a bit simplified, and was trying to let be clear the reproduce steps and clarify this issue. :-)

[brammool]

Thanks for the hints, now I managed to make the test fail without the patch.

[Shane-XB-Qian]

:-) and thank you too, let my name and editor/tool stick on vim. glad this would be fixed.