On Jan 18, 2008 6:46 AM, Yegappan Lakshmanan <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I am observing that Vim crashes when trying to complete the arguments to
> a user-defined command in the cmdline window. I see this with Vim 7.1.180.
>
> To reproduce this crash, use the following sample code:
>
> -------------------- crash.vim -----------------------------------------
> function! s:Myfunc(ArgLead, CmdLine, CursorPos)
> return ["apple", "orange", "grapes"]
> endfunction
>
> command! -nargs=1 -complete=customlist,s:Myfunc Crashvim :echo '<args>'
> -----------------------------------------------------------------------------
>
> After sourcing the above file, open the cmdline window using "q:".
> In the cmdline window, enter the "Crashvim" command and then
> try to complete the arguments to the command by pressing <Tab>.
> Now Vim crashes with the following traceback:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x00072c00 in call_user_expand_func (user_expand_func=0x4b774
> <call_func_retlist>, xp=0x1cc924, num_file=0xffbee138,
> file=0xffbee134) at ex_getln.c:4669
> 4669 keep = ccline.cmdbuff[ccline.cmdlen];
> (cisco-6.1.0-gdb) bt
> #0 0x00072c00 in call_user_expand_func (user_expand_func=0x4b774
> <call_func_retlist>, xp=0x1cc924, num_file=0xffbee138,
> file=0xffbee134) at ex_getln.c:4669
> #1 0x000735d4 in ExpandFromContext (xp=0x1cc924, pat=0x392f70 "^",
> num_file=0xffbee138, file=0xffbee134, options=-4267724) at
> ex_getln.c:4758
> #2 0x00073b3c in expand_cmdline (xp=0x1cc924, str=0x37b310 "Crashvim
> ", col=3747696, matchcount=0xffbee138, matches=0xffbee134) at
> ex_getln.c:4228
> #3 0x0002a804 in ins_compl_next (allow_get_expansion=1, count=0,
> insert_match=1) at edit.c:4010
> #4 0x0002b368 in ins_complete (c=22) at edit.c:4585
> #5 0x00030df8 in edit (cmdchar=1912832, startln=1911808, count=1) at
> edit.c:1338
> #6 0x000e5310 in op_change (oap=0xffbee5f8) at ops.c:2598
> #7 0x000dc548 in do_pending_operator (cap=0xffbee548, old_col=0,
> gui_yank=0) at normal.c:1909
> #8 0x000dd88c in normal_cmd (oap=0xffbee5f8, toplevel=1) at normal.c:1174
> #9 0x0009c5c0 in main_loop (cmdwin=1, noexmode=0) at main.c:1181
> #10 0x00078e6c in getcmdline (firstc=58, count=1, indent=0) at ex_getln.c:6052
> #11 0x00067e84 in do_cmdline (cmdline=0x0, getline=0x79bd0
> <getexline>, cookie=0x0, flags=0) at ex_docmd.c:995
> #12 0x000d9344 in nv_colon (cap=0xffbeedf8) at normal.c:5175
> #13 0x000dd808 in normal_cmd (oap=0xffbeeea8, toplevel=1) at normal.c:1148
> #14 0x0009c5c0 in main_loop (cmdwin=0, noexmode=0) at main.c:1181
> #15 0x000a0764 in main (argc=1911808, argv=0x1) at main.c:940
>
> Is anyone else able to reproduce this crash?
>
> - Yegappan
Yes, I can also reproduce it with vim 7.1 (Patches 1-230) on
Linux x86 built with 'configure --with-features=huge'. My stack
trace looks similar to yours (only line numbers are slightly different
because I'm using a newer version of vim).

ccline.cmdbuff is a NULL pointer at line 4680 of ex_getln.c:

  4661 static void *
  4662 call_user_expand_func(user_expand_func, xp, num_file, file)
  4663     void *(*user_expand_func) __ARGS((char_u *, int, char_u **, int>
  4664     expand_T *xp;
  4665     int *num_file;
  4666     char_u ***file;
  4667 {
  4668     char_u keep;
  4669     char_u num[50];
  4670     char_u *args[3];
  4671     int save_current_SID = current_SID;
  4672     void *ret;
  4673     struct cmdline_info save_ccline;
  4674
  4675     if (xp->xp_arg == NULL || xp->xp_arg[0] == '\0')
  4676         return NULL;
  4677     *num_file = 0;
  4678     *file = NULL;
  4679
!!4680     keep = ccline.cmdbuff[ccline.cmdlen];
  4681     ccline.cmdbuff[ccline.cmdlen] = 0;

I tried to run with the valgrind memory checker but it does not show
anything more before dereferencing the NULL pointer at line 4680.

-- Dominique
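
The listing above faults on an unguarded read of `ccline.cmdbuff[ccline.cmdlen]` while the buffer pointer is NULL. The following C example is added here for illustration; it is not Vim's code and not the fix applied to Vim. It shows the same save/terminate/restore pattern with the pointer and index checked first. The struct, its `buflen` field, and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the command-line state, not Vim's struct. */
struct cmdline_model {
    char *cmdbuff;  /* NULL when no command line is active */
    int   cmdlen;   /* index of the byte to terminate at */
    int   buflen;   /* allocated size of cmdbuff (assumed field) */
};
typedef int (*expand_cb)(const char *line);

/* Hypothetical callback: returns the length of the line it is handed. */
static int line_length(const char *line) { return (int)strlen(line); }

/* Terminate the buffer at cmdlen, run the callback, restore the saved byte.
 * Returns -1 without touching memory when the pointer or index is unusable. */
static int call_expand_guarded(struct cmdline_model *cc, expand_cb cb)
{
    char keep;
    int ret;
    if (!cc || !cb || !cc->cmdbuff || cc->cmdlen < 0 || cc->cmdlen >= cc->buflen)
        return -1;
    keep = cc->cmdbuff[cc->cmdlen];
    cc->cmdbuff[cc->cmdlen] = '\0';
    ret = cb(cc->cmdbuff);
    cc->cmdbuff[cc->cmdlen] = keep;
    return ret;
}

/* Constructed case matching the report: no buffer is allocated. */
static int demo_null_buffer(void)
{
    struct cmdline_model cc = { NULL, 0, 0 };
    return call_expand_guarded(&cc, line_length);
}

/* Constructed case with a live buffer; -2 means the byte was not restored. */
static int demo_live_buffer(void)
{
    char buf[] = "Crashvim apple";
    struct cmdline_model cc = { buf, 9, (int)sizeof buf };
    int n = call_expand_guarded(&cc, line_length);
    return strcmp(buf, "Crashvim apple") == 0 ? n : -2;
}

int main(void)
{
    printf("null buffer: %d, live buffer: %d\n", demo_null_buffer(), demo_live_buffer());
    return 0;
}
```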