Problem: Last buffer not freed with EXITFREE (after 9.1.2087).
Solution: Free the last buffer when inside free_all_mem()
(zeertzjq).
This isn't really a memory leak, as the last buffer's memory is still
reachable via pointers like firstbuf and lastbuf. But it's possible that
this may cause false ASAN warnings in the future, which is what EXITFREE
is supposed to prevent.
closes: vim/vim#19194
6c118afeaa
(cherry picked from commit 960cba7b3b)
Problem: Crash when using :tabonly in BufUnload.
Solution: Set curbuf when setting curwin->w_buffer. Don't wipe out a
buffer if there are no other buffers. Don't decrement
b_nwindows if it was 0 before buf_freeall() (zeertzjq).
fixes: vim/vim#19088#issuecomment-3710172769
closes: vim/vim#19186
fa64f92f6a
(cherry picked from commit eb5a7cc0dd)
Removed code doesn't seem to do anything? Looks like a clobbered remnant from
when do_filetype_autocmd lived in did_set_string_option.
Doc comment for wipe_buffer doesn't decrement top_file_num since a2d25b7 (2016),
which presumably means the comment on marks doesn't apply either. (fmark_T::fnum
can't refer to the wrong buffer as numbers aren't reused here anymore)
(cherry picked from commit 40114d1631)
Problem: printf format not checked for semsg().
Solution: Add GNUC attribute and fix reported problems. (Dominique Pelle,
closes vim/vim#3805)
b5443cc46d
Cherry-pick a change from patch 8.2.3830.
Co-authored-by: Bram Moolenaar <Bram@vim.org>
(cherry picked from commit ef522420f2)
Problem: :bdelete/bunload/bwipeout may attempt to switch to a closing
buffer, which fails. (after 9.1.2058)
Solution: don't consider switching to closing buffers (Sean Dewar)
closes: vim/vim#19107
63d53de72d
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
(cherry picked from commit e002e4d7fc)
Problem: b_locked_split is not checked for :sbuffer, which allows
autocommands to leave windows open to freed buffers.
Solution: In do_buffer_ext, check just before possibly splitting, after
handling 'switchbuf'. Leave win_split to handle the check for
curbuf. (needed even if curbuf is not the target, as setting
the buffer after splitting may fail) (Sean Dewar)
closes: vim/vim#19096
ac5c8ab6cc
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
(cherry picked from commit 5f871007d7)
Problem: Division by zero in :file after failing to wipe buffer
(after 8.2.4631).
Solution: Still call buf_clear_file() when failing to wipe buffer
(zeertzjq).
closes: vim/vim#19088
1aa5ca4ecb
(cherry picked from commit 97bfc0c99b)
Problem: :edit and :enew may reuse a 1-line terminal buffer, causing
the new buffer to still be a terminal buffer.
Solution: Don't reuse a terminal buffer, as it's not reused when it has
more than 1 line.
After this change close_buffer() is the only place where buf_freeall()
can be called on a terminal buffer, so move the buf_close_terminal()
call into buf_freeall() to save some code. Furthermore, closing the
terminal in buf_freeall() is probably more correct anyway, as it is
"things allocated for a buffer that are related to the file".
Also, remove the useless check for on_detach callbacks deleting buffer.
Even if b_locked fails to prevent that, the crash will happen at the end
of buf_updates_unload() first. On the other hand, many other call sites
of buf_updates_unload() and other buffer_updates_* functions don't set
b_locked, which may be a problem as well...
(cherry picked from commit 23aa4853b3)
Problem: Crash when deleting terminal buffer and TermClose switches
back to the terminal buffer.
Solution: Set b_locked_split.
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
(cherry picked from commit ad85871ca1)
Problem: Crash when deleting terminal buffer and TermClose deletes
other buffers.
Solution: Close the terminal after restoring b_nwindows.
(cherry picked from commit 7297e9d339)
Problem: Calling termopen() or nvim_open_term() on a buffer with an
existing terminal leads to two terminals writing to the same
buffer if the terminal job is still running, or memory leak
if the terminal job has exited.
Solution: Close the terminal if the terminal job has exited, otherwise
report an error.
Problem: nvim_win_set_config may crash when attempting to move curwin to a
different tabpage if there is no other non-float available to switch to.
Solution: fix the crash. Fix ONE_WINDOW checks in winframe_find_altwin and
win_altframe to consider floating windows by instead using one_window. Allow
one_window to consider non-current tabpages. We can use one_window in
win_close_othertab now to also better reflect its use in win_close.
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Problem: can't accurately know if close_buffer directly (e.g., not via autocmds)
decremented b_nwindows. This can cause crashes if win_close_othertab decides to
keep the window after calling close_buffer (if it did not free the buffer), as
b_nwindows may remain out-of-sync.
Solution: change the return value of close_buffer to accurately depict whether
it decremented b_nwindows. Check it in win_close_othertab to avoid a crash.
Similar issues may exist in other places that call close_buffer, but I've not
addressed those here (not to mention only one other place even checks its return
value...)
Problem: ml_delete() often called with FALSE argument.
Solution: Use ml_delete_flags(x, ML_DEL_MESSAGE) when argument is TRUE.
ca70c07b72
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Problem: on_detach may be called after buf_freeall and other important things,
plus its textlock restrictions are insufficient. This can cause issues such as
leaks, internal errors and crashes.
Solution: disable buffer updates in buf_freeall, before autocommands (like the
order after #35355 and when do_ecmd reloads a buffer). Don't do so in
free_buffer_stuff; it's not safe to run user code there, and buf_freeall already
runs before then; just free them to avoid leaks if buf_freeall autocommands
registered more for some reason.
(cherry picked from commit 2211953266)
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
Problem:
Buffer-updates on_detach callback is invoked before buf_freeall(), which
deletes autocmds of the buffer (via apply_autocmds(EVENT_BUFWIPEOUT,
...)). Due to this, buffer-local autocmds executed in on_detach (e.g.,
LspDetach) are not actually invoked.
Solution:
Call buf_updates_unload() before buf_freeall().
(cherry picked from commit 285c04e2d0)
Co-authored-by: Jaehwang Jung <tomtomjhj@gmail.com>
Problem: Patch v8.1.0425 was wrong
Solution: Revert that patch (Hirohito Higashi)
This is because the root cause was fixed in 8.1.0786 and a regression
occurred elsewhere.
related: vim/vim#3455
related: vim/vim#3830
fixes: vim/vim#11558
closes: vim/vim#17899
6abe5e4904
Co-authored-by: Hirohito Higashi <h.east.727@gmail.com>
(cherry picked from commit 7230296bdb)
Problem: :bnext doesn't go to unlisted help buffers when cycling
through help buffers (after 9.1.0557).
Solution: Don't check if a help buffer is listed (zeertzjq).
From <https://github.com/vim/vim/issues/4478#issuecomment-498831057>:
> I think we should fix that, since once you get to a non-help buffer
> all unlisted buffers are skipped, thus you won't encounter another
> help buffer.
This implies that cycling through help buffers should work even if help
buffers are unlisted. Otherwise this part of :bnext isn't really useful,
as :h makes help buffers unlisted by default.
related: vim/vim#4478
related: vim/vim#15198
closes: vim/vim#17913
9662f33480
(cherry picked from commit 53ac2ad20a)
Problem: buflist_new() leaks ffname and fails to reuse curbuf when
autocommands from buf_freeall change curbuf. Plus, a new
buffer is not allocated in this case, despite what the comment
above claims.
Solution: Remove the condition so ffname is not leaked and so a new
buffer is allocated like before v8.2.4791. It should not be
possible for undo_ftplugin or buf_freeall autocommands to
delete the buffer as they set b_locked, but to stay consistent
with other uses of buf_freeall, guard against that anyway
(Sean Dewar).
Note that buf is set to NULL if it was deleted to guard against the (rare)
possibility of messing up the "buf != curbuf" condition below if a new buffer
happens to be allocated at the same address.
closes: vim/vim#17319
0077282c82
Co-authored-by: Sean Dewar <6256228+seandewar@users.noreply.github.com>
(cherry picked from commit 6b9665a507)
Problem: [security]: Possible to open more windows into a closing
buffer without splitting, bypassing existing "b_locked_split"
checks and triggering use-after-free
Solution: Disallow switching to a closing buffer. Editing a closing
buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an
error message and check just "b_locked_split", as "b_locked"
is necessary only when the buffer shouldn't be wiped, and may
be set for buffers that are in-use but not actually closing.
(Sean Dewar)
closes: vim/vim#17246
6cb1c82840
(cherry picked from commit 627c648252)
Problem: terminal not always resized when switching to its buffer.
Solution: add missing calls to terminal_check_size.
Adjust screen test for v0.11.
(cherry picked from commit e56292071a)
Problem: [fifo] is not displayed when editing a fifo
(after v7.4.2189)
Solution: stat the filename and detect the type correctly
fixes: vim/vim#16702
closes: vim/vim#16705
f1c3134ee1
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: too many strlen() calls in drawscreen.c
Solution: refactor drawscreen.c and remove calls to strlen(),
make get_keymap_str() (in screen.c) return string length
instead of TRUE/FALSE (John Marriott).
a21240b97d
Co-authored-by: John Marriott <basilisk@internode.on.net>
"wininfo" is going to be my next victim. The main problem with wininfo
is that it is "all or nothing", i.e. either all state about a buffer in a
window is considered valid or none of it is. This needs to be fixed to
address some long running grievances.
For now this is just a warmup: refactor it from a linked list to a
vector.
Problem: Option metadata like list of valid values for an option and
option flags are not listed in the `options.lua` file and are instead
manually defined in C, which means option metadata is split between
several places.
Solution: Put metadata such as list of valid values for an option and
option flags in `options.lua`, and autogenerate the corresponding C
variables and enums.
Supersedes #28659
Co-authored-by: glepnir <glephunter@gmail.com>
Problem: Highlight group id is not propagated to the end of the message call
stack, where ext_messages are emitted.
Solution: Refactor message functions to pass along highlight group id
instead of attr id.
Problem: 'findexpr' can't be used for lambdas
(Justin Keyes)
Solution: Replace the findexpr option with the findfunc option
(Yegappan Lakshmanan)
related: vim/vim#15905
closes: vim/vim#15976
a13f3a4f5d
Co-authored-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Problem: tests: no error check when setting global 'cc'
Solution: also parse and check global 'cc' value (Milly)
closes: vim/vim#15914
a441a3eaab
Co-authored-by: Milly <milly.ca@gmail.com>
Problem: [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
check whether the newly to be edited buffer has been marked
for deletion and abort in this case
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
51b62387be
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: use-after-free in alist_add()
(SuyueGuo)
Solution: Lock the current window, so that the reference to
the argument list remains valid.
This fixes CVE-2024-43374
0a6e57b09b
Co-authored-by: Christian Brabandt <cb@256bit.org>
Problem: Renaming a buffer on startup may cause using freed memory.
Solution: Check if the buffer is used in a window. (closes vim/vim#8955)
d3710cf01e
Cherry-pick Test_echo_true_in_cmd() from Vim.
Co-authored-by: Bram Moolenaar <Bram@vim.org>
This also makes shada reading slightly faster due to avoiding
some copying and allocation.
Use keysets to drive decoding of msgpack maps for shada entries.
Problem:
Variables are often assigned in multiple places in common patterns.
Solution:
Replace these common patterns with different patterns that reduce the
number of assignments.
Use `MAX` and `MIN`:
```c
if (x < y) {
  x = y;
}
// -->
x = MAX(x, y);
```
```c
if (x > y) {
  x = y;
}
// -->
x = MIN(x, y);
```
Use ternary:
```c
int a;
if (cond) {
  a = b;
} else {
  a = c;
}
// -->
int a = cond ? b : c;
```
Problem: moving in the buffer list doesn't work as documented
(SenileFelineS)
Solution: Skip non-help buffers, when run from normal buffers, else
only move from help buffers to the next help buffer (LemonBoy)
As explained in the help section for :bnext and :bprev the commands
should jump from help buffers to help buffers (and from regular ones to
regular ones).
fixes: vim/vim#4478
closes: vim/vim#15198
893eeeb445
Co-authored-by: LemonBoy <thatlemon@gmail.com>
Problem: :bwipe doesn't remove file from jumplist and tagstack of other
tabpages. Time complexity of mark_forget_file() is O(n^2) when
removing all entries (after v9.1.0554)
Solution: Use FOR_ALL_TAB_WINDOWS(). Start the loops over the arrays
from the end instead of the start (zeertzjq)
closes: vim/vim#15199
2e7d89b398
Problem: :bw leaves jumplist and tagstack data around
(Paul "Joey" Clark)
Solution: Wipe jumplist and tagstack references to the wiped buffer
(LemonBoy)
As documented the :bwipeout command brutally deletes all the references
to the buffer, so let's make it delete all the entries in the jump list
and tag stack referring to the wiped-out buffer.
fixes: vim/vim#8201
closes: vim/vim#15185
4ff3a9b1e3
Co-authored-by: LemonBoy <thatlemon@gmail.com>