vim crashed when :q window #13854

Closed
Shane-XB-Qian opened this issue Jan 13, 2024 · 4 comments
@Shane-XB-Qian
Contributor

Steps to reproduce

When I was debugging / verifying this tagbar PR preservim/tagbar#866, Vim crashed.
Please check the bt; no idea if you can repro it, since it is plugin dependent.

Expected behaviour

not crashed.

Version of Vim

v9.1.26

Environment

linux

Logs and stack traces

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737341322752) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737341322752) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737341322752, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff74c6476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff74ac7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff750d676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff765fb77 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#6  0x00007ffff7524cfc in malloc_printerr (str=str@entry=0x7ffff7662620 "corrupted size vs. prev_size in fastbins") at ./malloc/malloc.c:5664
#7  0x00007ffff752599c in malloc_consolidate (av=av@entry=0x7ffff769ec80 <main_arena>) at ./malloc/malloc.c:4771
#8  0x00007ffff7527bdb in _int_malloc (av=av@entry=0x7ffff769ec80 <main_arena>, bytes=bytes@entry=2192) at ./malloc/malloc.c:3965
#9  0x00007ffff752a5f9 in __libc_calloc (n=n@entry=2192, elem_size=elem_size@entry=1) at ./malloc/malloc.c:3679
#10 0x00005555555a66c0 in lalloc (message=1, size=2192) at alloc.c:246
#11 alloc_clear (size=size@entry=2192) at alloc.c:177
#12 0x00005555557b65b2 in create_funccal (rettv=0x7fffffffa720, fp=0x5555561dd5b0) at userfunc.c:2772
#13 call_user_func (fp=0x5555561dd5b0, argcount=2, argvars=0x7fffffffa180, rettv=0x7fffffffa720, funcexe=0x7fffffffa350, selfdict=0x0) at userfunc.c:2845
#14 0x00005555557b756e in call_user_func_check (fp=0x5555561dd5b0, argcount=2, argvars=0x7fffffffa180, rettv=0x7fffffffa720, funcexe=0x7fffffffa350, selfdict=<optimized out>) at userfunc.c:3299
#15 0x00005555557b7c12 in call_func (funcname=funcname@entry=0x555556ae1b00 "s:Getlist(0, type)", len=len@entry=9, rettv=rettv@entry=0x7fffffffa720, argcount_in=argcount_in@entry=2, argvars_in=argvars_in@entry=0x7fffffffa180, funcexe=funcexe@entry=0x7fffffffa350) at userfunc.c:3923
#16 0x00005555557b80f7 in get_func_tv (name=name@entry=0x555556ae1b00 "s:Getlist(0, type)", len=9, rettv=rettv@entry=0x7fffffffa720, arg=arg@entry=0x7fffffffa6c0, evalarg=evalarg@entry=0x7fffffffa7b0, funcexe=0x7fffffffa350) at userfunc.c:2013
#17 0x00005555555f4381 in eval_func (arg=arg@entry=0x7fffffffa6c0, evalarg=evalarg@entry=0x7fffffffa7b0, name=name@entry=0x5555567c3e9b "s:Getlist(0, type)", name_len=name_len@entry=9, rettv=rettv@entry=0x7fffffffa720, flags=flags@entry=1, basetv=0x0) at eval.c:2581
#18 0x00005555555fa3f4 in eval9 (arg=0x7fffffffa6c0, rettv=0x7fffffffa720, evalarg=0x7fffffffa7b0, want_string=<optimized out>) at eval.c:4493
#19 0x00005555555fb73e in eval7 (want_string=0, evalarg=0x7fffffffa7b0, rettv=0x7fffffffa720, arg=0x7fffffffa6c0) at eval.c:3857
#20 eval6 (evalarg=0x7fffffffa7b0, rettv=0x7fffffffa720, arg=0x7fffffffa6c0) at eval.c:3636
#21 eval5 (arg=0x7fffffffa6c0, rettv=0x7fffffffa720, evalarg=0x7fffffffa7b0) at eval.c:3525
#22 0x00005555555fba7c in eval4 (arg=0x7fffffffa6c0, rettv=0x7fffffffa720, evalarg=0x7fffffffa7b0) at eval.c:3376
#23 0x00005555555fc1b2 in eval3 (evalarg=0x7fffffffa7b0, rettv=0x7fffffffa720, arg=0x7fffffffa6c0) at eval.c:3237
#24 eval2 (arg=arg@entry=0x7fffffffa6c0, rettv=rettv@entry=0x7fffffffa720, evalarg=evalarg@entry=0x7fffffffa7b0) at eval.c:3111
#25 0x00005555555fd47a in eval1 (evalarg=0x7fffffffa7b0, rettv=0x7fffffffa720, arg=0x7fffffffa6c0) at eval.c:2957
#26 eval0_retarg (arg=0x5555567c3e9b "s:Getlist(0, type)", rettv=0x7fffffffa720, eap=0x7fffffffaa10, evalarg=0x7fffffffa7b0, retarg=0x0) at eval.c:2866
#27 0x00005555555fd911 in eval0 (evalarg=0x7fffffffa7b0, eap=0x7fffffffaa10, rettv=0x7fffffffa720, arg=<optimized out>) at eval.c:2801
#28 eval_for_line (arg=<optimized out>, errp=errp@entry=0x7fffffffa7ac, eap=eap@entry=0x7fffffffaa10, evalarg=evalarg@entry=0x7fffffffa7b0) at eval.c:2196
#29 0x0000555555635709 in ex_while (eap=0x7fffffffaa10) at ex_eval.c:1355
#30 0x0000555555631a6a in do_one_cmd (cookie=0x7fffffffa9b0, fgetline=0x555555626bb0 <get_loop_line>, cstack=0x7fffffffabc0, flags=7, cmdlinep=0x7fffffffa970) at ex_docmd.c:2582
#31 do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x5555557aec10 <get_func_line>, cookie=cookie@entry=0x555556a9f500, flags=flags@entry=7) at ex_docmd.c:994
#32 0x00005555557b6ff6 in call_user_func (fp=0x55555631ede0, argcount=<optimized out>, argvars=<optimized out>, rettv=<optimized out>, funcexe=<optimized out>, selfdict=<optimized out>) at userfunc.c:3126
#33 0x00005555557b756e in call_user_func_check (fp=0x55555631ede0, argcount=1, argvars=0x7fffffffba20, rettv=0x7fffffffbc30, funcexe=0x7fffffffbcc0, selfdict=<optimized out>) at userfunc.c:3299
#34 0x00005555557b7c12 in call_func (funcname=funcname@entry=0x555556b7e340 "\200\375R203_Hier", len=len@entry=-1, rettv=rettv@entry=0x7fffffffbc30, argcount_in=argcount_in@entry=1, argvars_in=argvars_in@entry=0x7fffffffba20, funcexe=funcexe@entry=0x7fffffffbcc0) at userfunc.c:3923
#35 0x00005555557b80f7 in get_func_tv (name=name@entry=0x555556b7e340 "\200\375R203_Hier", len=len@entry=-1, rettv=rettv@entry=0x7fffffffbc30, arg=arg@entry=0x7fffffffbc10, evalarg=evalarg@entry=0x7fffffffbd20, funcexe=funcexe@entry=0x7fffffffbcc0) at userfunc.c:2013
#36 0x00005555557b8f13 in ex_call_inner (evalarg=0x7fffffffbd20, funcexe_init=0x7fffffffbc60, startarg=0x55555651182b "(0)", arg=0x7fffffffbc10, name=0x555556b7e340 "\200\375R203_Hier", eap=0x7fffffffc0e0) at userfunc.c:6103
#37 ex_call (eap=0x7fffffffc0e0) at userfunc.c:6451
#38 0x0000555555631a6a in do_one_cmd (cookie=0x7fffffffd420, fgetline=0x5555555aa5e0 <getnextac>, cstack=0x7fffffffc290, flags=11, cmdlinep=0x7fffffffc040) at ex_docmd.c:2582
#39 do_cmdline (cmdline=cmdline@entry=0x555556bec4d0 "call s:Hier(0)", fgetline=0x5555555aa5e0 <getnextac>, cookie=<optimized out>, flags=flags@entry=11) at ex_docmd.c:994
#40 0x00005555557ad7ef in do_ucmd (eap=eap@entry=0x7fffffffcb60) at usercmd.c:1961
#41 0x0000555555631e3c in do_one_cmd (cookie=0x7fffffffd420, fgetline=0x5555555aa5e0 <getnextac>, cstack=0x7fffffffcd10, flags=7, cmdlinep=0x7fffffffcac0) at ex_docmd.c:2575
#42 do_cmdline (cmdline=cmdline@entry=0x0, fgetline=fgetline@entry=0x5555555aa5e0 <getnextac>, cookie=cookie@entry=0x7fffffffd420, flags=flags@entry=7) at ex_docmd.c:994
#43 0x00005555555ac239 in apply_autocmds_group (event=event@entry=EVENT_WINENTER, fname=0x555556bbb540 "", fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0, group=group@entry=-3, buf=0x555556c838d0, eap=0x0) at autocmd.c:2314
#44 0x00005555555ad1d8 in apply_autocmds (event=event@entry=EVENT_WINENTER, fname=fname@entry=0x0, fname_io=fname_io@entry=0x0, force=force@entry=0, buf=<optimized out>) at autocmd.c:1779
#45 0x00005555557f29af in win_enter_ext (wp=wp@entry=0x555556c8e7a0, flags=flags@entry=25) at window.c:5426
#46 0x00005555557f2da5 in win_enter (undo_sync=1, wp=<optimized out>) at window.c:5282

@chrisbra
Member

This will be hard to fix if we cannot reproduce this.

corrupted size vs. prev_size in fastbins

That is an internal error from the libc.

@dpelle
Member

dpelle commented Feb 2, 2024

To bug reporter @Shane-XB-Qian: can you try to reproduce with an ASan build?

  • it should make the bug more reproducible
  • and if the bug happens, it will show useful information on stderr
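
Why the backtrace above reports the abort from inside `calloc()` rather than at the write that damaged the heap, and why an instrumented build helps, shown as an added example that is not part of the original thread. It is a toy arena constructed here (not glibc or Vim code; every name in it is hypothetical) that validates chunk metadata only when the allocator is entered, next to a checked write that rejects the same overrun at the faulting statement.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy arena (constructed, not glibc code): chunk = [u32 size][payload][u32 size]. */
enum { TAG = sizeof(uint32_t), ARENA_BYTES = 256 };
static unsigned char arena[ARENA_BYTES];
static size_t arena_top;                 /* offset of the first unused byte */
static uint32_t get_tag(size_t off) { uint32_t v; memcpy(&v, arena + off, TAG); return v; }
static void put_tag(size_t off, uint32_t v) { memcpy(arena + off, &v, TAG); }

/* Walk the chunks; return the offset of the first inconsistent one, or -1. */
static long toy_check(void) {
    for (size_t off = 0; off < arena_top; ) {
        uint32_t size = get_tag(off);
        uint64_t foot = (uint64_t)off + TAG + size;
        if (foot + TAG > arena_top || get_tag((size_t)foot) != size) return (long)off;
        off = (size_t)foot + TAG;
    }
    return -1;
}

/* Like malloc(), metadata is validated only when the allocator is entered. */
static void *toy_alloc(uint32_t size) {
    if (toy_check() >= 0 || arena_top + size + 2 * TAG > ARENA_BYTES) return NULL;
    put_tag(arena_top, size);
    put_tag(arena_top + TAG + size, size);
    arena_top += size + 2 * TAG;
    return arena + arena_top - TAG - size;
}

/* Checked write, the idea behind an instrumented build: validate at the access. */
static int toy_write(unsigned char *p, int c, uint32_t len) {
    if (len > get_tag((size_t)(p - arena) - TAG)) return -1;
    memset(p, c, len);
    return 0;
}
/* Step at which the overflow is reported: 2 = the bad write, 3 = a later alloc. */
int detection_step(int checked) {
    arena_top = 0;
    unsigned char *a = toy_alloc(8);            /* step 1 */
    toy_alloc(8);                               /* neighbouring chunk */
    if (checked && toy_write(a, 'A', 8 + 2 * TAG) < 0) return 2;
    if (!checked) memset(a, 'A', 8 + 2 * TAG);  /* step 2: overruns a's footer */
    return toy_alloc(16) == NULL ? 3 : 0;       /* step 3: unrelated caller */
}
int main(void) {
    printf("unchecked: step %d, checked: step %d\n", detection_step(0), detection_step(1));
    return 0;
}
```

In the unchecked run the caller that gets the failure is the third, unrelated allocation, which is the position the `create_funccal` frame occupies in the trace above.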

@Shane-XB-Qian
Contributor Author

I do not think so, it should be similar to the bt, or anyway I am afraid I cannot repro it solidly.
According to that trace, I am guessing it should be some flaw in 'win_enter', e.g. 'switchbuf', especially 'uselast'.
Though not sure where, recent changes to those may be helpful to recall the places, the logic or the code itself.

@chrisbra
Member

closing as unreproducible

@chrisbra closed this as not planned on Feb 26, 2024