Problem : Use-after-free @ 15081.
Diagnostic : Multithreading issue.
Rationale : `get_dict_callback` can return NULL on two different
cases: 1) when the dict doesn't contain the given key;
this case is not considered an error. 2) when the key
exists but there's some problem with its value; this is
considered an error.
Then, code calling `get_dict_callback` in
`common_job_callbacks`, as well as code calling
`common_job_callbacks`, uses `did_emsg` to distinguish
between error/non-error cases.
Suggested error path presumes an error condition within
`common_job_callbacks`, with `did_emsg` being true, but
then being false just after returning to calling code in
`f_termopen`.
That, clearly, could only happen if another thread run in
between those points.
Resolution : Refactor `get_dict_callback` and `common_job_callbacks`, so
that they clearly distinguish between error/non-error
situations, without recurring to globals.
Problem : Dereference of null pointer @ 10812.
Diagnostic : False positive.
Rationale : `args->lv_first` can't be NULL, as we have just stated
above that that there's at least one item.
Resolution : Assert.
The fallowing test (reduced), submitted by @mhinz may free term->buf,
leaving the pointer dangling.
```vim
let s:buf = -1
function! s:exit_handler()
execute 'bdelete!' s:buf
endfunction
vnew
let s:buf = bufnr('%')
let id = termopen('sleep 1', { 'on_exit': function('s:exit_handler') })
call s:test()
```
When the buffer is known to be closing, set term->buf to NULL, and check
buf_valid() in on_refresh().
Helped-by: Marco Hinz (@mhinz)
Problem: A search with end offset gets stuck at end of file. (Gary Johnson)
Solution: When a search doesn't move the cursor repeat it with a higher
count. (Christian Brabandt)
https://github.com/vim/vim/releases/tag/v7-4-636
The original fix 3db0a40d69
does not work for more than one loop iteration, because memory allocated
in the previous iteration could be reused in the current iteration.
Because expand_wildcards() never reads the variables *num_file
and *file before the first assignment to them, the initial
values for these variables can be anything. So instead of
calling expand_shellcmd() with *file = "" we set *file = NULL.
That should help coverity see, that not a array-typed value
is freed.
Helped-by: Eliseo Martínez <eliseomarmol@gmail.com>
Be more specific in the description of mch_expand_wildcards():
This function will never free memory pointed to by its arguments.
If OK is returned, *file will always point to allocated memory.
*num_file is set to the number of pointers in *file.
If FAIL is returned *file is set to NULL and *num_file to 0.
If gen_expand_wildcards() returns FAIL, no memory allocation in this
function needs to be undone.
If expand_wildcards() returns FAIL, no memory allocation in this
function needs to be undone.
Helped-by: Eliseo Martínez <eliseomarmol@gmail.com>
Helped-by: Michael Reed <m.reed@mykolab.com>
Problem: With some regexp patterns the NFA engine uses many states and
becomes very slow. To the user it looks like Vim freezes.
Solution: When the number of states reaches a limit fall back to the old
engine. (Christian Brabandt)
https://github.com/vim/vim/releases/tag/v7-4-497
Helped-by: David Bürgin <676c7473@gmail.com>
Helped-by: Justin M. Keyes <justinkz@gmail.com>
Helped-by: Scott Prager <splinterofchaos@gmail.com>
Pressing <C-\> and then a mouse click will insert the click into the
terminal as if a keyboard button had been pressed.
Keep track of whether the last input was <C-\> and only call
terminal_send_key() if the next input is a key press.
While in a terminal and insert mode, if an event caused loss of focus,
nvim would stay in the terminal event loop causing an inconsistent view
of internal state and/or segfault.
Remove the "term" argument from terminal_enter() as it only makes sense
to call it with curbuf->terminal. Terminate the loop when switched to a
different buffer.
fixes#2301
This makes :<c-r>* work as expected and
avoids clobbering zero register ("0) when pasting unnamed clipboard
Helped-By: Scott Prager <splinterofchaos@gmail.com>
Helped-By: Michael Reed <m.reed@mykolab.com>
This makes the interpretion consistent with the way newlines are used in
the VIMENC format, while keeping the same fallback behaviour when
regtype is unspecified. Also check both cases explicitly in the tests.
indent/r.vim : change shiftwidth to 2 and minor bug fixes.
indent/rhelp.vim : move the position of the test if the script was already sourced
indent/rmd.vim : minor bug fix
indent/rnoweb.vim : minor bug fix
syntax/r.vim : minor bug fixes and improvement (distinguish = from ==)
channel_write() uses a ref-counted buffer for writing. This buffer
should be released if it was used in "refcount" channel_write() calls.
But calling channel_write() on a closed channel would return early and
not decrease the refcount of the used buffer.
Notifications for a channel will be sent directly if there are no
pending requests (for this channel). Otherwise notifications are queued
for later sending.
But in two cases a notification could be sent with pending requests:
* Broadcasting a notification
* A channel that has just finished its last pending request
would call send_delayed_notifications() for all channels.
To prevent this, every channel can now only send its own delayed
notifications and broadcasting checks for pending requests.
This library makes it easier to script communication with interactive programs.
It is similar to what the "expect" tcl extension does, but uses an object
oriented API and is designed to integrate nicely with Neovim job control.
