fix(events): crash on WinScrolled#35995
Merged
justinmk merged 5 commits intoneovim:masterfrom Nov 26, 2025
Merged
Conversation
zeertzjq
reviewed
Oct 2, 2025
|
Today I compiled neovim with these changes and I wasn't experiencing any more crashes. I'd also done a bit of debugging and from what I understand the free after use occurs when That said it seems valid to pull out the code that needs to read the memory and read it before any autocmd is run that potentially frees it. |
Problem: apply_autocmds function can free both buf_T and win_T pointers Solution: instead retain winids for WinResized and WinScrolled autocmds and use curbuf pointer, which is consistent with other uses of apply_autocmds function
Member
|
Thanks! If you can think of a test case, For testing timing-sensitive behavior, note that:
|
Contributor
Author
|
Please check now. I was actually able to come up with the test case that produces this crash. |
justinmk
reviewed
Oct 5, 2025
justinmk
reviewed
Oct 7, 2025
justinmk
reviewed
Oct 7, 2025
src/nvim/window.c
Outdated
Comment on lines
+5784
to
+5792
| apply_autocmds(EVENT_WINRESIZED, winid, winid, false, first_size_win->w_buffer); | ||
| apply_autocmds(EVENT_WINRESIZED, resize_winid, resize_winid, false, curbuf); |
Member
There was a problem hiding this comment.
Using curbuf here, I think, changes the meaning of <abuf>? If we save the handles as I described, then here we can check bufref_valid :
buf_T *buf = bufref_valid(resize_bufref) ? resize_bufref.br_buf : curbuf;
apply_autocmds(EVENT_WINRESIZED, resize_winid, resize_winid, false, curbuf);Then we still may need to update the documentation. Or maybe we should throw an error instead of calling apply_autocmds, if the buf is no longer valid.
justinmk
approved these changes
Oct 7, 2025
Member
justinmk
left a comment
There was a problem hiding this comment.
The patch is at least harmless, and if it fixes a crash then we can try it. But I think the changes I suggested will help a bit more, please try them.
Note: running the test you added did not fail correctly without the patch, but at least the test does look like it exercises the problem, so I assume ASAN might catch it.
|
@justinmk I wonder if there is any particular reason why this fix wasn't included in the 0.11.5 release. Neovim keeps crashing for me and I have to patch it myself. I'd love to see this fixed and I'd also try to help if I knew what's still missing. Thanks 🙏🏻 |
github-actions bot
pushed a commit
that referenced
this pull request
Nov 26, 2025
Problem: apply_autocmds function can free both buf_T and win_T pointers Solution: instead retain winids for WinResized and WinScrolled autocmds and use curbuf pointer, which is consistent with other uses of apply_autocmds function (cherry picked from commit 0a0c349)
github-actions bot
pushed a commit
that referenced
this pull request
Nov 26, 2025
Problem: apply_autocmds function can free both buf_T and win_T pointers Solution: instead retain winids for WinResized and WinScrolled autocmds and use curbuf pointer, which is consistent with other uses of apply_autocmds function (cherry picked from commit 0a0c349)
|
Successfully created backport PR for |
github-actions bot
pushed a commit
that referenced
this pull request
Nov 26, 2025
Problem: apply_autocmds function can free both buf_T and win_T pointers Solution: instead retain winids for WinResized and WinScrolled autocmds and use curbuf pointer, which is consistent with other uses of apply_autocmds function (cherry picked from commit 0a0c349)
yochem
pushed a commit
to yochem/neovim
that referenced
this pull request
Dec 15, 2025
Problem: apply_autocmds function can free both buf_T and win_T pointers Solution: instead retain winids for WinResized and WinScrolled autocmds and use curbuf pointer, which is consistent with other uses of apply_autocmds function
2 tasks
justinmk
added a commit
to justinmk/neovim
that referenced
this pull request
Jan 26, 2026
Following is a list of fix/feature commits in this release. See `:help news` in Nvim for release notes. FEATURES -------------------------------------------------------------------------------- - b92e92b lsp: support auto-force escalation in client stop neovim#36430 - 808d973 lsp: warn about unknown filetype neovim#36910 FIXES -------------------------------------------------------------------------------- - 5e7af0b :ls: check for finished terminal properly (neovim#37303) - 6ce7b9b api: autocmds mess up nvim_get_option_value's dummy buffer - c124594 api: buffer overflow in nvim_buf_get_extmarks overlap neovim#37184 - 7f51431 api: crash when moving curwin to other tabpage neovim#35679 - 7896fe2 api: do not allow opening float to closing buffer - 91ebbc6 api: ignore split_disallowed when opening a float - 10a1df2 api: nvim_get_option_value dummy buffer crashes - da825e5 api: on_bytes gets stale data on :substitute neovim#36487 - a9ffdca api: open_win leak from naughty autocommands - 92849ea api: parse_expression crash with ident and curly - 1db945b api: parse_expression crash with unopened ] and node - 79b67ce appimage: wrong $ARCH used by linuxdeploy neovim#36712 - 46011a4 autocmd: fire TabClosed after freeing tab page - a512d43 autocmd: heap UAF with :bwipe in Syntax autocmd - bea500d autocmd: parsing of comma-separated buflocal patterns - 648cf4e autocmd: skip empty comma-separated patterns properly - fa24e04 buffer: defer w_buffer clearing to prevent dict watcher crash neovim#36748 - 9fb49aa buffer: don't allow changedtick watcher to delete buffer (neovim#36764) - cae3c83 buffer: don't reuse 1-line terminal buffer (neovim#37261) - 6f84ea7 buffer: switching buffer should respect jumpoptions+=view (neovim#36969) - 16ca7ce build: disable problematic marktree assert in RelWithDebInfo builds - c469cba channel: unreference list after callback finishes (neovim#37358) - 43f5297 clipboard: tmux clipboard data may be stale neovim#36787 - 0358f37 clipboard: use tmux only in a tmux session (neovim#36603) - 7e99466 eval: 0 should mean current tabpage in gettabvar() (neovim#36891) - 656ff4c events: crash on WinScrolled neovim#35995 - 63c5a10 install: only install "tee" on Windows neovim#36629 - e8c21a8 langmap: assert failure on mapping to char >= 256 (neovim#37291) - 890c257 lsp: check `nvim.lsp.enable` before `doautoall` neovim#36518 - 275c769 lua: don't remove first char of non-file stacktrace source (neovim#37008) - 83c589d lua: relax `vim.wait()` timeout validation (neovim#36907) - bd2317f lua: separate vim.{g,b,w,t} types neovim#37081 - f21c169 lua: vim._with() doesn't save boolean options properly (neovim#37354) - 9acbf51 lua: vim.wait(math.huge) fails neovim#36885 - 5143419 man.lua: :Man slow/hangs if MANPAGER is set neovim#36689 - df9452e man.lua: show_toc condition may cause infinite loop neovim#36979 - 124c182 marks: wrong line('w$', win) with conceal_lines (neovim#37047) - 6ef1b65 normal: assertion failure with "gk" in narrow window (neovim#37444) - 5ca2eb5 remote: remote-ui connect timeout on slow networks neovim#36800 - 2a3cd8d rpc: don't overwrite already received results on error (neovim#37339) - e0fdfd3 scripts: release.sh - ba600c4 session: window sizes not stored with float windows (neovim#37344) - 53090ab statusline: scope truncation bookkeeping - 800118e terminal: :edit should respect 'bufhidden' with exited job (neovim#37301) - 4b41c28 terminal: <Ignore> should be no-op (neovim#37494) - 074d342 terminal: avoid multiple terminals writing to same buffer (neovim#37219) - 2cc7873 terminal: crash when TermClose deletes other buffers - ea87192 terminal: crash when TermClose switches back to terminal buffer - ceed171 terminal: crash with race between buffer close and OSC 2 (neovim#37225) - acc46e1 terminal: handle closing terminal with pending TermRequest (neovim#37227) - bb31e7b terminal: inconsistent mode change when switching buffer (neovim#37215) - 40c974e terminal: restore options properly when switching buffer (neovim#37485) - 46f569a treesitter: use metadata in :EditQuery captures neovim#37116 - 076f799 trust: :trust command on Windows neovim#36509 - d997c8e tutor: escape tutor filename neovim#36539 - fcd0517 ui.open: use "start" instead of deprecated "rundll32" neovim#36731 - 6a507ba vim.fs: abspath(".") returns "/…/." (neovim#36584) - d974c68 vim.fs: root() should always return absolute path neovim#36466 - 91fd4d1 vim.loader: randomized AppImage path pollutes luac cache neovim#35636 - 45cda1b vim.loader: randomized AppImage path pollutes luac cache neovim#36944 - d9631c7 window: crash closing only non-float if autocmds :tabonly (neovim#37218) - f7e2554 window: crash closing split if autocmds close other splits (neovim#37233) - 7a9bced window: disallow closing autocmd window in other tabpage - 88619e1 window: handle closing the only non-float in other tabpage - d38ba7e window: restore b_nwindows if win_close_othertab keeps window - 6338d2d window: win_move_after UAF from naughty autocmds (neovim#37065) - fac7c10 windows: set manifest resource ID to 1 in nvim.rc for MinGW (neovim#36611) BUILD -------------------------------------------------------------------------------- - d0ed06d haiku os support neovim#36639 - a94647b build(windows): restore "tee" on Windows neovim#36627 - 1f93acc build(windows): vendor xxd.c (neovim#36755) REVERTED CHANGES -------------------------------------------------------------------------------- - ae25f69 fix: vim.lsp.omnifunc should not throw away other items VIM PATCHES -------------------------------------------------------------------------------- - b3eab00 229f79c: runtime(yaml): fix wrong order of undo_ftplugin suboptions - 89f8e97 3a324c8: runtime(doc): Fix typo in syntax.txt (neovim#37522) - d1cd79a 64799a5: runtime(doc): clarify the behavior of CTRL-Z - 0978d83 7bc9880: runtime(make): do not automatically indent after a special target - 781da75 8.1.0753: printf format not checked for semsg() (neovim#37248) - 44eae48 9.1.0893: No test that undofile format does not regress (neovim#37193) - 9a50420 9.1.1872: Cmdline history not updated when mapping <Up> and <CR> (neovim#36334) - d1604e0 9.1.1969: Wrong cursor position after formatting with long 'formatprg' (neovim#36918) - fda8d2c 9.1.2028: [security]: Buffer-overflow with incomplete multi-byte chars (neovim#37133) - f96e401 9.1.2055: Division by zero in :file after failing to wipe buffer (neovim#37268) - f8961c3 9.1.2058: b_locked_split is not checked for :sbuffer - 9f2b991 9.1.2066: :wqall! doesn't close a terminal like :qall! does (neovim#37314) - b1fa8f1 9.1.2068: :bd/bw may try to switch to a closing buffer - 600d9f3 9.1.2086: Memory leak when skipping invalid literal dict - 0cc15be 9.1.2087: Crash when using :tabonly in BufUnload - d052d22 9.1.2090: Last buffer not freed with EXITFREE - 537e8d6 9.1.2095: :wqall! doesn't quit when using :quit in BufWritePost - 0b1f5a1 9.1.2105: tests: not enough tests for using plain_vgetc() (neovim#37521) - 0da1e4b 9.1.2107: :normal may change cmdline history (neovim#37523) - a66fce6 98a0cbf: patch 9.1.1971: crash with invalid positional argument 0 in printf() (neovim#36919) - 85404d1 eb732ed: runtime(doc): Wrap overlength lines in uganda.txt (neovim#36550) - a93b5a7 fe8c8b1: runtime(doc): fix outdated :function help - 0706c55 partial:9.1.1955: sort() does not handle large numbers correctly (neovim#36840)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Save window info before running autocmds since they can free windows.
fixes: #35803