neovim / neovim

Vim-fork focused on extensibility and usability
https://neovim.io

Crash: vim_dialog_yesnocancel #24196

Open przepompownia opened 1 year ago

przepompownia commented 1 year ago

Problem

It's an accidental side effect of testing #24136 with nvim-qt.

I accidentally closed the nvim-qt window before the crash expected from #24136, i.e. when the Telescope window was still shown, and got another crash.

https://github.com/neovim/neovim/assets/11404453/96234728-fec8-4f3e-b3db-05f4a6f23368

=================================================================
==787438==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000181a40 at pc 0x5607b2294690 bp 0x7ffe9e2682b0 sp 0x7ffe9e2682a8
READ of size 4 at 0x611000181a40 thread T0
    #0 0x5607b229468f in msgpack_rpc_from_object .../src/nvim/msgpack_rpc/helpers.c:331:23
    #1 0x5607b229996d in msgpack_rpc_from_array .../src/nvim/msgpack_rpc/helpers.c:415:5
    #2 0x5607b163782f in push_call .../src/nvim/api/ui.c:584:3
    #3 0x5607b1657c28 in remote_ui_event .../src/nvim/api/ui.c:1037:3
    #4 0x5607b2a8de58 in ui_call_event .../src/nvim/ui.c:677:5
    #5 0x5607b2a9e508 in ui_call_msg_show .../build/src/nvim/auto/ui_events_call.generated.h:427:3
    #6 0x5607b21de5fb in msg_ext_ui_flush .../src/nvim/message.c:3187:5
    #7 0x5607b2aa6ce0 in ui_flush .../src/nvim/ui.c:498:3
    #8 0x5607b1f5cbc9 in get_keystroke .../src/nvim/input.c:98:5
    #9 0x5607b21f3a43 in do_dialog .../src/nvim/message.c:3541:13
    #10 0x5607b21f4424 in vim_dialog_yesnocancel .../src/nvim/message.c:3793:11
    #11 0x5607b1ca7c04 in dialog_changed .../src/nvim/ex_cmds2.c:213:11
    #12 0x5607b1ca7714 in check_changed .../src/nvim/ex_cmds2.c:176:7
    #13 0x5607b1ca9f6b in check_changed_any .../src/nvim/ex_cmds2.c:358:11
    #14 0x5607b1d1e135 in ex_quit_all .../src/nvim/ex_docmd.c:4625:24
    #15 0x5607b1ce953f in execute_cmd0 .../src/nvim/ex_docmd.c:1634:7
    #16 0x5607b1cc6696 in do_one_cmd .../src/nvim/ex_docmd.c:2293:7
    #17 0x5607b1cb6eee in do_cmdline .../src/nvim/ex_docmd.c:592:20
    #18 0x5607b1cbc060 in do_cmdline_cmd .../src/nvim/ex_docmd.c:291:10
    #19 0x5607b169111e in nvim_command .../src/nvim/api/vimscript.c:142:3
    #20 0x5607b15fd567 in handle_nvim_command .../build/src/nvim/auto/api/private/dispatch_wrappers.generated.h:8703:3
    #21 0x5607b228063a in request_event .../src/nvim/msgpack_rpc/channel.c:423:19
    #22 0x5607b28d3b29 in state_handle_k_event .../src/nvim/state.c:117:7
    #23 0x5607b197ee01 in insert_handle_key .../src/nvim/edit.c:877:5
    #24 0x5607b195a48b in insert_execute .../src/nvim/edit.c:668:10
    #25 0x5607b28d38ec in state_enter .../src/nvim/state.c:99:26
    #26 0x5607b1961ea9 in insert_enter .../src/nvim/edit.c:337:5
    #27 0x5607b1956cfb in edit .../src/nvim/edit.c:1263:3
    #28 0x5607b2310a2e in invoke_edit .../src/nvim/normal.c:6279:7
    #29 0x5607b22e69d2 in nv_edit .../src/nvim/normal.c:6256:5
    #30 0x5607b22d0185 in normal_execute .../src/nvim/normal.c:1202:3
    #31 0x5607b28d38ec in state_enter .../src/nvim/state.c:99:26
    #32 0x5607b22b3830 in normal_enter .../src/nvim/normal.c:501:3
    #33 0x5607b140acb6 in main .../src/nvim/main.c:641:3
    #34 0x7fb69ae6f189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #35 0x7fb69ae6f244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #36 0x5607b1348f50 in _start (.../bin/nvim+0xc55f50) (BuildId: 998f1b061e54cb5afc8955cc9de9470749b57285)

0x611000181a40 is located 0 bytes inside of 256-byte region [0x611000181a40,0x611000181b40)
freed by thread T0 here:
    #0 0x5607b13cbaf2 in free (.../bin/nvim+0xcd8af2) (BuildId: 998f1b061e54cb5afc8955cc9de9470749b57285)
    #1 0x5607b21a0938 in xfree .../src/nvim/memory.c:134:3
    #2 0x5607b162360f in api_free_array .../src/nvim/api/private/helpers.c:592:3
    #3 0x5607b21de6a2 in msg_ext_ui_flush .../src/nvim/message.c:3193:5
    #4 0x5607b1943c2b in showmode .../src/nvim/drawscreen.c:902:3
    #5 0x5607b191f1b9 in update_screen .../src/nvim/drawscreen.c:663:5
    #6 0x5607b1d21095 in ex_redraw .../src/nvim/ex_docmd.c:6170:3
    #7 0x5607b1ce953f in execute_cmd0 .../src/nvim/ex_docmd.c:1634:7
    #8 0x5607b1cc6696 in do_one_cmd .../src/nvim/ex_docmd.c:2293:7
    #9 0x5607b1cb6eee in do_cmdline .../src/nvim/ex_docmd.c:592:20
    #10 0x5607b1cbc060 in do_cmdline_cmd .../src/nvim/ex_docmd.c:291:10
    #11 0x5607b169111e in nvim_command .../src/nvim/api/vimscript.c:142:3
    #12 0x5607b14670a4 in nlua_api_nvim_command .../build/src/nvim/auto/lua_api_c_bindings.generated.c:5611:3
    #13 0x5607b2e1e895 in lj_BC_FUNCC (.../bin/nvim+0x272b895) (BuildId: 998f1b061e54cb5afc8955cc9de9470749b57285)

previously allocated by thread T0 here:
    #0 0x5607b13cc1c6 in __interceptor_realloc (.../bin/nvim+0xcd91c6) (BuildId: 998f1b061e54cb5afc8955cc9de9470749b57285)
    #1 0x5607b21a0ae6 in xrealloc .../src/nvim/memory.c:168:15
    #2 0x5607b21f1f9b in msg_ext_emit_chunk .../src/nvim/message.c:2141:3
    #3 0x5607b21de4d0 in msg_ext_ui_flush .../src/nvim/message.c:3185:3
    #4 0x5607b2aa6ce0 in ui_flush .../src/nvim/ui.c:498:3
    #5 0x5607b1f5cbc9 in get_keystroke .../src/nvim/input.c:98:5
    #6 0x5607b21f3a43 in do_dialog .../src/nvim/message.c:3541:13
    #7 0x5607b21f4424 in vim_dialog_yesnocancel .../src/nvim/message.c:3793:11
    #8 0x5607b1ca7c04 in dialog_changed .../src/nvim/ex_cmds2.c:213:11
    #9 0x5607b1ca7714 in check_changed .../src/nvim/ex_cmds2.c:176:7
    #10 0x5607b1ca9f6b in check_changed_any .../src/nvim/ex_cmds2.c:358:11
    #11 0x5607b1d1e135 in ex_quit_all .../src/nvim/ex_docmd.c:4625:24
    #12 0x5607b1ce953f in execute_cmd0 .../src/nvim/ex_docmd.c:1634:7
    #13 0x5607b1cc6696 in do_one_cmd .../src/nvim/ex_docmd.c:2293:7
    #14 0x5607b1cb6eee in do_cmdline .../src/nvim/ex_docmd.c:592:20
    #15 0x5607b1cbc060 in do_cmdline_cmd .../src/nvim/ex_docmd.c:291:10
    #16 0x5607b169111e in nvim_command .../src/nvim/api/vimscript.c:142:3
    #17 0x5607b15fd567 in handle_nvim_command .../build/src/nvim/auto/api/private/dispatch_wrappers.generated.h:8703:3
    #18 0x5607b228063a in request_event .../src/nvim/msgpack_rpc/channel.c:423:19
    #19 0x5607b28d3b29 in state_handle_k_event .../src/nvim/state.c:117:7
    #20 0x5607b197ee01 in insert_handle_key .../src/nvim/edit.c:877:5
    #21 0x5607b195a48b in insert_execute .../src/nvim/edit.c:668:10
    #22 0x5607b28d38ec in state_enter .../src/nvim/state.c:99:26
    #23 0x5607b1961ea9 in insert_enter .../src/nvim/edit.c:337:5
    #24 0x5607b1956cfb in edit .../src/nvim/edit.c:1263:3
    #25 0x5607b2310a2e in invoke_edit .../src/nvim/normal.c:6279:7
    #26 0x5607b22e69d2 in nv_edit .../src/nvim/normal.c:6256:5
    #27 0x5607b22d0185 in normal_execute .../src/nvim/normal.c:1202:3
    #28 0x5607b28d38ec in state_enter .../src/nvim/state.c:99:26
    #29 0x5607b22b3830 in normal_enter .../src/nvim/normal.c:501:3

SUMMARY: AddressSanitizer: heap-use-after-free .../src/nvim/msgpack_rpc/helpers.c:331:23 in msgpack_rpc_from_object
==787438==ABORTING

Steps to reproduce

Currently I cannot reproduce it on the example from #24136.

Expected behavior

No crash

Neovim version (nvim -v)

v0.10.0-dev-594+g421c66f74

Vim (not Nvim) behaves the same?

-

Operating system/version

Debian Sid

Terminal name/version

tmux 3.3a-4, kitty 0.26.5

$TERM environment variable

tmux-256color

Installation

build from repo

zeertzjq commented 1 year ago

Sounds very similar to #21604.

przepompownia commented 1 year ago

In my environment it's enough to reproduce by closing the nvim-qt window while the Telescope builtin dialog is open. Unlike #24136, this bug occurs every time for me. I'll provide a simpler config if possible in my free time.

zeertzjq commented 1 year ago

Is this with noice?

przepompownia commented 1 year ago

Good question. It does not occur without Noice UI.

Strange thing: I can reproduce it on a binary (751b9d73fdf6114b1f14026826306d8a41234862) built with ASAN only (CC=clang make CMAKE_EXTRA_FLAGS="-DENABLE_ASAN_UBSAN=ON").
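The three stacks in the report fit one pattern: the chunk array is allocated and read by the outer msg_ext_ui_flush on the do_dialog path, while a nested msg_ext_ui_flush reached from Lua (nvim_command → ex_redraw → showmode) frees it, and the later comments tie that nested call to the Noice UI. The constructed C model below is added here and is not Neovim's code: it reproduces that re-entrancy with a pointer check standing in for ASan and shows one defensive pattern (taking ownership of the buffer before invoking UI callbacks); all names and the prompt text are hypothetical.

```c
#include <stdlib.h>
/* Constructed model (not Neovim code) of a global chunk array that a flush hands to every UI, then frees. */
typedef struct { const char **items; size_t size; } Array;
typedef void (*ui_cb)(Array chunks);
static Array g_chunks;                 /* stands in for msg_ext_chunks */
static const char **g_last_freed;      /* poor man's ASan: the last freed buffer */
static int g_reentered, g_uaf;
static void (*g_flush)(void);          /* flush variant under test */
static void emit_chunk(const char *text) {
  g_chunks.items = realloc(g_chunks.items, (g_chunks.size + 1) * sizeof *g_chunks.items);
  g_chunks.items[g_chunks.size++] = text;
}
static void free_array(Array *a) {
  g_last_freed = a->items;
  free(a->items);
  *a = (Array){ NULL, 0 };
}
/* Lua UI whose msg_show handler runs :redraw, flushing again (the nlua_api_nvim_command -> showmode stack). */
static void lua_ui(Array chunks) {
  (void)chunks;
  if (g_reentered++ == 0) g_flush();   /* re-enter once, like the nested flush */
}
/* Remote UI serialising the chunks for the msgpack-rpc client (nvim-qt). */
static void remote_ui(Array chunks) {
  if (chunks.items == g_last_freed) g_uaf++;   /* ASan would flag this read */
}
static ui_cb g_uis[] = { lua_ui, remote_ui };
/* Buggy: event args alias the global, so the nested flush frees them mid-loop. */
static void flush_buggy(void) {
  if (g_chunks.size == 0) return;
  Array args = g_chunks;
  for (size_t i = 0; i < 2; i++) g_uis[i](args);
  free_array(&g_chunks);
}
/* Fixed: take ownership before the UI loop; a nested flush finds the global empty. */
static void flush_fixed(void) {
  if (g_chunks.size == 0) return;
  Array args = g_chunks;
  g_chunks = (Array){ NULL, 0 };
  for (size_t i = 0; i < 2; i++) g_uis[i](args);
  free_array(&args);
}
/* Flushes one dialog prompt to both UIs; returns the freed-buffer reads made. */
static int run_scenario(int fixed) {
  g_flush = fixed ? flush_fixed : flush_buggy;
  g_reentered = g_uaf = 0;
  g_last_freed = NULL;
  emit_chunk("Save changes to \"Untitled\"?");   /* constructed prompt text */
  g_flush();
  return g_uaf;
}
```

With the buggy flush the remote UI is handed a buffer the nested flush already released; with ownership moved out of the global first, the nested flush has nothing to free and the delivery completes on live memory.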