Segfault (msgpack)

[qRoC]

Problems

1. exit with status 1 (logs: chan_close_with_error:560: RPC: (null))
2. Crash with status 130:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000003209cd220
Exception Codes:       0x0000000000000001, 0x00000003209cd220

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [11660]

VM Region Info: 0x3209cd220 is not in any region.  Bytes after previous region: 2385498657  Bytes before following region: 54213684704
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      unused __TEXT               2926cc000-2926d0000    [   16K] r--/r-- SM=COW  unused  unknown system shared lib __TEXT
--->  GAP OF 0xd2d930000 BYTES
      commpage (reserved)         fc0000000-1000000000   [  1.0G] ---/--- SM=NUL  reserved VM address space (unallocated)

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   nvim                          	       0x100d60ab4 tui_raw_line + 80
1   nvim                          	       0x100bf62a8 parse_msgpack + 348
2   nvim                          	       0x100bf3ff0 receive_msgpack + 304
3   nvim                          	       0x100af0dc8 read_cb + 404
4   libuv.1.dylib                 	       0x1014e35b4 uv__stream_io + 1004
5   libuv.1.dylib                 	       0x1014ea164 uv__io_poll + 1408
6   libuv.1.dylib                 	       0x1014da93c uv_run + 272
7   nvim                          	       0x100d689bc ui_client_run + 172
8   nvim                          	       0x100b963cc main + 17512
9   dyld                          	       0x198bc60e0 start + 2360

Steps to reproduce

Scroll any file

Expected behavior

No crash/errors

Neovim version (nvim -v)

NVIM v0.10.0-dev-2582+g2a8cef6bd-Homebrew
NVIM v0.10.0-dev-2593+ga6b6d036b-Homebrew
NVIM v0.10.0-dev-2536+g55c9e2c96 <-- broken commit

Vim (not Nvim) behaves the same?

no

Operating system/version

macOS 14

Terminal name/version

Alacritty

$TERM environment variable

xterm-256color

Installation

brew

[qRoC]

Broken commit #55c9e2c

@bfredl

[nyngwang]

Can confirm, I just encountered this at the current HEAD a6b6d03.

[zeertzjq]

Can you build Nvim with ASAN and get an ASAN log?

[qRoC]

Commit: a6b6d036b19a548e3f2a199c6927ac7495c02ea1
Build type: Debug
LuaJIT 2.1.1703358377
Compilation: /usr/bin/clang -g -fno-sanitize-recover=all -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize=undefined -fsanitize=address -Wall -Wextra -pedantic -Wno-unused-parameter -Wstrict-prototypes -std=gnu99 -Wshadow -Wconversion -Wvla -Wdouble-promotion -Wmissing-noreturn -Wmissing-format-attribute -Wmissing-prototypes -fsigned-char -fstack-protector-strong -Wimplicit-fallthrough -fdiagnostics-color=auto -Wl,-export_dynamic -DENABLE_ASAN_UBSAN -DNVIM_LOG_DEBUG -DUNIT_TESTING -DHAVE_UNIBILIUM -D_GNU_SOURCE -DINCLUDE_GENERATED_DECLARATIONS -DEXITFREE -I/opt/homebrew/include/luajit-2.1 -I/opt/homebrew/include -I/Users/qroc/Downloads/neovim/build/src/nvim/auto -I/Users/qroc/Downloads/neovim/build/include -I/Users/qroc/Downloads/neovim/build/cmake.config -I/Users/qroc/Downloads/neovim/src -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.4.sdk/usr/include -I/Library/Frameworks/Mono.framework/Headers

---

When crash (interesting fact - sometimes the tmux session with Alacritty dies)

==94808==ERROR: AddressSanitizer: SEGV on unknown address 0x0002edfca120 (pc 0x0001048e23f0 bp 0x00016d0475e0 sp 0x00016d046e30 T0)
==94808==The signal is caused by a READ memory access.
    #0 0x1048e23f0 in tui_raw_line tui.c:1582
    #1 0x1049361a0 in ui_client_event_raw_line ui_client.c:230
    #2 0x103f27a1c in parse_msgpack channel.c:293
    #3 0x103f18aa0 in receive_msgpack channel.c:263
    #4 0x103759adc in read_event rstream.c:191
    #5 0x103759214 in invoke_read_cb rstream.c:204
    #6 0x103757a28 in read_cb rstream.c:133
    #7 0x10610b5b0 in uv__stream_io+0x3e8 (libuv.1.dylib:arm64+0x135b0)
    #8 0x106112160 in uv__io_poll+0x57c (libuv.1.dylib:arm64+0x1a160)
    #9 0x106102938 in uv_run+0x10c (libuv.1.dylib:arm64+0xa938)
    #10 0x10373ddd8 in loop_uv_run loop.c:61
    #11 0x10373d8a8 in loop_poll_events loop.c:82
    #12 0x1049339cc in ui_client_run ui_client.c:131
    #13 0x103be5a34 in main main.c:400
    #14 0x198bc60dc  (<unknown module>)

==94808==Register values:
 x[0] = 0x000000010aa14800   x[1] = 0x0000000075706e69   x[2] = 0x000000003ca59174   x[3] = 0x000000003e642d43
 x[4] = 0x000000003e642e31   x[5] = 0x000000003e642e31   x[6] = 0x0000000000000000   x[7] = 0x0000000000000000
 x[8] = 0x00000002edfca120   x[9] = 0x00000002edfca120  x[10] = 0x0000000000000000  x[11] = 0x0000000000000001
x[12] = 0x0000000108d01580  x[13] = 0x000000016d045c88  x[14] = 0x000000016d045c80  x[15] = 0x0000000000000000
x[16] = 0x0000000198f7f1a0  x[17] = 0x000000010666c5d8  x[18] = 0x0000000000000000  x[19] = 0x000000016d047ae0
x[20] = 0x0000000105d02130  x[21] = 0x0000000000000000  x[22] = 0x0000000000000001  x[23] = 0x0000000000001894
x[24] = 0x0000000000000001  x[25] = 0x000000000000001f  x[26] = 0x0000000105d0219c  x[27] = 0x0000000000000001
x[28] = 0x000000016d049160     fp = 0x000000016d0475e0     lr = 0x00000001049361a4     sp = 0x000000016d046e30
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV tui.c:1582 in tui_raw_line
==94808==ABORTING

==29858==ERROR: AddressSanitizer: ABRT on unknown address 0x000198f16a60 (pc 0x000198f16a60 bp 0x00016fd01d70 sp 0x00016fd01d50 T0)
    #0 0x198f16a60 in __pthread_kill+0x8 (libsystem_kernel.dylib:arm64e+0x9a60)
    #1 0x198e5ba1c in abort+0xb0 (libsystem_c.dylib:arm64e+0x76a1c)
    #2 0x198e5ad0c in __assert_rtn+0x118 (libsystem_c.dylib:arm64e+0x75d0c)
    #3 0x10128d0a4 in unpacker_parse_redraw unpacker.c:462
    #4 0x1012884d8 in unpacker_advance unpacker.c:320
    #5 0x10126b6a8 in parse_msgpack channel.c:288
    #6 0x10125caa0 in receive_msgpack channel.c:263
    #7 0x100a9dadc in read_event rstream.c:191
    #8 0x100a9d214 in invoke_read_cb rstream.c:204
    #9 0x100a9ba28 in read_cb rstream.c:133
    #10 0x10344f5b0 in uv__stream_io+0x3e8 (libuv.1.dylib:arm64+0x135b0)
    #11 0x103456160 in uv__io_poll+0x57c (libuv.1.dylib:arm64+0x1a160)
    #12 0x103446938 in uv_run+0x10c (libuv.1.dylib:arm64+0xa938)
    #13 0x100a81dd8 in loop_uv_run loop.c:61
    #14 0x100a818a8 in loop_poll_events loop.c:82
    #15 0x101c779cc in ui_client_run ui_client.c:131
    #16 0x100f29a34 in main main.c:400
    #17 0x198bc60dc  (<unknown module>)

==29858==Register values:
 x[0] = 0x0000000000000000   x[1] = 0x0000000000000000   x[2] = 0x0000000000000000   x[3] = 0x0000000000000000
 x[4] = 0x0000000000000000   x[5] = 0x000000000000002e   x[6] = 0x000000016f514000   x[7] = 0x00000000000008a0
 x[8] = 0x5d6deffd101239b9   x[9] = 0x5d6defff10d78379  x[10] = 0x000000702dfc03b3  x[11] = 0x000000002dfa03b3
x[12] = 0x000000002dfa03b3  x[13] = 0x0000000000000000  x[14] = 0x0000000000000000  x[15] = 0x0000000000000000
x[16] = 0x0000000000000148  x[17] = 0x000000020afc6c30  x[18] = 0x0000000000000000  x[19] = 0x0000000000000006
x[20] = 0x0000000200c5bac0  x[21] = 0x0000000000000103  x[22] = 0x0000000200c5bba0  x[23] = 0x000000010218b1a0
x[24] = 0x00000001ff95a000  x[25] = 0x000000000000001f  x[26] = 0x000000010300219c  x[27] = 0x0000000000000001
x[28] = 0x000000016fd051a0     fp = 0x000000016fd01d70     lr = 0x0000000198f4ec20     sp = 0x000000016fd01d50
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (libsystem_kernel.dylib:arm64e+0x9a60) in __pthread_kill+0x8
==29858==ABORTING

Last logs:

DBG 2024-03-15T09:50:05.659 nvim.29932.0 ui_comp_raw_line:522: compositor: invalid row 80 on grid 3
DBG 2024-03-15T09:50:05.659 nvim.29932.0 inbuf_poll:466: blocking... events_enabled=0 events_pending=0
DBG 2024-03-15T09:50:05.659 nvim.29932.0 UI: raw_line (+1 times...)
DBG 2024-03-15T09:50:05.659 nvim.29932.0 UI: win_viewport
DBG 2024-03-15T09:50:05.659 nvim.29932.0 UI: flush
DBG 2024-03-15T09:50:05.659 nvim.29932.0 inbuf_poll:466: blocking... events_enabled=1 events_pending=0
DBG 2024-03-15T09:50:05.795 nvim.29932.0 read_cb:118: closing Stream (0x107301ea0): EOF (end of file)
DBG 2024-03-15T09:50:05.795 nvim.29932.0 stream_close:106: closing Stream: 0x107301ea0
DBG 2024-03-15T09:50:05.795 nvim.29932.0 stream_close:106: closing Stream: 0x107302050
INF 2024-03-15T09:50:05.795 nvim.29932.0 chan_close_with_error:560: RPC: ch 1 was closed by the client

---

Sometimes nvim exit with 141 error (so asan not created), when i build in Debug mode, I See logs:

DBG 2024-03-15T09:37:24.960 nvim.80182.0 state_enter:98: input: K_EVENT
DBG 2024-03-15T09:37:24.960 nvim.80182.0 state_no_longer_safe:315: SafeState reset: ins_typebuf()
DBG 2024-03-15T09:37:24.960 nvim.80182.0 may_trigger_safestate:301: SafeState: Start triggering
DBG 2024-03-15T09:37:24.961 nvim.80182.0 UI: raw_line
DBG 2024-03-15T09:37:24.963 nvim.80182.0 inbuf_poll:466: blocking... events_enabled=0 events_pending=0
DBG 2024-03-15T09:37:24.963 nvim.80182.0 UI: raw_line (+152 times...)
DBG 2024-03-15T09:37:24.963 nvim.80182.0 UI: win_viewport
DBG 2024-03-15T09:37:24.963 nvim.80182.0 UI: flush
DBG 2024-03-15T09:37:24.963 nvim.80182.0 state_enter:98: input: K_EVENT
DBG 2024-03-15T09:37:24.963 nvim.80182.0 state_no_longer_safe:315: SafeState reset: ins_typebuf()
DBG 2024-03-15T09:37:24.963 nvim.80182.0 may_trigger_safestate:301: SafeState: Start triggering
DBG 2024-03-15T09:37:24.964 nvim.80182.0 UI: raw_line
DBG 2024-03-15T09:37:24.966 nvim.80182.0 inbuf_poll:466: blocking... events_enabled=0 events_pending=0
DBG 2024-03-15T09:37:24.966 nvim.80182.0 UI: raw_line (+152 times...)
DBG 2024-03-15T09:37:24.966 nvim.80182.0 UI: win_viewport
DBG 2024-03-15T09:37:24.966 nvim.80182.0 UI: flush
DBG 2024-03-15T09:37:24.966 nvim.80182.0 state_enter:98: input: K_EVENT
DBG 2024-03-15T09:37:24.966 nvim.80182.0 state_no_longer_safe:315: SafeState reset: ins_typebuf()
DBG 2024-03-15T09:37:24.966 nvim.80182.0 may_trigger_safestate:301: SafeState: Start triggering
DBG 2024-03-15T09:37:24.966 ?.80181    log_notify:61: RPC -> 3: [notify]    nvim_input
DBG 2024-03-15T09:37:24.967 ?.80181    receive_msgpack:257: ch 3: parsing 6682 bytes from msgpack Stream: 0x1031020a0
ERR 2024-03-15T09:37:24.967 ?.80181    chan_close_with_error:560: RPC: (null)
DBG 2024-03-15T09:37:24.967 ?.80181    stream_close:106: closing Stream: 0x103101ef0
DBG 2024-03-15T09:37:24.967 ?.80181    stream_close:106: closing Stream: 0x1031020a0
DBG 2024-03-15T09:37:24.967 nvim.80182.0 UI: raw_line
DBG 2024-03-15T09:37:24.969 nvim.80182.0 receive_msgpack:257: ch 1: parsing 36 bytes from msgpack Stream: 0x107c01ea0
DBG 2024-03-15T09:37:24.969 nvim.80182.0 log_notify:61: RPC <- 1: [notify]    nvim_input
DBG 2024-03-15T09:37:24.969 nvim.80182.0 handle_nvim_input:6803: RPC: ch 1: invoke nvim_input
DBG 2024-03-15T09:37:24.969 nvim.80182.0 read_cb:118: closing Stream (0x107c01ea0): EOF (end of file)
DBG 2024-03-15T09:37:24.969 nvim.80182.0 stream_close:106: closing Stream: 0x107c01ea0
DBG 2024-03-15T09:37:24.969 nvim.80182.0 stream_close:106: closing Stream: 0x107c02050
INF 2024-03-15T09:37:24.969 nvim.80182.0 chan_close_with_error:560: RPC: ch 1 was closed by the client
DBG 2024-03-15T09:37:25.079 nvim.80182.0 state_no_longer_safe:315: SafeState reset: ins_typebuf()
INF 2024-03-15T09:37:25.118 ?.80181    on_process_exit:432: exited: pid=80182 status=141 stoptime=0
DBG 2024-03-15T09:37:25.120 ?.80181    stream_close:106: closing Stream: 0x107f24968
INF 2024-03-15T09:37:25.120 ?.80181    os_exit:692: Nvim exit: 141

DBG 2024-03-15T09:45:03.072 nvim.10743.0 UI: raw_line (+170 times...)
DBG 2024-03-15T09:45:03.072 nvim.10743.0 UI: win_viewport
DBG 2024-03-15T09:45:03.072 nvim.10743.0 UI: flush
DBG 2024-03-15T09:45:03.072 nvim.10743.0 state_enter:98: input: K_EVENT
DBG 2024-03-15T09:45:03.072 nvim.10743.0 state_no_longer_safe:315: SafeState reset: ins_typebuf()
DBG 2024-03-15T09:45:03.077 ?.10719    receive_msgpack:257: ch 3: parsing 8192 bytes from msgpack Stream: 0x1078020a0
DBG 2024-03-15T09:45:03.082 ?.10719    log_notify:61: RPC -> 3: [notify]    nvim_input
DBG 2024-03-15T09:45:03.082 ?.10719    receive_msgpack:257: ch 3: parsing 8050 bytes from msgpack Stream: 0x1078020a0
ERR 2024-03-15T09:45:03.082 ?.10719    chan_close_with_error:560: RPC: (null)
DBG 2024-03-15T09:45:03.082 ?.10719    stream_close:106: closing Stream: 0x107801ef0
DBG 2024-03-15T09:45:03.082 ?.10719    stream_close:106: closing Stream: 0x1078020a0
DBG 2024-03-15T09:45:03.082 nvim.10743.0 receive_msgpack:257: ch 1: parsing 36 bytes from msgpack Stream: 0x103401ea0
DBG 2024-03-15T09:45:03.083 nvim.10743.0 log_notify:61: RPC <- 1: [notify]    nvim_input
DBG 2024-03-15T09:45:03.083 nvim.10743.0 handle_nvim_input:6803: RPC: ch 1: invoke nvim_input
DBG 2024-03-15T09:45:03.083 nvim.10743.0 read_cb:118: closing Stream (0x103401ea0): EOF (end of file)
DBG 2024-03-15T09:45:03.083 nvim.10743.0 stream_close:106: closing Stream: 0x103401ea0
DBG 2024-03-15T09:45:03.083 nvim.10743.0 stream_close:106: closing Stream: 0x103402050
INF 2024-03-15T09:45:03.083 nvim.10743.0 chan_close_with_error:560: RPC: ch 1 was closed by the client
INF 2024-03-15T09:45:03.191 nvim.10743.0 emsg_multiline:718: Error executing vim.schedule lua callback: ...vim-treesitter-context/lua/treesitter-context/render.lua:51: 'height' key must be a positive Integer
stack traceback:
        [C]: in function 'nvim_open_win'
        ...vim-treesitter-context/lua/treesitter-context/render.lua:51: in function 'display_window'
        ...vim-treesitter-context/lua/treesitter-context/render.lua:340: in function 'open'
        .../lazy/nvim-treesitter-context/lua/treesitter-context.lua:50: in function 'open'
        .../lazy/nvim-treesitter-context/lua/treesitter-context.lua:111: in function <.../lazy/nvim-treesitter-context/lua/treesitter-context.lua:92>
INF 2024-03-15T09:45:03.212 ?.10719    on_process_exit:432: exited: pid=10743 status=141 stoptime=0
DBG 2024-03-15T09:45:03.215 ?.10719    stream_close:106: closing Stream: 0x10c524968
INF 2024-03-15T09:45:03.215 ?.10719    os_exit:692: Nvim exit: 141

[bfredl]

before investigating this more, can someone confirm they still see this after #27871 ?