patch 8.2.1051: crash when changing a list while using reduce() on it
Problem: Crash when changing a list while using reduce() on it.
Solution: Lock the list. (closes #6330)
diff --git a/src/list.c b/src/list.c
index c624003..cf0c99f 100644
--- a/src/list.c
+++ b/src/list.c
@@ -2461,6 +2461,8 @@
list_T *l = argvars[0].vval.v_list;
listitem_T *li = NULL;
int r;
+ int prev_locked = l->lv_lock;
+ int called_emsg_start = called_emsg;
CHECK_LIST_MATERIALIZE(l);
if (argvars[2].v_type == VAR_UNKNOWN)
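Review bot: `int prev_locked = l->lv_lock;` dereferences `l` at the declaration, before `CHECK_LIST_MATERIALIZE(l)` and before any NULL test visible in this hunk. The unconditional `l->lv_lock = VAR_FIXED;` and `l->lv_lock = prev_locked;` in the next two hunks have the same shape. If `argvars[0].vval.v_list` can be NULL here (presumably a null list value can reach reduce(); confirm against the callers), the patch trades the reported crash for a NULL dereference. Consider `int prev_locked = l == NULL ? 0 : l->lv_lock;` and wrapping both assignments in `if (l != NULL)`. The enclosing function starts and ends outside the hunk.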
@@ -2480,6 +2482,7 @@
li = l->lv_first;
}
+ l->lv_lock = VAR_FIXED; // disallow the list changing here
copy_tv(&initial, rettv);
for ( ; li != NULL; li = li->li_next)
{
@@ -2488,9 +2491,10 @@
rettv->v_type = VAR_UNKNOWN;
r = call_func(func_name, -1, rettv, 2, argv, &funcexe);
clear_tv(&argv[0]);
- if (r == FAIL)
- return;
+ if (r == FAIL || called_emsg != called_emsg_start)
+ break;
}
+ l->lv_lock = prev_locked;
}
else
{
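Review bot: The change from `return` to `break` is what lets `l->lv_lock = prev_locked;` run on the failure path, but nothing in the loop says so. An early `return` added to this loop later would leave the caller's list at VAR_FIXED for the rest of its lifetime. I would add a comment at the break, for example `// break, not return: lv_lock must be restored after the loop`. The enclosing block continues outside the hunk.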
diff --git a/src/testdir/test_listdict.vim b/src/testdir/test_listdict.vim
index b1af87e..26b0e91 100644
--- a/src/testdir/test_listdict.vim
+++ b/src/testdir/test_listdict.vim
@@ -709,6 +709,15 @@
call assert_fails("call reduce({}, { acc, val -> acc + val }, 1)", 'E897:')
call assert_fails("call reduce(0, { acc, val -> acc + val }, 1)", 'E897:')
call assert_fails("call reduce('', { acc, val -> acc + val }, 1)", 'E897:')
+
+ let g:lut = [1, 2, 3, 4]
+ func EvilRemove()
+ call remove(g:lut, 1)
+ return 1
+ endfunc
+ call assert_fails("call reduce(g:lut, { acc, val -> EvilRemove() }, 1)", 'E742:')
+ unlet g:lut
+ delfunc EvilRemove
endfunc
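Review bot: The new case only asserts that the callback's `remove()` fails with E742; it does not check that the list is left intact and unlocked once reduce() returns. `unlet g:lut` does not appear to depend on the list's own lock, so a regression that skips the restore would still pass. Before the `unlet`, I would add `call assert_equal([1, 2, 3, 4], g:lut)` and `call add(g:lut, 5)` to pin both properties. The enclosing test function starts outside the hunk.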
" splitting a string to a List using split()
diff --git a/src/version.c b/src/version.c
index ba3e621..36da620 100644
--- a/src/version.c
+++ b/src/version.c
@@ -755,6 +755,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1051,
+/**/
1050,
/**/
1049,