patch 9.0.1609: crash when an object indirectly references itself

brammool · brammool · commit f7ca56f7193f · 2023-06-05T16:53:25.000+01:00
Problem:    Crash when an object indirectly references itself.
Solution:   Avoid clearing an object while it is already being cleared.
            (closes #12494)
diff --git a/src/testdir/test_vim9_class.vim b/src/testdir/test_vim9_class.vim
@@ -925,6 +925,33 @@ func Test_class_garbagecollect()
       echo Point.pl Point.pd
   END
   call v9.CheckScriptSuccess(lines)
+
+  let lines =<< trim END
+      vim9script
+
+      interface View
+      endinterface
+
+      class Widget
+        this.view: View
+      endclass
+
+      class MyView implements View
+        this.widget: Widget
+
+        def new()
+          # this will result in a circular reference to this object
+          this.widget = Widget.new(this)
+        enddef
+      endclass
+
+      var view = MyView.new()
+
+      # overwrite "view", will be garbage-collected next
+      view = MyView.new()
+      test_garbagecollect_now()
+  END
+  call v9.CheckScriptSuccess(lines)
 endfunc
 
 def Test_class_function()
diff --git a/src/version.c b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1609,
 /**/
     1608,
 /**/
diff --git a/src/vim9class.c b/src/vim9class.c
@@ -1497,6 +1497,9 @@ copy_object(typval_T *from, typval_T *to)
     static void
 object_clear(object_T *obj)
 {
+    // Avoid a recursive call, it can happen if "obj" has a circular reference.
+    obj->obj_refcount = INT_MAX;
+
     class_T *cl = obj->obj_class;
 
     // the member values are just after the object structure
@@ -1619,6 +1622,8 @@ object_created(object_T *obj)
     first_object = obj;
 }
 
+static object_T	*next_nonref_obj = NULL;
+
 /*
  * Call this function when an object has been cleared and is about to be freed.
  * It is removed from the list headed by "first_object".
@@ -1632,6 +1637,10 @@ object_cleared(object_T *obj)
 	obj->obj_prev_used->obj_next_used = obj->obj_next_used;
     else if (first_object == obj)
 	first_object = obj->obj_next_used;
+
+    // update the next object to check if needed
+    if (obj == next_nonref_obj)
+	next_nonref_obj = obj->obj_next_used;
 }
 
 /*
@@ -1641,11 +1650,10 @@ object_cleared(object_T *obj)
 object_free_nonref(int copyID)
 {
     int		did_free = FALSE;
-    object_T	*next_obj;
 
-    for (object_T *obj = first_object; obj != NULL; obj = next_obj)
+    for (object_T *obj = first_object; obj != NULL; obj = next_nonref_obj)
     {
-	next_obj = obj->obj_next_used;
+	next_nonref_obj = obj->obj_next_used;
 	if ((obj->obj_copyID & COPYID_MASK) != (copyID & COPYID_MASK))
 	{
 	    // Free the object and items it contains.
@@ -1654,6 +1662,7 @@ object_free_nonref(int copyID)
 	}
     }
 
+    next_nonref_obj = NULL;
     return did_free;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1497,6 +1497,9 @@ copy_object(typval_T from, typval_T to)`
`1497`	`1497`	`static void`
`1498`	`1498`	`object_clear(object_T *obj)`
`1499`	`1499`	`{`
	`1500`	`+ // Avoid a recursive call, it can happen if "obj" has a circular reference.`
	`1501`	`+ obj->obj_refcount = INT_MAX;`
	`1502`	`+`
`1500`	`1503`	`class_T *cl = obj->obj_class;`
`1501`	`1504`
`1502`	`1505`	`// the member values are just after the object structure`
`@@ -1619,6 +1622,8 @@ object_created(object_T *obj)`
`1619`	`1622`	`first_object = obj;`
`1620`	`1623`	`}`
`1621`	`1624`
	`1625`	`+static object_T *next_nonref_obj = NULL;`
	`1626`	`+`
`1622`	`1627`	`/*`
`1623`	`1628`	`* Call this function when an object has been cleared and is about to be freed.`
`1624`	`1629`	`* It is removed from the list headed by "first_object".`
`@@ -1632,6 +1637,10 @@ object_cleared(object_T *obj)`
`1632`	`1637`	`obj->obj_prev_used->obj_next_used = obj->obj_next_used;`
`1633`	`1638`	`else if (first_object == obj)`
`1634`	`1639`	`first_object = obj->obj_next_used;`
	`1640`	`+`
	`1641`	`+ // update the next object to check if needed`
	`1642`	`+ if (obj == next_nonref_obj)`
	`1643`	`+ next_nonref_obj = obj->obj_next_used;`
`1635`	`1644`	`}`
`1636`	`1645`
`1637`	`1646`	`/*`
`@@ -1641,11 +1650,10 @@ object_cleared(object_T *obj)`
`1641`	`1650`	`object_free_nonref(int copyID)`
`1642`	`1651`	`{`
`1643`	`1652`	`int did_free = FALSE;`
`1644`		`- object_T *next_obj;`
`1645`	`1653`
`1646`		`- for (object_T *obj = first_object; obj != NULL; obj = next_obj)`
	`1654`	`+ for (object_T *obj = first_object; obj != NULL; obj = next_nonref_obj)`
`1647`	`1655`	`{`
`1648`		`- next_obj = obj->obj_next_used;`
	`1656`	`+ next_nonref_obj = obj->obj_next_used;`
`1649`	`1657`	`if ((obj->obj_copyID & COPYID_MASK) != (copyID & COPYID_MASK))`
`1650`	`1658`	`{`
`1651`	`1659`	`// Free the object and items it contains.`
`@@ -1654,6 +1662,7 @@ object_free_nonref(int copyID)`
`1654`	`1662`	`}`
`1655`	`1663`	`}`
`1656`	`1664`
	`1665`	`+ next_nonref_obj = NULL;`
`1657`	`1666`	`return did_free;`
`1658`	`1667`	`}`
`1659`	`1668`