On Feb 12, 2008 9:55 PM, Ankit Jain <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > When I run this I get an error for not being able to connect. Thus you
> > probably do this with a running netbeans. Perhaps the netbeans side has
> > something to do with this?
>
> No, actually I'm trying to embed this in MonoDevelop. You can reproduce this
> w/o that too --
>
> start this on one terminal-> netcat -l -p 9000
> And from another do
> gvim --servername abc -nb:localhost:9000:foo
>
> You should get a connection on first term,
>
> AUTH foo
> 0:version=0 "2.4"
> 0:startupDone=0
>
> Type this in that terminal-
> 1:create!1
>
> Now you can try hello and then backspace in gvim, should repro the
> bug.
I'm not familiar with netbeans, but I tried what you just described and
I could reproduce the bug.
I then tried it with the valgrind memory checker and it detected a
bug (access to freed memory):
$ valgrind ./vim -g --servername abc -nb:localhost:9000:foo 2> vg.log
==28631== Invalid read of size 1
==28631== at 0x40238D0: memmove (mc_replace_strmem.c:514)
==28631== by 0x81087DC: del_bytes (misc1.c:2289)
==28631== by 0x810857A: del_chars (misc1.c:2179)
==28631== by 0x81084E7: del_char (misc1.c:2152)
==28631== by 0x806FDED: ins_bs (edit.c:8566)
==28631== by 0x8064875: edit (edit.c:1057)
==28631== by 0x812F6E4: invoke_edit (normal.c:8809)
==28631== by 0x812F689: nv_edit (normal.c:8782)
==28631== by 0x8122E86: normal_cmd (normal.c:1152)
==28631== by 0x80E5D2D: main_loop (main.c:1181)
==28631== by 0x80E587D: main (main.c:940)
==28631== Address 0x50035FD is 5 bytes inside a block of size 6 free'd
==28631== at 0x402237F: free (vg_replace_malloc.c:233)
==28631== by 0x8113F5D: vim_free (misc2.c:1580)
==28631== by 0x80F8650: ml_flush_line (memline.c:3149)
==28631== by 0x80FAE99: ml_find_line_or_offset (memline.c:4719)
==28631== by 0x81E0E29: pos2off (netbeans.c:3529)
==28631== by 0x81DFF27: netbeans_removed (netbeans.c:2988)
==28631== by 0x8108764: del_bytes (misc1.c:2277)
==28631== by 0x810857A: del_chars (misc1.c:2179)
==28631== by 0x81084E7: del_char (misc1.c:2152)
==28631== by 0x806FDED: ins_bs (edit.c:8566)
==28631== by 0x8064875: edit (edit.c:1057)
==28631== by 0x812F6E4: invoke_edit (normal.c:8809)
==28631== by 0x812F689: nv_edit (normal.c:8782)
==28631== by 0x8122E86: normal_cmd (normal.c:1152)
==28631== by 0x80E5D2D: main_loop (main.c:1181)
==28631== by 0x80E587D: main (main.c:940)
memmove(...) is being called on already freed memory.
Here is the relevant code in misc1.c:
!!! 2205    oldp = ml_get(lnum);
....
2275 #ifdef FEAT_NETBEANS_INTG
2276     if (was_alloced && usingNetbeans)
!!! 2277        netbeans_removed(curbuf, lnum, col, count);
2278     /* else is handled by ml_replace() */
2279 #endif
2280     if (was_alloced)
2281        newp = oldp;                    /* use same allocated memory */
2282     else
2283     {                                  /* need to allocate a new line */
2284        newp = alloc((unsigned)(oldlen + 1 - count));
2285        if (newp == NULL)
2286            return FAIL;
2287        mch_memmove(newp, oldp, (size_t)col);
2288     }
!!! 2289    mch_memmove(newp + col, oldp + col + count, (size_t)movelen);
The oldp pointer is obtained at line 2205 with ml_get().
Then the call to netbeans_removed(...) frees that memory.
Then oldp is used later at line 2289 (and valgrind
then detects the bug).
I'm attaching a patch which seems to fix it for me
(+ a few typos).
I'm using vim-7.1.245 on Linux x86 built with
"configure --with-features=huge".
-- Dominique
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
Index: misc1.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/misc1.c,v
retrieving revision 1.78
diff -c -r1.78 misc1.c
*** misc1.c 19 Jan 2008 14:59:38 -0000 1.78
--- misc1.c 12 Feb 2008 23:30:38 -0000
***************
*** 2274,2280 ****
--- 2274,2283 ----
was_alloced = ml_line_alloced(); /* check if oldp was allocated */
#ifdef FEAT_NETBEANS_INTG
if (was_alloced && usingNetbeans)
+ {
netbeans_removed(curbuf, lnum, col, count);
+ oldp = ml_get(lnum);
+ }
/* else is handled by ml_replace() */
#endif
if (was_alloced)
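Review bot: the added `oldp = ml_get(lnum);` re-fetch deals with the freed pointer, but `was_alloced` is still the value computed before the call (`was_alloced = ml_line_alloced();`) and is reused right after the hunk (`if (was_alloced)`), where the in-place path sets `newp = oldp`. The valgrind trace shows the free happening through ml_flush_line() inside netbeans_removed(), so after that call the re-fetched line may no longer be the separately allocated copy, and reusing it in place on the strength of a stale `was_alloced` operates on the wrong storage. Suggest recomputing `was_alloced = ml_line_alloced();` after the re-fetch, or forcing the non-alloced path when usingNetbeans and letting ml_replace() do the notification as the existing `/* else is handled by ml_replace() */` comment already describes, and adding a comment on the new line saying that netbeans_removed() can flush and free the line.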
***************
*** 3978,3984 ****
/* remove trailing path separator */
#ifndef MACOS_CLASSIC
/* With MacOS path (with colons) the final colon is required */
! /* to avoid confusion between absoulute and relative path */
if (pend > p && after_pathsep(p, pend))
--pend;
#endif
--- 3981,3987 ----
/* remove trailing path separator */
#ifndef MACOS_CLASSIC
/* With MacOS path (with colons) the final colon is required */
! /* to avoid confusion between absolute and relative path */
if (pend > p && after_pathsep(p, pend))
--pend;
#endif
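Review bot: this hunk and the four that follow only correct spelling in comments (absoulute, contructor, comumn, pluss, accomodate) and are unrelated to the use-after-free fix in the first hunk; sending them as a separate patch would keep the bug fix a one-hunk change that is easier to review and to bisect, and if they stay in this patch the description should mention them explicitly.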
***************
*** 5689,5695 ****
else if (lookfor_ctor_init || class_or_struct)
{
/* we have something found, that looks like the start of
! * cpp-base-class-declaration or contructor-initialization */
cpp_base_class = TRUE;
lookfor_ctor_init = class_or_struct = FALSE;
*col = 0;
--- 5692,5698 ----
else if (lookfor_ctor_init || class_or_struct)
{
/* we have something found, that looks like the start of
! * cpp-base-class-declaration or constructor-initialization */
cpp_base_class = TRUE;
lookfor_ctor_init = class_or_struct = FALSE;
*col = 0;
***************
*** 6146,6152 ****
pos_T our_paren_pos;
char_u *start;
int start_brace;
! #define BRACE_IN_COL0 1 /* '{' is in comumn 0 */
#define BRACE_AT_START 2 /* '{' is at start of line */
#define BRACE_AT_END 3 /* '{' is at end of line */
linenr_T ourscope;
--- 6149,6155 ----
pos_T our_paren_pos;
char_u *start;
int start_brace;
! #define BRACE_IN_COL0 1 /* '{' is in column 0 */
#define BRACE_AT_START 2 /* '{' is at start of line */
#define BRACE_AT_END 3 /* '{' is at end of line */
linenr_T ourscope;
***************
*** 6369,6375 ****
if (curwin->w_cursor.lnum > 1)
{
/* If the start comment string matches in the previous
! * line, use the indent of that line pluss offset. If
* the middle comment string matches in the previous
* line, use the indent of that line. XXX */
look = skipwhite(ml_get(curwin->w_cursor.lnum - 1));
--- 6372,6378 ----
if (curwin->w_cursor.lnum > 1)
{
/* If the start comment string matches in the previous
! * line, use the indent of that line plus offset. If
* the middle comment string matches in the previous
* line, use the indent of that line. XXX */
look = skipwhite(ml_get(curwin->w_cursor.lnum - 1));
***************
*** 8222,8228 ****
if (*that && *that != ';') /* not a comment line */
{
! /* test *that != '(' to accomodate first let/do
* argument if it is more than one line */
if (!vi_lisp && *that != '(' && *that != '[')
firsttry++;
--- 8225,8231 ----
if (*that && *that != ';') /* not a comment line */
{
! /* test *that != '(' to accommodate first let/do
* argument if it is more than one line */
if (!vi_lisp && *that != '(' && *that != '[')
firsttry++;
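As an added illustration of the pointer-lifetime problem explained in the message above (this is constructed example code, not code from the thread or from Vim): a toy memline in which deleting bytes first calls a hook that may flush and free the line, then re-fetches the pointer and recomputes the alloced state before touching memory. The names memline_t, ml_get_line, ml_flush_line, notify_removed and this del_bytes are hypothetical stand-ins for the Vim functions named in the valgrind trace.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of the memline pattern behind the bug in this thread (constructed
 * for this example; struct and function names are hypothetical, not Vim's).
 * A line lives either in a data block or, once modified, in a separately
 * allocated copy. Flushing writes the copy back into the block and frees it,
 * which is what netbeans_removed() ended up doing in the valgrind trace. */
typedef struct {
    char block[64];  /* data-block storage for the line */
    char *line_ptr;  /* allocated modified copy, or NULL when not alloced */
} memline_t;

static char *ml_get_line(memline_t *ml) { return ml->line_ptr ? ml->line_ptr : ml->block; }
static int ml_line_alloced(memline_t *ml) { return ml->line_ptr != NULL; }

/* Like ml_flush_line(): copy the allocated line into the block and free it. */
static void ml_flush_line(memline_t *ml) {
    if (ml->line_ptr == NULL) return;
    strncpy(ml->block, ml->line_ptr, sizeof ml->block - 1);
    ml->block[sizeof ml->block - 1] = '\0';
    free(ml->line_ptr);
    ml->line_ptr = NULL;
}

/* Stand-in for the NetBeans notification: a hook that may flush the line. */
static void notify_removed(memline_t *ml, int col, int count) { (void)col; (void)count; ml_flush_line(ml); }

/* Delete count bytes at col. Returns 0 on success, -1 on a bad range or
 * allocation failure. Both the line pointer and the alloced state are read
 * again after the hook: the hook can free the old pointer and change
 * whether the line is still the allocated copy. */
static int del_bytes(memline_t *ml, int col, int count, int notify) {
    char *oldp = ml_get_line(ml);
    size_t oldlen = strlen(oldp);
    if (col < 0 || count <= 0 || (size_t)col + (size_t)count > oldlen) return -1;
    if (notify) {
        notify_removed(ml, col, count);  /* may free oldp */
        oldp = ml_get_line(ml);          /* re-fetch; the old pointer is dead */
    }
    int was_alloced = ml_line_alloced(ml);  /* recompute, not reuse */
    char *newp = oldp;                      /* in-place when still alloced */
    if (!was_alloced) {
        newp = malloc(oldlen + 1 - (size_t)count);
        if (newp == NULL) return -1;
        memcpy(newp, oldp, (size_t)col);
    }
    memmove(newp + col, oldp + col + count, oldlen - (size_t)col - (size_t)count + 1);
    if (!was_alloced) ml->line_ptr = newp;  /* like ml_replace(lnum, newp, FALSE) */
    return 0;
}
```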