On Wed, Mar 26, 2008 at 10:15 PM, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
> Dominique Pelle wrote:
>
> > Valgrind memory checker detects use of freed memory in Vim-7.1.285
> > when using 'set autochdir' and when Vim is compiled with -DEXITFREE.
> >
> > ==6925== Invalid read of size 4
> > ==6925== at 0x8054471: do_autochdir (buffer.c:1472)
> > ==6925== by 0x8052E31: close_buffer (buffer.c:445)
> > ==6925== by 0x8113AE3: free_all_mem (misc2.c:1089)
> > ==6925== by 0x814B244: mch_exit (os_unix.c:2951)
> > ==6925== by 0x80E6320: getout (main.c:1342)
> > ==6925== by 0x80AB880: ex_quit (ex_docmd.c:6227)
> > ==6925== by 0x80A5952: do_one_cmd (ex_docmd.c:2623)
> > ==6925== by 0x80A319E: do_cmdline (ex_docmd.c:1099)
> > ==6925== by 0x80A2850: do_cmdline_cmd (ex_docmd.c:705)
> > ==6925== by 0x80E80CC: exe_commands (main.c:2665)
> > ==6925== by 0x80E5A9E: main (main.c:875)
> > ==6925== Address 0x4AF8A9C is 76 bytes inside a block of size 4,516 free'd
> > ==6925== at 0x402237F: free (vg_replace_malloc.c:233)
> > ==6925== by 0x8114365: vim_free (misc2.c:1580)
> > ==6925== by 0x8053182: free_buffer (buffer.c:616)
> > ==6925== by 0x8052EAA: close_buffer (buffer.c:467)
> > ==6925== by 0x8113AE3: free_all_mem (misc2.c:1089)
> > ==6925== by 0x814B244: mch_exit (os_unix.c:2951)
> > ==6925== by 0x80E6320: getout (main.c:1342)
> > ==6925== by 0x80AB880: ex_quit (ex_docmd.c:6227)
> > ==6925== by 0x80A5952: do_one_cmd (ex_docmd.c:2623)
> > ==6925== by 0x80A319E: do_cmdline (ex_docmd.c:1099)
> > ==6925== by 0x80A2850: do_cmdline_cmd (ex_docmd.c:705)
> > ==6925== by 0x80E80CC: exe_commands (main.c:2665)
> > (more errors follow)
> >
> > Steps to reproduce:
> >
> > 1/ Run Vim with Valgrind with 2 files:
> >
> > $ valgrind vim -u NONE -c 'set autochdir|q!' foo bar 2> valgrind.log
> >
> > 2/ Observe in valgrind.log errors when exiting vim
> >
> >
> > Function free_all_mem() frees all buffers by calling close_buffer(...)
> > in a loop over all buffers:
> >
> > 1085     /* Free all buffers. */
> > 1086     for (buf = firstbuf; buf != NULL; )
> > 1087     {
> > 1088         nextbuf = buf->b_next;
> > 1089         close_buffer(NULL, buf, DOBUF_WIPE);
> > 1090         if (buf_valid(buf))
> > 1091             buf = nextbuf;      /* didn't work, try next one */
> > 1092         else
> > 1093             buf = firstbuf;
> > 1094     }
> >
> > Inside close_buffer(), DO_AUTOCHDIR uses both buf (before it is freed)
> > and curbuf. The problem is that curbuf may already have been freed in a
> > previous iteration. So DO_AUTOCHDIR uses freed memory when accessing
> > curbuf.
> >
> > I attach a patch that fixes it by checking whether curbuf is still valid
> > before calling DO_AUTOCHDIR. Another way of fixing it in misc2.c
> > could be to free all buffers (except curbuf) and then free curbuf last.
>
> How about solving this by resetting 'autochdir' first? This also avoids
> doing things that don't make sense.
>
>
> *** ../vim-7.1.285/src/misc2.c Wed Feb 20 12:22:59 2008
> --- src/misc2.c Wed Mar 26 21:02:57 2008
> ***************
> *** 1082,1088 ****
> win_free_all();
> #endif
>
> ! /* Free all buffers. */
>
> for (buf = firstbuf; buf != NULL; )
> {
> nextbuf = buf->b_next;
> --- 1083,1093 ----
> win_free_all();
> #endif
>
> ! /* Free all buffers. Reset 'autochdir' to avoid accessing things that
> ! * were freed already. */
> ! #ifdef FEAT_AUTOCHDIR
> ! p_acd = FALSE;
> ! #endif
>
> for (buf = firstbuf; buf != NULL; )
> {
> nextbuf = buf->b_next;
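Review bot: resetting p_acd before the loop removes the trigger at exit, but DO_AUTOCHDIR inside close_buffer() still dereferences curbuf without checking that it is alive, so any other path that wipes the current buffer and then closes a further one would reach the same dangling pointer; consider also guarding that call with buf_valid(curbuf), as the reporter's patch did, or freeing curbuf last so the loop never sees a stale curbuf.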
Yes, resetting 'autochdir' works as well. Thanks!
-- Dominique
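A constructed C model of the failure described in the thread and of the 'autochdir' reset fix, added here as an example and not code from Vim: buffers come from a static pool instead of malloc, and a b_freed flag plus a counter stand in for Valgrind, so the stale curbuf read is counted rather than executed. The names firstbuf, curbuf, p_acd, close_buffer and free_all_mem mirror the thread; everything else (the pool, setup_buffers, the counter) is an assumption made for the demonstration.

```c
/* Constructed model of Vim's exit-time buffer freeing, not Vim's code. A
 * quarantine stands in for Valgrind: "freed" blocks are only marked dead and
 * reads of them are counted instead of being undefined behaviour. */
#include <stdio.h>
#include <string.h>

typedef struct buf_S { struct buf_S *b_next; int b_freed; } buf_T;
static buf_T pool[8], *firstbuf, *curbuf;  /* fixed pool, no malloc/free */
static int p_acd, invalid_reads;           /* 'autochdir'; Valgrind's tally */
static int buf_valid(const buf_T *b) {
    for (const buf_T *p = firstbuf; p != NULL; p = p->b_next)
        if (p == b) return 1;
    return 0;
}
/* DO_AUTOCHDIR: consults curbuf without checking that it is still alive. */
static void do_autochdir(void) {
    if (curbuf->b_freed) invalid_reads++;   /* use-after-free in real code */
}
static void close_buffer(buf_T *buf) {
    if (p_acd) do_autochdir();
    buf_T **pp = &firstbuf;                 /* unlink the buffer ... */
    while (*pp != buf) pp = &(*pp)->b_next;
    *pp = buf->b_next;
    buf->b_freed = 1;                       /* ... and "free" it */
}

/* Mirrors the free_all_mem() loop; returns how many reads hit freed memory. */
int free_all_mem(int reset_autochdir_first) {
    invalid_reads = 0;
    if (reset_autochdir_first) p_acd = 0;   /* the fix from the thread */
    for (buf_T *b = firstbuf; b != NULL; ) {
        buf_T *next = b->b_next;
        close_buffer(b);
        b = buf_valid(b) ? next : firstbuf; /* same as misc2.c */
    }
    return invalid_reads;
}
/* n buffers as for "vim foo bar": 'autochdir' set, curbuf = first buffer. */
void setup_buffers(int n) {
    memset(pool, 0, sizeof pool);
    for (int i = 0; i + 1 < n; i++) pool[i].b_next = &pool[i + 1];
    firstbuf = curbuf = &pool[0];
    p_acd = 1;
}

int main(void) {
    setup_buffers(2); printf("unfixed: %d invalid read(s)\n", free_all_mem(0));
    setup_buffers(2); printf("fixed:   %d invalid read(s)\n", free_all_mem(1));
    return 0;
}
```

With two buffers the first iteration frees curbuf itself, and the second iteration's DO_AUTOCHDIR then reads it, which is the one stale access Valgrind reported; clearing p_acd first makes that read never happen.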
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php