Dominique Pelle wrote:

> >> Testing autocommands, I see that Vim-7.2.107 (and older)
> >> is using memory already freed when doing silly autocommands
> >> such as:
> >>
> >> $ touch foobar
> >> $ valgrind ./vim -u NONE -c 'au! BufReadPre * cd /tmp' \
> >>                          -c 'e foobar' 2> vg.log
> >>
> >> In vg.log, I then see the following error:
> >>
> >> ==15058== Syscall param open(filename) points to unaddressable byte(s)
> >> ==15058==    at 0x40007D2: (within /lib/ld-2.8.90.so)
> >> ==15058==    by 0x805365E: open_buffer (buffer.c:130)
> >> ==15058==    by 0x8098548: do_ecmd (ex_cmds.c:3655)
> >> ==15058==    by 0x80AE8E9: do_exedit (ex_docmd.c:7557)
> >> ==15058==    by 0x80AE560: ex_edit (ex_docmd.c:7452)
> >> ==15058==    by 0x80A6FE7: do_one_cmd (ex_docmd.c:2622)
> >> ==15058==    by 0x80A4867: do_cmdline (ex_docmd.c:1096)
> >> ==15058==    by 0x80A3F00: do_cmdline_cmd (ex_docmd.c:702)
> >> ==15058==    by 0x80E8A07: exe_commands (main.c:2693)
> >> ==15058==    by 0x80E63A7: main (main.c:874)
> >> ==15058==  Address 0x54312d4 is 4 bytes inside a block of size 11 free'd
> >> ==15058==    at 0x4024E5A: free (vg_replace_malloc.c:323)
> >> ==15058==    by 0x8114D5D: vim_free (misc2.c:1631)
> >> ==15058==    by 0x80C97DF: shorten_fnames (fileio.c:5715)
> >> ==15058==    by 0x80AF1A9: ex_cd (ex_docmd.c:7942)
> >> ==15058==    by 0x80A6FE7: do_one_cmd (ex_docmd.c:2622)
> >> ==15058==    by 0x80A4867: do_cmdline (ex_docmd.c:1096)
> >> ==15058==    by 0x80CD35A: apply_autocmds_group (fileio.c:8853)
> >> ==15058==    by 0x80CCD9B: apply_autocmds_exarg (fileio.c:8481)
> >> ==15058==    by 0x80C2246: readfile (fileio.c:723)
> >> ==15058==    by 0x805365E: open_buffer (buffer.c:130)
> >> ==15058==    by 0x8098548: do_ecmd (ex_cmds.c:3655)
> >> ==15058==    by 0x80AE8E9: do_exedit (ex_docmd.c:7557)
> 
> [...snip...]
> 
> >
> > Thanks.  It's in the todo list.
> 
> 
> I found another case of an autocommand which also causes
> Vim to use freed memory, and the proposed patch in my previous
> email did not help to fix it.  Here is how to reproduce it:
> 
> # Open a file foobar in vim to create swap file .foobar.swp
> $ vim foobar
> 
> # In another terminal...
> $ vim -u NONE
> :au! SwapExists * cd /tmp
> :e foobar
> 
> ... and valgrind complains about use of freed memory:
> 
> ==17226== Syscall param open(filename) points to unaddressable byte(s)
> ==17226==    at 0x40007D2: (within /lib/ld-2.8.90.so)
> ==17226==    by 0x805365E: open_buffer (buffer.c:130)
> ==17226==    by 0x8098548: do_ecmd (ex_cmds.c:3655)
> ==17226==    by 0x80AE8E9: do_exedit (ex_docmd.c:7557)
> ==17226==    by 0x80AE560: ex_edit (ex_docmd.c:7452)
> ==17226==    by 0x80A6FE7: do_one_cmd (ex_docmd.c:2622)
> ==17226==    by 0x80A4867: do_cmdline (ex_docmd.c:1096)
> ==17226==    by 0x812A4BC: nv_colon (normal.c:5233)
> ==17226==    by 0x8123B40: normal_cmd (normal.c:1200)
> ==17226==    by 0x80E6969: main_loop (main.c:1180)
> ==17226==    by 0x80E64B6: main (main.c:939)
> ==17226==  Address 0x543644c is 4 bytes inside a block of size 11 free'd
> ==17226==    at 0x4024E5A: free (vg_replace_malloc.c:323)
> ==17226==    by 0x8114D5D: vim_free (misc2.c:1631)
> ==17226==    by 0x80C97DF: shorten_fnames (fileio.c:5715)
> ==17226==    by 0x80AF1A9: ex_cd (ex_docmd.c:7942)
> ==17226==    by 0x80A6FE7: do_one_cmd (ex_docmd.c:2622)
> ==17226==    by 0x80A4867: do_cmdline (ex_docmd.c:1096)
> ==17226==    by 0x80CD35A: apply_autocmds_group (fileio.c:8853)
> ==17226==    by 0x80CCD5D: apply_autocmds (fileio.c:8464)
> ==17226==    by 0x80FA022: do_swapexists (memline.c:3770)
> ==17226==    by 0x80FA93D: findswapname (memline.c:4130)
> ==17226==    by 0x80F4A88: ml_open_file (memline.c:553)
> ==17226==    by 0x80F4BAE: check_need_swap (memline.c:605)
> ==17226==    by 0x80C206F: readfile (fileio.c:670)
> ==17226==    by 0x805365E: open_buffer (buffer.c:130)
> ==17226==    by 0x8098548: do_ecmd (ex_cmds.c:3655)
> ==17226==    by 0x80AE8E9: do_exedit (ex_docmd.c:7557)
> ==17226==    by 0x80AE560: ex_edit (ex_docmd.c:7452)
> ==17226==    by 0x80A6FE7: do_one_cmd (ex_docmd.c:2622)
> ==17226==    by 0x80A4867: do_cmdline (ex_docmd.c:1096)
> ==17226==    by 0x812A4BC: nv_colon (normal.c:5233)
> ==17226==    by 0x8123B40: normal_cmd (normal.c:1200)
> ==17226==    by 0x80E6969: main_loop (main.c:1180)
> ==17226==    by 0x80E64B6: main (main.c:939)
> 
> The problem happens here because readfile() in fileio.c
> calls check_need_swap(newfile); at line fileio.c:670 and
> this function can trigger an autocommand (SwapExists)
> which can potentially free or realloc curbuf->b_fname
> or curbuf->b_ffname.
> 
> If parameters fname or sfname of readfile() are aliased to
> curbuf->b_fname or curbuf->b_ffname, then readfile() may
> read free memory after the autocommand has been executed.
> 
> The new attached patch fixes this new problem and also fixes
> the 2 errors described in previous email.  I'm not sure how
> clean the fix is. Please review it. At least it should help to
> understand what the problem is.

Thanks again.  Autocommands can be nasty in their side effects.  Many
problems like this were fixed, there probably are a few more.

-- 
From "know your smileys":
 :----}  You lie like Pinocchio

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---