Hi, I can reproduce a crash once in a while with the latest Vim-7.3.556 when pressing return in insert mode in a C++ comment. I can reproduce it as follows:
# Minimalistic ~/.vimrc to reproduce bug
$ cat ~/.vimrc
syntax on
filetype on
filetype plugin on

# Then this command triggers the bug:
$ rm -f /tmp/foo.cpp; vim /tmp/foo.cpp -c 'call feedkeys("i// foo\<CR>")'

It does not crash all the time, but Valgrind memcheck always shows an error:

==16212== Invalid write of size 1
==16212==    at 0x4E2BAD: vim_strncpy (misc2.c:1660)
==16212==    by 0x4D1DB5: open_line (misc1.c:1065)
==16212==    by 0x43172A: ins_eol (edit.c:9812)
==16212==    by 0x423F00: edit (edit.c:1313)
==16212==    by 0x50224E: invoke_edit (normal.c:9143)
==16212==    by 0x5021E7: nv_edit (normal.c:9116)
==16212==    by 0x4F4676: normal_cmd (normal.c:1193)
==16212==    by 0x5D4CCB: main_loop (main.c:1294)
==16212==    by 0x5D4692: main (main.c:998)
==16212==  Address 0xc3f2043 is 0 bytes after a block of size 3 alloc'd
==16212==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
==16212==    by 0x4E1E97: lalloc (misc2.c:928)
==16212==    by 0x4E1DA4: alloc (misc2.c:827)
==16212==    by 0x4D1D65: open_line (misc1.c:1057)
==16212==    by 0x43172A: ins_eol (edit.c:9812)
==16212==    by 0x423F00: edit (edit.c:1313)
==16212==    by 0x50224E: invoke_edit (normal.c:9143)
==16212==    by 0x5021E7: nv_edit (normal.c:9116)
==16212==    by 0x4F4676: normal_cmd (normal.c:1193)
==16212==    by 0x5D4CCB: main_loop (main.c:1294)
==16212==    by 0x5D4692: main (main.c:998)

(and many more errors after that)

Variable 'leader' is allocated at misc1.c:1057:

1056     /* allocate buffer (may concatenate p_exta later) */
1057     leader = alloc(lead_len + lead_repl_len + extra_space + extra_len
1058             + (second_line_indent > 0 ? second_line_indent : 0));
1059     allocated = leader;  /* remember to free it later */

'hg annotate misc1.c' shows that the code where 'leader' is allocated was changed recently:

$ hg annotate misc1.c
   7:     /* allocate buffer (may concatenate p_exta later) */
3584:     leader = alloc(lead_len + lead_repl_len + extra_space + extra_len
3584:             + (second_line_indent > 0 ? second_line_indent : 0));
   7:     allocated = leader;  /* remember to free it later */

$ hg -v log -r3584
changeset:   3584:443c50cd3e88
tag:         v7-3-552
user:        Bram Moolenaar <b...@vim.org>
date:        Wed Jun 13 17:28:55 2012 +0200
files:       src/edit.c src/misc1.c src/ops.c src/testdir/test68.in src/testdir/test68.ok src/version.c src/vim.h
description:
updated for version 7.3.552
Problem:    Formatting inside comments does not use the "2" flag in
            'formatoptions'.
Solution:   Support the "2" flag. (Tor Perkins)

Attached patch fixes it by allocating an extra byte, which I assume is necessary for the end of string, but please verify it. I CC Tor Perkins for review since he changed this code recently in patch 7.3.552.

Regards
-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
Attachment: fix-crash-misc1.c-7.3.556.patch
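An added example, not code from the report or from Vim itself, modelling why the write lands one byte past the block: the `vim_strncpy_model()` stand-in, the helper names, and the argument values (a 3-byte "// " leader with the other size terms zero, which matches the 3-byte block in the Valgrind output) are assumptions.

```c
#include <stdlib.h>
#include <string.h>
typedef unsigned char char_u;

/* Stand-in (assumption) for Vim's vim_strncpy() in misc2.c: copies at most
 * len bytes, then always writes a NUL at to[len], so the destination must
 * hold len + 1 bytes. */
static void vim_strncpy_model(char_u *to, const char_u *from, size_t len)
{
    strncpy((char *)to, (const char *)from, len);
    to[len] = '\0';
}
/* The size handed to alloc() at misc1.c:1057 in 7.3.552: the pieces are
 * summed with no byte reserved for the terminator. */
size_t leader_size_before(size_t lead_len, size_t lead_repl_len,
        size_t extra_space, size_t extra_len, int second_line_indent)
{
    return lead_len + lead_repl_len + extra_space + extra_len
        + (second_line_indent > 0 ? (size_t)second_line_indent : 0);
}
/* Same sum plus the one extra byte the attached patch adds. */
size_t leader_size_after(size_t lead_len, size_t lead_repl_len,
        size_t extra_space, size_t extra_len, int second_line_indent)
{
    return leader_size_before(lead_len, lead_repl_len, extra_space,
            extra_len, second_line_indent) + 1;
}
/* A len-byte copy plus its NUL fits only if the block holds len + 1 bytes;
 * for the unpatched size and a 3-byte leader this is false, which is the
 * "0 bytes after a block of size 3" write Valgrind reported. */
int copy_fits(size_t block_size, size_t len)
{
    return len + 1 <= block_size;
}
/* Allocate block_size bytes, copy the leader and check it survived intact.
 * Refuses to copy, instead of overflowing, when the block is too small. */
int copy_leader_ok(const char_u *leader, size_t lead_len, size_t block_size)
{
    char_u *buf;
    int ok;
    if (!copy_fits(block_size, lead_len) || (buf = malloc(block_size)) == NULL)
        return 0;
    vim_strncpy_model(buf, leader, lead_len);
    ok = strcmp((char *)buf, (const char *)leader) == 0;
    free(buf);
    return ok;
}
```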