Dominique Pelle wrote:

> I can reproduce a crash once in a while with latest Vim-7.3.556
> when pressing return in insert mode in a C++ comment.  I can
> reproduce it as follows:
> 
> # Minimalistic ~/.vimrc to reproduce bug
> $ cat ~/.vimrc
> syntax on
> filetype on
> filetype plugin on
> 
> # Then this command triggers the bug:
> $ rm -f /tmp/foo.cpp; vim /tmp/foo.cpp -c 'call feedkeys("i// foo\<CR>")'
> 
> It does not crash all the time, but Valgrind memcheck always shows an error:
> 
> ==16212== Invalid write of size 1
> ==16212==    at 0x4E2BAD: vim_strncpy (misc2.c:1660)
> ==16212==    by 0x4D1DB5: open_line (misc1.c:1065)
> ==16212==    by 0x43172A: ins_eol (edit.c:9812)
> ==16212==    by 0x423F00: edit (edit.c:1313)
> ==16212==    by 0x50224E: invoke_edit (normal.c:9143)
> ==16212==    by 0x5021E7: nv_edit (normal.c:9116)
> ==16212==    by 0x4F4676: normal_cmd (normal.c:1193)
> ==16212==    by 0x5D4CCB: main_loop (main.c:1294)
> ==16212==    by 0x5D4692: main (main.c:998)
> ==16212==  Address 0xc3f2043 is 0 bytes after a block of size 3 alloc'd
> ==16212==    at 0x4C2815C: malloc (vg_replace_malloc.c:236)
> ==16212==    by 0x4E1E97: lalloc (misc2.c:928)
> ==16212==    by 0x4E1DA4: alloc (misc2.c:827)
> ==16212==    by 0x4D1D65: open_line (misc1.c:1057)
> ==16212==    by 0x43172A: ins_eol (edit.c:9812)
> ==16212==    by 0x423F00: edit (edit.c:1313)
> ==16212==    by 0x50224E: invoke_edit (normal.c:9143)
> ==16212==    by 0x5021E7: nv_edit (normal.c:9116)
> ==16212==    by 0x4F4676: normal_cmd (normal.c:1193)
> ==16212==    by 0x5D4CCB: main_loop (main.c:1294)
> ==16212==    by 0x5D4692: main (main.c:998)
> (and many more errors after that)
> 
> Variable 'leader' is allocated at misc1.c:1057:
> 
> 1056    /* allocate buffer (may concatenate p_exta later) */
> 1057    leader = alloc(lead_len + lead_repl_len + extra_space + extra_len
> 1058                 + (second_line_indent > 0 ? second_line_indent : 0));
> 1059    allocated = leader;             /* remember to free it later */
> 
> 'hg annotate misc1.c' shows that the code where 'leader'
> is allocated was changed recently:
> 
> $ hg annotate misc1.c
> 
>    7:     /* allocate buffer (may concatenate p_exta later) */
> 3584:     leader = alloc(lead_len + lead_repl_len + extra_space + extra_len
> 3584:                  + (second_line_indent > 0 ? second_line_indent : 0));
>    7:     allocated = leader;             /* remember to free it later */
> 
> 
> $ hg -v log -r3584
> changeset:   3584:443c50cd3e88
> tag:         v7-3-552
> user:        Bram Moolenaar <[email protected]>
> date:        Wed Jun 13 17:28:55 2012 +0200
> files:       src/edit.c src/misc1.c src/ops.c src/testdir/test68.in
> src/testdir/test68.ok src/version.c src/vim.h
> description:
> updated for version 7.3.552
> Problem:    Formatting inside comments does not use the "2" flag in
>             'formatoptions'.
> Solution:   Support the "2" flag.  (Tor Perkins)
> 
> 
> Attached patch fixes it by allocating an extra byte, which I assume is
> necessary for the end of string, but please verify it. I CC Tor
> Perkins for review since he changed this code recently in patch 7.3.552.

Thanks for the analysis and fix!  I'll include it after Tor has
commented.

-- 
Just remember...if the world didn't suck, we'd all fall off.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
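The off-by-one the report describes, as an added C example that is not part of the thread or of Vim's source: a local copy of vim_strncpy()'s behaviour (copy len bytes, then write NUL at to[len]) writes one byte past a buffer sized with only lead_len, and a canary byte placed after the requested size stands in for Valgrind's check. The other size terms of the alloc() call (lead_repl_len, extra_space, extra_len, second_line_indent) are assumed to be zero, as for a bare "// " comment leader; the helper names are the example's own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char char_u;
#define NUL '\0'

/* Same contract as Vim's vim_strncpy(): copy at most len bytes and
 * always store a terminating NUL at to[len], so it needs len + 1 bytes. */
static void vim_strncpy(char_u *to, const char_u *from, size_t len)
{
    strncpy((char *)to, (const char *)from, len);
    to[len] = NUL;
}

#define CANARY 0xA5

/* Stand-in for open_line()'s leader buffer: the caller asks for
 * alloc_size bytes, the backing array holds one extra byte filled with a
 * canary, and the function reports whether the copy clobbered it (which
 * is exactly the "0 bytes after a block" write Valgrind reported). */
static bool leader_copy_overflows(const char *lead, size_t alloc_size)
{
    size_t lead_len = strlen(lead);
    char_u *backing = malloc(alloc_size + 1);
    if (backing == NULL)
        return false;
    backing[alloc_size] = CANARY;
    vim_strncpy(backing, (const char_u *)lead, lead_len);
    bool overflow = backing[alloc_size] != CANARY;
    free(backing);
    return overflow;
}

/* 7.3.552 sizing: alloc(lead_len + ...) with the remaining terms zero,
 * so there is no room for the NUL that vim_strncpy() stores. */
static bool buggy_sizing_overflows(const char *lead)
{
    return leader_copy_overflows(lead, strlen(lead));
}

/* Sizing with the one extra byte the attached patch adds. */
static bool fixed_sizing_overflows(const char *lead)
{
    return leader_copy_overflows(lead, strlen(lead) + 1);
}
```

With the "// " leader from the report (a 3-byte block), the 7.3.552 sizing overwrites the canary and the patched sizing leaves it intact.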

-- 
You received this message from the "vim_dev" maillist.
