Dominique wrote:

> Hi
> 
> Using Vim-7.4.368 (huge) built with -DEXITFREE,
> I see access to freed memory when doing:
> 
> $ valgrind vim -u NONE -C /tmp/xx \
>    -c ':sign define piet text=>> texthl=Search' \
>    -c ':exe ":sign place 2 line=23 name=piet file=" . expand("%:p")' \
>    -c 'qa'
> 
> ==6787== Memcheck, a memory error detector
> ==6787== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==6787== Using Valgrind-3.9.0.SVN and LibVEX; rerun with -h for copyright info
> ==6787== Command: vim -u NONE -C /tmp/xx -c :sign\ define\ piet\ text=\>\>\ texthl=Search -c :exe\ ":sign\ place\ 2\ line=23\ name=piet\ file="\ .\ expand("%:p") -c qa
> ==6787==
> ==6787== Invalid read of size 4
> ==6787==    at 0x529B3C: changed_cline_bef_curs (move.c:557)
> ==6787==    by 0x41A783: buf_delete_signs (buffer.c:5709)
> ==6787==    by 0x40F986: free_buffer_stuff (buffer.c:719)
> ==6787==    by 0x40F889: free_buffer (buffer.c:659)
> ==6787==    by 0x40ED1E: close_buffer (buffer.c:515)
> ==6787==    by 0x51F54A: free_all_mem (misc2.c:1172)
> ==6787==    by 0x5723D3: mch_exit (os_unix.c:3346)
> ==6787==    by 0x672952: getout (main.c:1501)
> ==6787==    by 0x498C2E: ex_quit_all (ex_docmd.c:6648)
> ==6787==    by 0x48D35A: do_one_cmd (ex_docmd.c:2701)
> ==6787==    by 0x4893DC: do_cmdline (ex_docmd.c:1126)
> ==6787==    by 0x48A299: do_cmdline_cmd (ex_docmd.c:731)
> ==6787==  Address 0xcc1cd9c is 172 bytes inside a block of size 5,584 free'd
> ==6787==    at 0x4C2B577: free (vg_replace_malloc.c:468)
> ==6787==    by 0x51F673: vim_free (misc2.c:1740)
> ==6787==    by 0x63E4EF: win_free (window.c:4625)
> ==6787==    by 0x64182D: win_free_mem (window.c:2461)
> ==6787==    by 0x641FDA: win_free_all (window.c:2491)
> ==6787==    by 0x51F4FC: free_all_mem (misc2.c:1161)
> ==6787==    by 0x5723D3: mch_exit (os_unix.c:3346)
> ==6787==    by 0x672952: getout (main.c:1501)
> ==6787==    by 0x498C2E: ex_quit_all (ex_docmd.c:6648)
> ==6787==    by 0x48D35A: do_one_cmd (ex_docmd.c:2701)
> ==6787==    by 0x4893DC: do_cmdline (ex_docmd.c:1126)
> ==6787==    by 0x48A299: do_cmdline_cmd (ex_docmd.c:731)
> ==6787==
> ==6787== Invalid write of size 4
> ==6787==    at 0x529B48: changed_cline_bef_curs (move.c:557)
> ==6787==    by 0x41A783: buf_delete_signs (buffer.c:5709)
> ==6787==    by 0x40F986: free_buffer_stuff (buffer.c:719)
> ==6787==    by 0x40F889: free_buffer (buffer.c:659)
> ==6787==    by 0x40ED1E: close_buffer (buffer.c:515)
> ==6787==    by 0x51F54A: free_all_mem (misc2.c:1172)
> ==6787==    by 0x5723D3: mch_exit (os_unix.c:3346)
> ==6787==    by 0x672952: getout (main.c:1501)
> ==6787==    by 0x498C2E: ex_quit_all (ex_docmd.c:6648)
> ==6787==    by 0x48D35A: do_one_cmd (ex_docmd.c:2701)
> ==6787==    by 0x4893DC: do_cmdline (ex_docmd.c:1126)
> ==6787==    by 0x48A299: do_cmdline_cmd (ex_docmd.c:731)
> ==6787==  Address 0xcc1cd9c is 172 bytes inside a block of size 5,584 free'd
> ==6787==    at 0x4C2B577: free (vg_replace_malloc.c:468)
> ==6787==    by 0x51F673: vim_free (misc2.c:1740)
> ==6787==    by 0x63E4EF: win_free (window.c:4625)
> ==6787==    by 0x64182D: win_free_mem (window.c:2461)
> ==6787==    by 0x641FDA: win_free_all (window.c:2491)
> ==6787==    by 0x51F4FC: free_all_mem (misc2.c:1161)
> ==6787==    by 0x5723D3: mch_exit (os_unix.c:3346)
> ==6787==    by 0x672952: getout (main.c:1501)
> ==6787==    by 0x498C2E: ex_quit_all (ex_docmd.c:6648)
> ==6787==    by 0x48D35A: do_one_cmd (ex_docmd.c:2701)
> ==6787==    by 0x4893DC: do_cmdline (ex_docmd.c:1126)
> ==6787==    by 0x48A299: do_cmdline_cmd (ex_docmd.c:731)
> ==6787==
> 
> 
> The bug was introduced by this patch:
> 
> ===
>   changeset:   5869:373204662d82
>   tag:         v7-4-277
>   user:        Bram Moolenaar <[email protected]>
>   date:        Wed May 07 16:35:08 2014 +0200
>   files:       src/buffer.c src/version.c
>   description:
>   updated for version 7.4.277
>   Problem:    Using ":sign unplace *" may leave the cursor in the wrong position
>               (Christian Brabandt)
>   Solution:   Update the cursor position when removing all signs.
> ===
> 
> Attached patch fixes it but please review it
> as I am not sure that it is the best way to fix it.

Cleaning up is tricky...  I think it's better to check for curwin to be
NULL when deleting things, not in changed_cline_bef_curs(), since it's
used very often.  And the check would also need to be added to similar
windows once we find out they may be called while exiting.

-- 
SIGIRO -- irony detected (iron core dumped)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
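The exit-time ordering shown in the valgrind trace above, reduced to a runnable C model. This is an added illustration, not Vim's code and not the patch under discussion: the function names are borrowed from the trace for readability, while the struct fields, the return values, and the assumption that win_free_all() sets curwin to NULL after freeing the windows are mine. It places the NULL check in the sign-deleting path (as the reply suggests) and leaves the hot path changed_cline_bef_curs() unchecked, then runs the same sequence as free_all_mem(): windows first, buffers second.

```c
/* Added model of the EXITFREE ordering problem; not Vim source. */
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the Vim structures involved (fields are an assumption). */
typedef struct win_S {
    long w_cursor_lnum;
    int  w_valid;            /* cached cursor-line values still valid */
} win_T;

typedef struct signlist_S {
    int  id;
    long lnum;
    struct signlist_S *next;
} signlist_T;

typedef struct buf_S {
    signlist_T *b_signlist;
} buf_T;

#define VALID_CURSOR 1

win_T *curwin = NULL;        /* NULL means "no window exists any more" */
static int cline_updates;    /* how often the hot path was entered */

/* move.c hot path: deliberately no NULL check, as the reply argues;
 * every caller must guarantee that curwin is live. */
static void changed_cline_bef_curs(void)
{
    curwin->w_valid &= ~VALID_CURSOR;
    cline_updates++;
}

static void buf_addsign(buf_T *buf, int id, long lnum)
{
    signlist_T *s = malloc(sizeof *s);
    if (s == NULL) abort();
    s->id = id;
    s->lnum = lnum;
    s->next = buf->b_signlist;
    buf->b_signlist = s;
}

/* buffer.c path reached both from ":sign unplace *" and from free_buffer().
 * Returns 1 if the cursor update ran, 0 if it was skipped. */
static int buf_delete_signs(buf_T *buf)
{
    int had_signs = (buf->b_signlist != NULL);
    while (buf->b_signlist != NULL) {
        signlist_T *next = buf->b_signlist->next;
        free(buf->b_signlist);
        buf->b_signlist = next;
    }
    /* The check proposed in the reply: only touch the cursor while a
     * window exists. During EXITFREE the windows are freed first. */
    if (had_signs && curwin != NULL) {
        changed_cline_bef_curs();
        return 1;
    }
    return 0;
}

/* window.c: free every window. Without the last line curwin would keep
 * pointing into freed memory, which is what valgrind reported above. */
static void win_free_all(void)
{
    free(curwin);
    curwin = NULL;           /* assumption: makes the check above possible */
}

static void free_buffer(buf_T *buf)
{
    (void)buf_delete_signs(buf);
    free(buf);
}

/* free_all_mem() order: windows, then buffers. Returns how many cursor
 * updates were attempted after the windows were gone; anything but 0
 * would be a read of freed memory. */
int exit_cleanup_model(void)
{
    buf_T *buf = calloc(1, sizeof *buf);
    curwin = calloc(1, sizeof *curwin);
    if (buf == NULL || curwin == NULL) abort();
    curwin->w_valid = VALID_CURSOR;
    buf_addsign(buf, 2, 23);   /* ":sign place 2 line=23 ..." from the report */

    win_free_all();            /* same order as the valgrind trace */
    cline_updates = 0;
    free_buffer(buf);          /* close_buffer -> free_buffer -> buf_delete_signs */
    return cline_updates;
}

/* Interactive ":sign unplace *" with a live window: the 7.4.277 behaviour
 * must survive, i.e. the cursor cache is invalidated. Returns w_valid
 * after the call (expected 0), or -1 if the update did not run. */
int unplace_all_model(void)
{
    buf_T *buf = calloc(1, sizeof *buf);
    int ran, valid;
    curwin = calloc(1, sizeof *curwin);
    if (buf == NULL || curwin == NULL) abort();
    curwin->w_valid = VALID_CURSOR;
    buf_addsign(buf, 2, 23);

    cline_updates = 0;
    ran = buf_delete_signs(buf);
    valid = curwin->w_valid;
    free(buf);
    win_free_all();
    return (ran == 1 && cline_updates == 1) ? valid : -1;
}

int main(void)
{
    printf("cursor updates after windows freed: %d\n", exit_cleanup_model());
    printf("w_valid after :sign unplace *: %d\n", unplace_all_model());
    return 0;
}
```

Run it under valgrind as in the report to confirm the guarded version produces no invalid reads; removing the curwin != NULL test in buf_delete_signs() reproduces the access to freed memory from the trace.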

