Dominique Pelle wrote:

> Valgrind memory checker detects use of freed memory in Vim-7.1.285
> when using 'set autochdir' and when Vim is compiled with -DEXITFREE.
> 
> ==6925== Invalid read of size 4
> ==6925==    at 0x8054471: do_autochdir (buffer.c:1472)
> ==6925==    by 0x8052E31: close_buffer (buffer.c:445)
> ==6925==    by 0x8113AE3: free_all_mem (misc2.c:1089)
> ==6925==    by 0x814B244: mch_exit (os_unix.c:2951)
> ==6925==    by 0x80E6320: getout (main.c:1342)
> ==6925==    by 0x80AB880: ex_quit (ex_docmd.c:6227)
> ==6925==    by 0x80A5952: do_one_cmd (ex_docmd.c:2623)
> ==6925==    by 0x80A319E: do_cmdline (ex_docmd.c:1099)
> ==6925==    by 0x80A2850: do_cmdline_cmd (ex_docmd.c:705)
> ==6925==    by 0x80E80CC: exe_commands (main.c:2665)
> ==6925==    by 0x80E5A9E: main (main.c:875)
> ==6925==  Address 0x4AF8A9C is 76 bytes inside a block of size 4,516 free'd
> ==6925==    at 0x402237F: free (vg_replace_malloc.c:233)
> ==6925==    by 0x8114365: vim_free (misc2.c:1580)
> ==6925==    by 0x8053182: free_buffer (buffer.c:616)
> ==6925==    by 0x8052EAA: close_buffer (buffer.c:467)
> ==6925==    by 0x8113AE3: free_all_mem (misc2.c:1089)
> ==6925==    by 0x814B244: mch_exit (os_unix.c:2951)
> ==6925==    by 0x80E6320: getout (main.c:1342)
> ==6925==    by 0x80AB880: ex_quit (ex_docmd.c:6227)
> ==6925==    by 0x80A5952: do_one_cmd (ex_docmd.c:2623)
> ==6925==    by 0x80A319E: do_cmdline (ex_docmd.c:1099)
> ==6925==    by 0x80A2850: do_cmdline_cmd (ex_docmd.c:705)
> ==6925==    by 0x80E80CC: exe_commands (main.c:2665)
> (more errors follow)
> 
> Steps to reproduce:
> 
> 1/ Run Vim with Valgrind with 2 files:
> 
>    $ valgrind vim -u NONE -c 'set autochdir|q!' foo bar 2> valgrind.log
> 
> 2/ Observe in valgrind.log errors when exiting vim
> 
> 
> Function free_all_mem() frees all buffers calling close_buffer(...)
> in a loop on all buffers:
> 
> 1085     /* Free all buffers. */
> 1086     for (buf = firstbuf; buf != NULL; )
> 1087     {
> 1088         nextbuf = buf->b_next;
> 1089         close_buffer(NULL, buf, DOBUF_WIPE);
> 1090         if (buf_valid(buf))
> 1091             buf = nextbuf;      /* didn't work, try next one */
> 1092         else
> 1093             buf = firstbuf;
> 1094     }
> 
> Inside close_buffer(), DO_AUTOCHDIR uses both buf (before it's being freed)
> and curbuf.  The problem is that curbuf may have been already freed in a
> previous iteration.  So DO_AUTOCHDIR uses freed memory when accessing
> curbuf.
> 
> I attach a patch that fixes it by checking whether curbuf is still valid
> before calling DO_AUTOCHDIR.  Another way of fixing it in misc2.c
> could be to free all buffers (except curbuf) and then free curbuf last.

How about solving this by resetting 'autochdir' first?  This also avoids
doing things that don't make sense.


*** ../vim-7.1.285/src/misc2.c  Wed Feb 20 12:22:59 2008
--- src/misc2.c Wed Mar 26 21:02:57 2008
***************
*** 1082,1088 ****
      win_free_all();
  #endif
  
!     /* Free all buffers. */
      for (buf = firstbuf; buf != NULL; )
      {
        nextbuf = buf->b_next;
--- 1083,1093 ----
      win_free_all();
  #endif
  
!     /* Free all buffers.  Reset 'autochdir' to avoid accessing things that
!      * were freed already. */
! #ifdef FEAT_AUTOCHDIR
!     p_acd = FALSE;
! #endif
      for (buf = firstbuf; buf != NULL; )
      {
        nextbuf = buf->b_next;
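Review bot: the reset fixes only this caller, while the unguarded read itself stays in close_buffer(): per the analysis quoted above, its DO_AUTOCHDIR dereferences curbuf with no buf_valid() check (buffer.c:1472 in the trace), so if curbuf can be freed before a later close_buffer() call on any other path, the same read recurs. Keeping `p_acd = FALSE;` here is right at exit, but consider also guarding the DO_AUTOCHDIR site with `buf_valid(curbuf)`, as the attached patch did. Separately, the new-file range `--- 1083,1093 ----` starts one line below the old `*** 1082,1088 ****`, so an earlier hunk not shown in this excerpt already inserts a line in misc2.c; make sure that hunk travels with this one when the change is applied.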


-- 
hundred-and-one symptoms of being an internet addict:
169. You hire a housekeeper for your home page.

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
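The ordering problem Dominique describes (curbuf freed by an earlier iteration of the free_all_mem() loop, then read by DO_AUTOCHDIR while closing the next buffer) and both proposed fixes, as an added C model that is not Vim's code. The buffer list, buf_valid(), close_buffer(), do_autochdir() and the loop are reduced to a few lines each; instead of really dereferencing freed memory, do_autochdir() consults a list of freed addresses (a stand-in for Valgrind) and counts the accesses that would have been use-after-free reads, so the unfixed variant can run safely beside Bram's reset-'autochdir' fix and the buf_valid(curbuf) check. Names such as b_ffname, FIX_RESET_ACD and free_all_bufs() are assumptions of this model, not Vim identifiers.

```c
/* Added example, not Vim's code: a miniature model of the exit-time
 * free_all_mem() loop and close_buffer()'s DO_AUTOCHDIR.  Freed addresses
 * are recorded and checked instead of dereferenced, so every variant is
 * safe to run. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BUFS 8

typedef struct buf_S {
    struct buf_S *b_next;
    char b_ffname[16];          /* assumed: stands in for the file name */
} buf_T;

static buf_T *firstbuf;         /* head of the buffer list */
static buf_T *curbuf;           /* "current" buffer; left dangling after free, as in the report */
static int p_acd;               /* the 'autochdir' option */

static uintptr_t freed[MAX_BUFS];   /* addresses freed so far (the "memory checker") */
static int nfreed;
static int uaf_count;           /* reads of a freed curbuf that would have happened */
static int acd_count;           /* autochdir actions performed on a live curbuf */

typedef enum { FIX_NONE, FIX_RESET_ACD, FIX_CHECK_CURBUF } fix_T;

static int is_freed(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == a)
            return 1;
    return 0;
}

/* Same idea as Vim's buf_valid(): true iff buf is still in the list. */
static int buf_valid(const buf_T *buf)
{
    for (buf_T *b = firstbuf; b != NULL; b = b->b_next)
        if (b == buf)
            return 1;
    return 0;
}

/* Model of do_autochdir(): the read of curbuf is the access Valgrind flagged. */
static void do_autochdir(void)
{
    if (is_freed(curbuf)) {     /* buffer.c:1472 in the trace */
        uaf_count++;
        return;
    }
    acd_count++;                /* would chdir() to the directory of curbuf->b_ffname */
}

/* Model of close_buffer(): DO_AUTOCHDIR, then unlink and free the buffer. */
static void close_buffer(buf_T *buf, int check_curbuf)
{
    if (p_acd && (!check_curbuf || buf_valid(curbuf)))  /* check: Dominique's fix */
        do_autochdir();
    if (firstbuf == buf)
        firstbuf = buf->b_next;
    else
        for (buf_T *b = firstbuf; b != NULL; b = b->b_next)
            if (b->b_next == buf) {
                b->b_next = buf->b_next;
                break;
            }
    freed[nfreed++] = (uintptr_t)buf;
    free(buf);                  /* curbuf is NOT updated: it may now dangle */
}

/* Build n buffers (constructed input); curbuf is the first, as after "vim foo bar". */
static void setup(int n)
{
    buf_T **tail = &firstbuf;
    firstbuf = NULL;
    nfreed = uaf_count = acd_count = 0;
    p_acd = 1;                                  /* :set autochdir */
    for (int i = 0; i < n && i < MAX_BUFS; i++) {
        buf_T *b = calloc(1, sizeof *b);
        if (b == NULL)
            abort();
        snprintf(b->b_ffname, sizeof b->b_ffname, "file%d", i);
        *tail = b;
        tail = &b->b_next;
    }
    curbuf = firstbuf;
}

/* Model of the free_all_mem() loop; returns how many freed-memory reads occurred. */
static int free_all_bufs(int nbufs, fix_T fix)
{
    setup(nbufs);
    if (fix == FIX_RESET_ACD)
        p_acd = 0;                              /* Bram's fix: reset 'autochdir' first */
    for (buf_T *buf = firstbuf; buf != NULL; ) {
        buf_T *nextbuf = buf->b_next;
        close_buffer(buf, fix == FIX_CHECK_CURBUF);
        if (buf_valid(buf))
            buf = nextbuf;                      /* didn't work, try next one */
        else
            buf = firstbuf;
    }
    return uaf_count;
}

static int bufs_remaining(void)
{
    int n = 0;
    for (buf_T *b = firstbuf; b != NULL; b = b->b_next)
        n++;
    return n;
}

int main(void)
{
    static const char *names[] = { "unfixed", "reset p_acd", "check buf_valid(curbuf)" };
    for (int fix = FIX_NONE; fix <= FIX_CHECK_CURBUF; fix++) {
        int uaf = free_all_bufs(2, (fix_T)fix);
        printf("%-24s %d freed read(s), %d autochdir(s)\n", names[fix], uaf, acd_count);
    }
    return 0;
}
```

With two buffers the unfixed loop performs one read of the freed curbuf (the second close_buffer() call), the reset variant performs none and does no autochdir at all, and the buf_valid() variant performs none but still does the one autochdir that had a live curbuf; all three leave the list empty.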

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---