[patch] fixed access to freed memory with -DEXITFREE (introduced by patch-7.2.31)

Dominique Pelle Sun, 09 Nov 2008 13:08:14 -0800

Hi

Using valgrind, I observe the following error with Vim-7.2.32 when
exiting Vim.  It happens only when Vim is compiled with -DEXITFREE
so it's a minor bug, since Vim is normally not compiled with -DEXITFREE.


Doing "vim -u NONE -c q" is enough to trigger it.

It did not happen with Vim-7.2.30. So it's introduced
by Vim-7.2.{31,32}.

==30738== Invalid read of size 4
==30738==    at 0x806E81A: set_ref_in_ht (eval.c:6592)
==30738==    by 0x807D751: garbage_collect (eval.c:6536)
==30738==    by 0x808A4A4: eval_clear (eval.c:874)
==30738==    by 0x81006FD: free_all_mem (misc2.c:1131)
==30738==    by 0x813174F: mch_exit (os_unix.c:3057)
==30738==    by 0x809E690: ex_quit (ex_docmd.c:6228)
==30738==    by 0x80A63CB: do_one_cmd (ex_docmd.c:2622)
==30738==    by 0x80A77BE: do_cmdline (ex_docmd.c:1096)
==30738==    by 0x811423E: nv_colon (normal.c:5217)
==30738==    by 0x8116C53: normal_cmd (normal.c:1184)
==30738==    by 0x80DA03F: main_loop (main.c:1180)
==30738==    by 0x80DD637: main (main.c:939)
==30738==  Address 0x4c18ae4 is 4 bytes inside a block of size 2,048 free'd
==30738==    at 0x402268C: free (vg_replace_malloc.c:323)
==30738==    by 0x808A42C: eval_clear (eval.c:858)
==30738==    by 0x81006FD: free_all_mem (misc2.c:1131)
==30738==    by 0x813174F: mch_exit (os_unix.c:3057)
==30738==    by 0x809E690: ex_quit (ex_docmd.c:6228)
==30738==    by 0x80A63CB: do_one_cmd (ex_docmd.c:2622)
==30738==    by 0x80A77BE: do_cmdline (ex_docmd.c:1096)
==30738==    by 0x811423E: nv_colon (normal.c:5217)
==30738==    by 0x8116C53: normal_cmd (normal.c:1184)
==30738==    by 0x80DA03F: main_loop (main.c:1180)
==30738==    by 0x80DD637: main (main.c:939)

Line eval.c:6536 where error happens is introduced by patch 7.2.31.

I attach a patch which fixes it, but please double check
that it's correct:  calling hash_init(&vimvarht) after
hash_clear(&vimvarht) is needed to prevent
garbage_collect() from using the freed hash later.

Groetjes
-- Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---

Index: eval.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/eval.c,v
retrieving revision 1.269
diff -c -r1.269 eval.c
*** eval.c	9 Nov 2008 16:22:01 -0000	1.269
--- eval.c	9 Nov 2008 20:56:39 -0000
***************
*** 856,861 ****
--- 856,862 ----
  	}
      }
      hash_clear(&vimvarht);
+     hash_init(&vimvarht);
      hash_clear(&compat_hashtab);
  
      /* script-local variables */

[patch] fixed access to freed memory with -DEXITFREE (introduced by patch-7.2.31)

Raspunde prin e-mail lui