Hi.

I can reproduce the following error with valgrind memory
checker using Vim-7.2.75 (huge) on Linux x86 with utf-8 locale:

==15276== Invalid read of size 1
==15276==    at 0x4026438: strlen (mc_replace_strmem.c:242)
==15276==    by 0x8107E39: ins_bytes (misc1.c:1860)
==15276==    by 0x8067EC0: ins_compl_new_leader (edit.c:3212)
==15276==    by 0x8068048: ins_compl_addleader (edit.c:3297)
==15276==    by 0x80641AA: edit (edit.c:765)
==15276==    by 0x812F248: invoke_edit (normal.c:8901)
==15276==    by 0x812F1EE: nv_edit (normal.c:8874)
==15276==    by 0x8122A3C: normal_cmd (normal.c:1200)
==15276==    by 0x80E5C9D: main_loop (main.c:1180)
==15276==    by 0x80E57EA: main (main.c:939)
==15276==  Address 0x4e671af is 1 bytes before a block of size 3 alloc'd
==15276==    at 0x4025D2E: malloc (vg_replace_malloc.c:207)
==15276==    by 0x811303C: lalloc (misc2.c:859)
==15276==    by 0x8112F58: alloc (misc2.c:758)
==15276==    by 0x81133EF: vim_strnsave (misc2.c:1176)
==15276==    by 0x8068035: ins_compl_addleader (edit.c:3294)
==15276==    by 0x80641AA: edit (edit.c:765)
==15276==    by 0x812F248: invoke_edit (normal.c:8901)
==15276==    by 0x812F1EE: nv_edit (normal.c:8874)
==15276==    by 0x8122A3C: normal_cmd (normal.c:1200)
==15276==    by 0x80E5C9D: main_loop (main.c:1180)
==15276==    by 0x80E57EA: main (main.c:939)

Steps to reproduce:

1/ Create a sample tag file (using Vim source files for example):

      $ cd vim7/src
      $ ctags *.c *.h

2/ Create a minimal vimrc file, just enough to trigger the bug:

      set completeopt=menuone,longest
      set tags=tags
      set keymap=arabic

   I tried several keymaps (not all of them), but I can somehow only
   reproduce this bug using 'set keymap=arabic' or 'set keymap=persian'.

3/ Start Vim with valgrind:

      $ valgrind vim -u test.vimrc 2> valgrind.log

4/ Type the following commands in Normal mode (completion using pum & tags):

      i-<ctrl-n>X

5/ Observe the above valgrind error in valgrind.log right after
   pressing X in step 4/.

edit.c, around line 3212:

  3207     static void
  3208 ins_compl_new_leader()
  3209 {
  3210     ins_compl_del_pum();
  3211     ins_compl_delete();
! 3212     ins_bytes(compl_leader + curwin->w_cursor.col - compl_col);
  3213     compl_used_match = FALSE;

When the bug happens, I see that curwin->w_cursor.col is 0 and compl_col
is 1, so the argument of ins_bytes() at line 3212 is 1 byte before the beginning
of the string compl_leader (hence the error).  Without a keymap, or with
keymaps other than arabic or persian, curwin->w_cursor.col is 1 and
compl_col is also 1 (so the bug then does not happen).

I'm not sure what the right way to fix it is: obviously we can do
a check for curwin->w_cursor.col being greater than or equal to compl_col,
as in the attached patch.  Although it pacifies valgrind, it may only work
around the bug.  I was testing Vim with keymaps and I don't know how
the arabic and persian keymaps are supposed to behave, so I can't tell whether the
behavior is correct (but the valgrind error is clearly not expected).

Regards
-- Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---

Index: edit.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/edit.c,v
retrieving revision 1.141
diff -c -r1.141 edit.c
*** edit.c	6 Aug 2008 16:56:55 -0000	1.141
--- edit.c	25 Dec 2008 17:01:09 -0000
***************
*** 3209,3215 ****
  {
      ins_compl_del_pum();
      ins_compl_delete();
!     ins_bytes(compl_leader + curwin->w_cursor.col - compl_col);
      compl_used_match = FALSE;
  
      if (compl_started)
--- 3209,3217 ----
  {
      ins_compl_del_pum();
      ins_compl_delete();
!     ins_bytes(compl_leader
! 	+ ((curwin->w_cursor.col > compl_col) 
! 	    ? (curwin->w_cursor.col - compl_col) : 0));
      compl_used_match = FALSE;
  
      if (compl_started)
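Review bot: the new guard in ins_compl_new_leader() only clamps the lower bound; when curwin->w_cursor.col - compl_col is larger than the length of compl_leader, ins_bytes() is still handed a pointer past the end of the string, so consider bounding the offset by STRLEN(compl_leader) as well. More importantly, the surrounding text shows the real defect is that curwin->w_cursor.col is 0 while compl_col is 1 under keymap=arabic/persian; clamping the offset to 0 re-inserts the whole leader and hides that inconsistency rather than fixing where the cursor column is left wrong, so a comment saying this is a workaround (or a fix of the cursor-column handling instead) would be preferable. Minor: the line `+ ((curwin->w_cursor.col > compl_col) ` carries trailing whitespace.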

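As an added illustration, not Vim's code and not part of this message: a small C model of the pointer arithmetic from ins_compl_new_leader(), with the offset checked at both ends. The helper name leader_tail() and the sample leaders are assumptions; the point is that clamping only the negative case (as the posted patch does) still leaves the past-the-end case unguarded.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model (not Vim's implementation) of the expression
 *     compl_leader + curwin->w_cursor.col - compl_col
 * used to find the part of the completion leader to re-insert.
 *
 * On success *tail points into `leader`; the return value is 0 when the
 * raw offset was already in range and 1 when it had to be clamped, i.e.
 * when the original expression would have produced an out-of-bounds
 * pointer (before the allocation, as in the valgrind report, or past
 * its terminating NUL).
 */
static int
leader_tail(const char *leader, int compl_col, int cursor_col,
            const char **tail)
{
    long raw = (long)cursor_col - (long)compl_col;  /* may be negative */
    long len = (long)strlen(leader);
    long off = raw;
    int clamped = 0;

    if (off < 0)            /* reported case: cursor col 0, compl_col 1 */
    {
        off = 0;
        clamped = 1;
    }
    else if (off > len)     /* not covered by a "> compl_col" check alone */
    {
        off = len;
        clamped = 1;
    }

    *tail = leader + off;
    return clamped;
}

int
main(void)
{
    /* Constructed inputs: a one-character leader "-" as typed in the
     * reproduction, and a longer leader for the past-the-end case. */
    const char *tail;
    int c;

    c = leader_tail("-", 1, 0, &tail);   /* keymap=arabic situation */
    printf("col 0, compl_col 1: clamped=%d tail=\"%s\"\n", c, tail);

    c = leader_tail("-", 1, 1, &tail);   /* normal situation */
    printf("col 1, compl_col 1: clamped=%d tail=\"%s\"\n", c, tail);

    c = leader_tail("ab", 1, 5, &tail);  /* offset beyond the leader */
    printf("col 5, compl_col 1: clamped=%d tail=\"%s\"\n", c, tail);

    return 0;
}
```

The first call is the situation in the valgrind trace: without the lower-bound check the pointer would sit one byte before the allocation. The third call is the symmetric case a fix should also cover.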