[patch] fixed double free introduced by patch 7.2.203 when Vim is built with -DEXITFREE

Dominique Pellé Fri, 19 Jun 2009 23:14:41 -0700

Hi

I can reproduce a crash (double free) using latest Vim-7.2.209
when built with -DEXITFREE:


  *** glibc detected *** ./vim: corrupted double-linked list: 0x096dd8b8 ***
  ======= Backtrace: =========
  ...snip...
  Vim: Caught deadly signal ABRT0 08:04 2181505    /usr
  Vim: Finished.
  Vim: Double signal, exiting
  Segmentation fault (core dumped)

Steps to reproduce the bug:

1/ build Vim with -DEXITFREE
   i.e. uncomment PROFILE_CFLAGS = -DEXITFREE in src/Makefile

2/ start Vim with:

   $ vim -u NONE -C

3/ execute the following Ex commands:

   :set hidden
   :e foo.txt
   :e bar.txt
   :syntax on
   :q

5/ when exiting, notice the double free error:

   $ ./vim -u .vimrc-test
   *** glibc detected *** ./vim: corrupted double-linked list: 0x0947bf60 ***
   ...

Reproducing it with Valgrind memory checker, I see the following
error when exiting:
==16444== Invalid read of size 4
==16444==    at 0x8162363: redraw_win_later (screen.c:197)
==16444==    by 0x816235A: redraw_later (screen.c:189)
==16444==    by 0x81C4CF7: clear_matches (window.c:6520)
==16444==    by 0x81C1C98: win_free (window.c:4371)
==16444==    by 0x81BF4F3: win_free_mem (window.c:2368)
==16444==    by 0x81BF57F: win_free_all (window.c:2395)
==16444==    by 0x811437B: free_all_mem (misc2.c:1093)
==16444==    by 0x814B579: mch_exit (os_unix.c:3066)
==16444==    by 0x80E6E44: getout (main.c:1347)
==16444==    by 0x80ACA7F: ex_quit_all (ex_docmd.c:6338)
==16444==    by 0x80A6B1B: do_one_cmd (ex_docmd.c:2620)
==16444==    by 0x80A439B: do_cmdline (ex_docmd.c:1096)
==16444==    by 0x812A67A: nv_colon (normal.c:5224)
==16444==    by 0x8123D00: normal_cmd (normal.c:1188)
==16444==    by 0x80E6B81: main_loop (main.c:1186)
==16444==    by 0x80E66CE: main (main.c:942)
==16444==  Address 0x4c690bc is 212 bytes inside a block of size 3,676 free'd
==16444==    at 0x4024E5A: free (vg_replace_malloc.c:323)
==16444==    by 0x8114D38: vim_free (misc2.c:1639)
==16444==    by 0x81C1CF4: win_free (window.c:4391)
==16444==    by 0x81BF4F3: win_free_mem (window.c:2368)
==16444==    by 0x81BF550: win_free_all (window.c:2390)
==16444==    by 0x811437B: free_all_mem (misc2.c:1093)
==16444==    by 0x814B579: mch_exit (os_unix.c:3066)
==16444==    by 0x80E6E44: getout (main.c:1347)
==16444==    by 0x80ACA7F: ex_quit_all (ex_docmd.c:6338)
==16444==    by 0x80A6B1B: do_one_cmd (ex_docmd.c:2620)
==16444==    by 0x80A439B: do_cmdline (ex_docmd.c:1096)
==16444==    by 0x812A67A: nv_colon (normal.c:5224)
==16444==    by 0x8123D00: normal_cmd (normal.c:1188)
==16444==    by 0x80E6B81: main_loop (main.c:1186)
==16444==    by 0x80E66CE: main (main.c:942)
(and more errors follow)

window.c:
  2389     while (firstwin != NULL)
!!2390         (void)win_free_mem(firstwin, &dummy, NULL);
  2391
  2392 # ifdef FEAT_AUTOCMD
  2393     if (aucmd_win != NULL)
  2394     {
!!2395         (void)win_free_mem(aucmd_win, &dummy, NULL);
  2396         aucmd_win = NULL;
  2397     }

Memory freed at line 2390 is used and freed again at line 2395.

If I print curwin, firstwin, aucmd_win before line 2389, I see:

*** curwin=0x8e3c358 firstwin=0x8e3c358 aucmd_win=0x8e5c2d0

Line window.c:2395 was introduced in patch 7.2.203:

============================================================================
Patch 7.2.203
Problem:  When reloading a buffer or doing anything else with a buffer that
          is not displayed in a visible window, autocommands may be applied
          to the current window, folds messed up, etc.
Solution: Instead of using the current window for the hidden buffer use a
          special window, splitting the current one temporarily.
Files:    src/fileio.c, src/globals.h, src/gui.c, src/if_perl.xs,
          src/proto/gui.pro, src/proto/window.pro, src/screen.c,
          src/structs.h, src/window.c
============================================================================

I tried previous versions of Vim:

- Vim-7.2.202 ............. OK, no bug
- Vim-7.2.203 ............. could not test, tag v7-2-203 is missing in CVS?!?
- Vim-7.2.204 ............. double free crash
- Vim-7.2.209 (latest) .... double free crash

So bug was introduced in Vim-7.2.203.

Attached patch fixes it but deserves further testing and review.

Regards
-- Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---

Index: window.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/window.c,v
retrieving revision 1.78
diff -c -r1.78 window.c
*** window.c	16 Jun 2009 14:00:54 -0000	1.78
--- window.c	20 Jun 2009 06:00:08 -0000
***************
*** 2386,2394 ****
  	tabpage_close(TRUE);
  # endif
  
-     while (firstwin != NULL)
- 	(void)win_free_mem(firstwin, &dummy, NULL);
- 
  # ifdef FEAT_AUTOCMD
      if (aucmd_win != NULL)
      {
--- 2386,2391 ----
***************
*** 2396,2401 ****
--- 2393,2401 ----
  	aucmd_win = NULL;
      }
  # endif
+ 
+     while (firstwin != NULL)
+ 	(void)win_free_mem(firstwin, &dummy, NULL);
  }
  #endif

[patch] fixed double free introduced by patch 7.2.203 when Vim is built with -DEXITFREE

Raspunde prin e-mail lui