Dominique Pelle wrote:
> I can reproduce a crash (double free) using latest Vim-7.2.209
> when built with -DEXITFREE:
>
> *** glibc detected *** ./vim: corrupted double-linked list: 0x096dd8b8 ***
> ======= Backtrace: =========
> ...snip...
> Vim: Caught deadly signal ABRT0 08:04 2181505 /usr
> Vim: Finished.
> Vim: Double signal, exiting
> Segmentation fault (core dumped)
>
> Steps to reproduce the bug:
>
> 1/ build Vim with -DEXITFREE
> i.e. uncomment PROFILE_CFLAGS = -DEXITFREE in src/Makefile
>
> 2/ start Vim with:
>
> $ vim -u NONE -C
>
> 3/ execute the following Ex commands:
>
> :set hidden
> :e foo.txt
> :e bar.txt
> :syntax on
> :q
>
> 5/ when exiting, notice the double free error:
>
> $ ./vim -u .vimrc-test
> *** glibc detected *** ./vim: corrupted double-linked list: 0x0947bf60 ***
> ...
>
> Reproducing it with Valgrind memory checker, I see the following
> error when exiting:
> ==16444== Invalid read of size 4
> ==16444== at 0x8162363: redraw_win_later (screen.c:197)
> ==16444== by 0x816235A: redraw_later (screen.c:189)
> ==16444== by 0x81C4CF7: clear_matches (window.c:6520)
> ==16444== by 0x81C1C98: win_free (window.c:4371)
> ==16444== by 0x81BF4F3: win_free_mem (window.c:2368)
> ==16444== by 0x81BF57F: win_free_all (window.c:2395)
> ==16444== by 0x811437B: free_all_mem (misc2.c:1093)
> ==16444== by 0x814B579: mch_exit (os_unix.c:3066)
> ==16444== by 0x80E6E44: getout (main.c:1347)
> ==16444== by 0x80ACA7F: ex_quit_all (ex_docmd.c:6338)
> ==16444== by 0x80A6B1B: do_one_cmd (ex_docmd.c:2620)
> ==16444== by 0x80A439B: do_cmdline (ex_docmd.c:1096)
> ==16444== by 0x812A67A: nv_colon (normal.c:5224)
> ==16444== by 0x8123D00: normal_cmd (normal.c:1188)
> ==16444== by 0x80E6B81: main_loop (main.c:1186)
> ==16444== by 0x80E66CE: main (main.c:942)
> ==16444== Address 0x4c690bc is 212 bytes inside a block of size 3,676 free'd
> ==16444== at 0x4024E5A: free (vg_replace_malloc.c:323)
> ==16444== by 0x8114D38: vim_free (misc2.c:1639)
> ==16444== by 0x81C1CF4: win_free (window.c:4391)
> ==16444== by 0x81BF4F3: win_free_mem (window.c:2368)
> ==16444== by 0x81BF550: win_free_all (window.c:2390)
> ==16444== by 0x811437B: free_all_mem (misc2.c:1093)
> ==16444== by 0x814B579: mch_exit (os_unix.c:3066)
> ==16444== by 0x80E6E44: getout (main.c:1347)
> ==16444== by 0x80ACA7F: ex_quit_all (ex_docmd.c:6338)
> ==16444== by 0x80A6B1B: do_one_cmd (ex_docmd.c:2620)
> ==16444== by 0x80A439B: do_cmdline (ex_docmd.c:1096)
> ==16444== by 0x812A67A: nv_colon (normal.c:5224)
> ==16444== by 0x8123D00: normal_cmd (normal.c:1188)
> ==16444== by 0x80E6B81: main_loop (main.c:1186)
> ==16444== by 0x80E66CE: main (main.c:942)
> (and more errors follow)
>
> window.c:
> 2389 while (firstwin != NULL)
> !!2390 (void)win_free_mem(firstwin, &dummy, NULL);
> 2391
> 2392 # ifdef FEAT_AUTOCMD
> 2393 if (aucmd_win != NULL)
> 2394 {
> !!2395 (void)win_free_mem(aucmd_win, &dummy, NULL);
> 2396 aucmd_win = NULL;
> 2397 }
>
> Memory freed at line 2390 is used and freed again at line 2395.
>
> If I print curwin, firstwin, aucmd_win before line 2389, I see:
>
> *** curwin=0x8e3c358 firstwin=0x8e3c358 aucmd_win=0x8e5c2d0
>
> Line window.c:2395 was introduced in patch 7.2.203:
>
> ============================================================================
> Patch 7.2.203
> Problem: When reloading a buffer or doing anything else with a buffer that
> is not displayed in a visible window, autocommands may be applied
> to the current window, folds messed up, etc.
> Solution: Instead of using the current window for the hidden buffer use a
> special window, splitting the current one temporarily.
> Files: src/fileio.c, src/globals.h, src/gui.c, src/if_perl.xs,
> src/proto/gui.pro, src/proto/window.pro, src/screen.c,
> src/structs.h, src/window.c
> ============================================================================
>
> I tried previous versions of Vim:
>
> - Vim-7.2.202 ............. OK, no bug
> - Vim-7.2.203 ............. could not test, tag v7-2-203 is missing in CVS?!?
> - Vim-7.2.204 ............. double free crash
> - Vim-7.2.209 (latest) .... double free crash
>
> So bug was introduced in Vim-7.2.203.
>
> Attached patch fixes it but deserves further testing and review.
Thanks for the explanation and patch. I'm not 100% sure if this is the
best way to fix it. It's a bit tricky to do anything when windows are
being freed.
--
If you put 7 of the most talented OSS developers in a room for a week
and asked them to fix a bug in a spreadsheet program, in 1 week
you'd have 2 new mail readers and a text-based web browser.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
