Yukihiro Nakadaira wrote: > Kana Natsuno wrote: >> On Mon, 12 Oct 2009 05:03:27 +0900, Bram Moolenaar <[email protected]> >> wrote: >>> Can you somehow simplify the way to reproduce this and send me the Vim >>> script for this? >> >> Sorry, I tried to simplify before reporting but failed. Because the >> problem I encountered seems to depend on the number/order of operations, >> and the problem doesn't occur even if I delete a key/value pair >> expression from dictionary literal which seems not to be related to >> executing scripts. >> >> Anyway, I'll try to simplify again. > > Perhaps your problem is ... > > In eval.c, all "s:" dictionary is stored in one array (ga_scripts). > When new script file is sourced, the array is re-allocated for new "s:" > dictionary. Then "s:" dictionary, previously assigned to other variable > (e.g. :let g:foo = s:), will become an invalid pointer. > > > Script to reproduce: (might not crash 100%) > > let script_vars = [] > for src in range(10) > call writefile(['call add(script_vars, s:)'], src) > source `=src` > " allocate memory to ensure crash. > call repeat(' ', 1000) > endfor > echo script_vars
Ah, well done. This small script is causing Vim to use freed memory indeed. This is what Valgrind memory checker reports with Vim-7.2.267 (haven't had time to try to debug yet): ==7032== at 0x8099A5D: echo_string (eval.c:7320) ==7032== by 0x8099C35: tv2string (eval.c:7391) ==7032== by 0x80987AA: list_join (eval.c:6464) ==7032== by 0x80986B8: list2string (eval.c:6425) ==7032== by 0x8099A1D: echo_string (eval.c:7309) ==7032== by 0x80AA7F1: ex_echo (eval.c:19438) ==7032== by 0x80C33CC: do_one_cmd (ex_docmd.c:2629) ==7032== by 0x80C0C74: do_cmdline (ex_docmd.c:1098) ==7032== by 0x80BF336: do_source (ex_cmds2.c:3116) ==7032== by 0x80BECA3: cmd_source (ex_cmds2.c:2737) ==7032== by 0x80BEBF7: ex_source (ex_cmds2.c:2710) ==7032== by 0x80C33CC: do_one_cmd (ex_docmd.c:2629) ==7032== by 0x80C0C74: do_cmdline (ex_docmd.c:1098) ==7032== by 0x81478CA: nv_colon (normal.c:5224) ==7032== by 0x8140F50: normal_cmd (normal.c:1188) ==7032== by 0x8103A59: main_loop (main.c:1186) ==7032== by 0x81035A6: main (main.c:942) ==7032== Address 0x55ff688 is 14,000 bytes inside a block of size 14,596 free'd ==7032== at 0x4024E5A: free (vg_replace_malloc.c:323) ==7032== by 0x8131FB2: vim_free (misc2.c:1639) ==7032== by 0x8132337: ga_grow (misc2.c:2003) ==7032== by 0x80A99BB: new_script_vars (eval.c:18884) ==7032== by 0x80BF314: do_source (ex_cmds2.c:3089) ==7032== by 0x80BECA3: cmd_source (ex_cmds2.c:2737) ==7032== by 0x80BEBF7: ex_source (ex_cmds2.c:2710) ==7032== by 0x80C33CC: do_one_cmd (ex_docmd.c:2629) ==7032== by 0x80C0C74: do_cmdline (ex_docmd.c:1098) ==7032== by 0x80BF336: do_source (ex_cmds2.c:3116) ==7032== by 0x80BECA3: cmd_source (ex_cmds2.c:2737) ==7032== by 0x80BEBF7: ex_source (ex_cmds2.c:2710) ==7032== by 0x80C33CC: do_one_cmd (ex_docmd.c:2629) ==7032== by 0x80C0C74: do_cmdline (ex_docmd.c:1098) ==7032== by 0x81478CA: nv_colon (normal.c:5224) ==7032== by 0x8140F50: normal_cmd (normal.c:1188) ==7032== by 0x8103A59: main_loop (main.c:1186) ==7032== by 0x81035A6: main (main.c:942) (and more errors follow) -- Dominique --~--~---------~--~----~------------~-------~--~----~ You received this message from the "vim_dev" maillist. For more information, visit http://www.vim.org/maillist.php -~----------~----~----~----~------~----~------~--~---
