Hi

I can reproduce the following error (access to freed memory)
with Vim-7.2.315 (Motif GUI):

==31168== Invalid read of size 4
==31168==    at 0x484BDE7: XtDisplay (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
==31168==    by 0x81E0324: gui_init_font (gui.c:715)
==31168==    by 0x815C376: did_set_string_option (option.c:6116)
==31168==    by 0x8159DBC: do_set (option.c:4679)
==31168==    by 0x80D12B7: ex_set (ex_docmd.c:10983)
==31168==    by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
==31168==    by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
==31168==    by 0x81463F2: nv_colon (normal.c:5224)
==31168==    by 0x813FDEF: normal_cmd (normal.c:1188)
==31168==    by 0x8103CE4: main_loop (main.c:1204)
==31168==    by 0x81037DB: main (main.c:948)
==31168==  Address 0x5a77e30 is 88 bytes inside a block of size 312 free'd
==31168==    at 0x4024B56: free (vg_replace_malloc.c:325)
==31168==    by 0x4835E90: XtFree (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x48408ED: ??? (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x4840213: ??? (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x4840377: ??? (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x484062A: _XtDoPhase2Destroy (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x4840791: XtDestroyWidget (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x81F55FB: gui_xm_select_font (gui_xmdlg.c:1277)
==31168==    by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
==31168==    by 0x81E0324: gui_init_font (gui.c:715)
==31168==    by 0x815C376: did_set_string_option (option.c:6116)
==31168==    by 0x8159DBC: do_set (option.c:4679)
==31168==    by 0x80D12B7: ex_set (ex_docmd.c:10983)
==31168==    by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
==31168==    by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
==31168==    by 0x81463F2: nv_colon (normal.c:5224)
==31168==    by 0x813FDEF: normal_cmd (normal.c:1188)
==31168==    by 0x8103CE4: main_loop (main.c:1204)
==31168==    by 0x81037DB: main (main.c:948)

Steps to reproduce:

1) Start Vim with Valgrind:
   $ cd vim7/src
   $ valgrind --num-callers=20 ./vim -f -g -u NONE -U NONE 2> vg.log

2) Type Ex command:
   :set guifont=*

3) A modal window pops up to select a font, click on the
   "Cancel" button.

4) Observe the above Valgrind error as soon as you click on
   "Cancel".


src/gui_xmdlg.c:

1272  /* modal event loop */
1273  while (!data->exit)
1274      XtAppProcessEvent(XtWidgetToApplicationContext(data->dialog),
1275                                                      (XtInputMask)XtIMAll);
1276
1277  XtDestroyWidget(data->dialog);
1278
1279  if (data->old)
1280  {
1281      XFreeFont(XtDisplay(data->dialog),  data->old);
1282      XmFontListFree(data->old_list);
1283  }

data->dialog is destroyed at line gui_xmdlg.c:1277 but still
used just below at line gui_xmdlg.c:1281.

Attached patch fixes it.

Stack trace reported by Valgrind is slightly incorrect
by the way (not sure why) since XtDisplay() is called from:

  XtDisplay
  gui_xm_select_font (gui_xmdlg.c:1281)
  gui_mch_init_font (gui_x11.c:1853)

and not from:

  XtDisplay()
  gui_mch_init_font() (gui_x11.c:1853)

Cheers
-- Dominique

-- 
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
Index: gui_xmdlg.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/gui_xmdlg.c,v
retrieving revision 1.8
diff -c -r1.8 gui_xmdlg.c
*** gui_xmdlg.c	3 Nov 2009 11:53:50 -0000	1.8
--- gui_xmdlg.c	6 Dec 2009 10:45:15 -0000
***************
*** 1274,1286 ****
  	XtAppProcessEvent(XtWidgetToApplicationContext(data->dialog),
  							(XtInputMask)XtIMAll);
  
-     XtDestroyWidget(data->dialog);
- 
      if (data->old)
      {
  	XFreeFont(XtDisplay(data->dialog),  data->old);
  	XmFontListFree(data->old_list);
      }
  
      gui_motif_synch_fonts();
  
--- 1274,1285 ----
  	XtAppProcessEvent(XtWidgetToApplicationContext(data->dialog),
  							(XtInputMask)XtIMAll);
  
      if (data->old)
      {
  	XFreeFont(XtDisplay(data->dialog),  data->old);
  	XmFontListFree(data->old_list);
      }
+     XtDestroyWidget(data->dialog);
  
      gui_motif_synch_fonts();
  
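Review bot: the reorder is the right fix for the trace in the report, because `XFreeFont(XtDisplay(data->dialog), data->old)` dereferences the widget record that `XtDestroyWidget(data->dialog)` frees; the one thing to confirm before merging is that nothing after the moved call, i.e. `gui_motif_synch_fonts()` and whatever follows this hunk, still touches `data->dialog`, otherwise the same use-after-free simply moves down a few lines. Taking the `Display *` from a widget that outlives the dialog (for instance its parent) would remove the ordering dependency altogether. Minor style point: the moved `XtDestroyWidget(data->dialog);` now sits directly under the closing `}` with no blank line, whereas the original kept one.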

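The diagnosis in the report (destroyed at gui_xmdlg.c:1277, used at gui_xmdlg.c:1281, and the use stack missing a frame) came from reading the two Valgrind stacks by hand. The following is an added example, not part of the email and not Vim's code, of a small triage script that does that pairing mechanically for any Valgrind "Invalid read/write ... free'd" report: it parses both stacks, finds the innermost frame they share, lists the frames that differ, and flags the case where the free stack has a project frame above the shared one but the use stack does not (the situation Dominique noticed). The embedded report is a trimmed copy of the one quoted above; the "project frame" test (a frame Valgrind resolved to a source file other than its own vg_ replacement files) is a heuristic of this script, not anything Valgrind defines.

```python
"""Triage a Valgrind 'Invalid read/write ... free'd' report: pair the use site
with the free site and find where the two call stacks converge."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a trimmed copy of the Valgrind report from the bug
# report above (outer frames dropped; they are identical in both stacks).
SAMPLE_REPORT = """\
==31168== Invalid read of size 4
==31168==    at 0x484BDE7: XtDisplay (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
==31168==    by 0x81E0324: gui_init_font (gui.c:715)
==31168==    by 0x815C376: did_set_string_option (option.c:6116)
==31168==  Address 0x5a77e30 is 88 bytes inside a block of size 312 free'd
==31168==    at 0x4024B56: free (vg_replace_malloc.c:325)
==31168==    by 0x4835E90: XtFree (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x48408ED: ??? (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x484062A: _XtDoPhase2Destroy (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x4840791: XtDestroyWidget (in /usr/lib/libXt.so.6.0.0)
==31168==    by 0x81F55FB: gui_xm_select_font (gui_xmdlg.c:1277)
==31168==    by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
==31168==    by 0x81E0324: gui_init_font (gui.c:715)
==31168==    by 0x815C376: did_set_string_option (option.c:6116)
"""

FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by)\s+(?P<addr>0x[0-9A-Fa-f]+):\s+(?P<func>\S+)\s+\((?P<loc>[^)]*)\)\s*$")
HEADER_RE = re.compile(r"^==\d+==\s+Invalid (?P<kind>read|write) of size (?P<size>\d+)\s*$")
FREED_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is .* free'd\s*$")


class Frame(NamedTuple):
    func: str
    file: Optional[str]   # None when Valgrind only knows the object ("in /usr/lib/...")
    line: Optional[int]

    def is_project(self) -> bool:
        # Heuristic (this script's, not Valgrind's): a frame is "ours" when it
        # resolved to a source file that is not one of Valgrind's vg_ replacements.
        return self.file is not None and not self.file.startswith("vg_")

    def __str__(self) -> str:
        return f"{self.func} ({self.file}:{self.line})" if self.file else self.func


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    loc = m.group("loc")
    if loc.startswith("in "):
        return Frame(m.group("func"), None, None)
    file, _, lineno = loc.rpartition(":")
    return Frame(m.group("func"), file, int(lineno))


class Report(NamedTuple):
    kind: str
    size: int
    use_stack: List[Frame]    # innermost frame first, as Valgrind prints it
    free_stack: List[Frame]


def parse_report(text: str) -> Report:
    kind, size, current = None, 0, None
    use_stack: List[Frame] = []
    free_stack: List[Frame] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            kind, size, current = h.group("kind"), int(h.group("size")), use_stack
            continue
        if FREED_RE.match(line):
            current = free_stack
            continue
        frame = parse_frame(line)
        if frame is not None and current is not None:
            current.append(frame)
    if kind is None or not use_stack or not free_stack:
        raise ValueError("not a complete 'Invalid read/write ... free'd' report")
    return Report(kind, size, use_stack, free_stack)


def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    return next((f for f in stack if f.is_project()), None)


def shared_suffix_len(a: List[Frame], b: List[Frame]) -> int:
    """Number of outermost frames the two stacks have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def triage(text: str) -> dict:
    r = parse_report(text)
    n = shared_suffix_len(r.use_stack, r.free_stack)
    use_only = r.use_stack[:len(r.use_stack) - n]     # frames unique to the use stack
    free_only = r.free_stack[:len(r.free_stack) - n]  # frames unique to the free stack
    converge = r.use_stack[-n] if n else None          # innermost shared frame
    use_site, free_site = first_project_frame(r.use_stack), first_project_frame(r.free_stack)
    # If the free stack has project code above the convergence point but the
    # use stack does not, the use stack is probably missing a frame (inlined
    # or tail-called code): the real use site is likely in the freeing function.
    probably_missing = bool(converge is not None and use_site == converge
                            and any(f.is_project() for f in free_only))
    return {
        "kind": r.kind, "size": r.size,
        "use_site": str(use_site) if use_site else None,
        "free_site": str(free_site) if free_site else None,
        "converge": str(converge) if converge else None,
        "use_only": [str(f) for f in use_only],
        "free_only": [str(f) for f in free_only],
        "use_frame_probably_missing": probably_missing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run on the sample, the script reports the free site as gui_xm_select_font (gui_xmdlg.c:1277), the convergence frame as gui_mch_init_font (gui_x11.c:1853), XtDisplay as the only frame unique to the use stack, and sets use_frame_probably_missing, which is exactly the clue that the read really happens inside gui_xm_select_font even though Valgrind's use stack does not show that frame.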