> I can reproduce the following error (access to freed memory)
> with Vim-7.2.315 (Motif GUI):
>
> ==31168== Invalid read of size 4
> ==31168== at 0x484BDE7: XtDisplay (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
> ==31168== by 0x81E0324: gui_init_font (gui.c:715)
> ==31168== by 0x815C376: did_set_string_option (option.c:6116)
> ==31168== by 0x8159DBC: do_set (option.c:4679)
> ==31168== by 0x80D12B7: ex_set (ex_docmd.c:10983)
> ==31168== by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
> ==31168== by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
> ==31168== by 0x81463F2: nv_colon (normal.c:5224)
> ==31168== by 0x813FDEF: normal_cmd (normal.c:1188)
> ==31168== by 0x8103CE4: main_loop (main.c:1204)
> ==31168== by 0x81037DB: main (main.c:948)
> ==31168== Address 0x5a77e30 is 88 bytes inside a block of size 312 free'd
> ==31168== at 0x4024B56: free (vg_replace_malloc.c:325)
> ==31168== by 0x4835E90: XtFree (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x48408ED: ??? (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x4840213: ??? (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x4840377: ??? (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x484062A: _XtDoPhase2Destroy (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x4840791: XtDestroyWidget (in /usr/lib/libXt.so.6.0.0)
> ==31168== by 0x81F55FB: gui_xm_select_font (gui_xmdlg.c:1277)
> ==31168== by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
> ==31168== by 0x81E0324: gui_init_font (gui.c:715)
> ==31168== by 0x815C376: did_set_string_option (option.c:6116)
> ==31168== by 0x8159DBC: do_set (option.c:4679)
> ==31168== by 0x80D12B7: ex_set (ex_docmd.c:10983)
> ==31168== by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
> ==31168== by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
> ==31168== by 0x81463F2: nv_colon (normal.c:5224)
> ==31168== by 0x813FDEF: normal_cmd (normal.c:1188)
> ==31168== by 0x8103CE4: main_loop (main.c:1204)
> ==31168== by 0x81037DB: main (main.c:948)
>
> Steps to reproduce:
>
> 1) Start Vim with Valgrind:
> $ cd vim7/src
> $ valgrind --num-callers=20 ./vim -f -g -u NONE -U NONE 2> vg.log
>
> 2) Type Ex command:
> :set guifont=*
>
> 3) A modal window pops up to select a font, click on the
> "Cancel" button.
>
> 4) Observe the above Valgrind error as soon as you click on
> "Cancel".
>
>
> src/gui_xmdlg.c:
>
> 1272     /* modal event loop */
> 1273     while (!data->exit)
> 1274         XtAppProcessEvent(XtWidgetToApplicationContext(data->dialog),
> 1275                                         (XtInputMask)XtIMAll);
> 1276
> 1277     XtDestroyWidget(data->dialog);
> 1278
> 1279     if (data->old)
> 1280     {
> 1281         XFreeFont(XtDisplay(data->dialog), data->old);
> 1282         XmFontListFree(data->old_list);
> 1283     }
>
> data->dialog is destroyed at line gui_xmdlg.c:1277 but still
> used just below at line gui_xmdlg.c:1281.
>
> Attached patch fixes it.
>
> Stack trace reported by Valgrind is slightly incorrect
> by the way (not sure why) since XtDisplay() is called from:
>
> XtDisplay
> gui_xm_select_font (gui_xmdlg.c:1281)
> gui_mch_init_font (gui_x11.c:1853)
>
> and not from:
>
> XtDisplay()
> gui_mch_init_font() (gui_x11.c:1853)
Thanks for the patch!
--
Shift happens.
-- Doppler
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
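
The destroy-then-use ordering described in the report, modelled as an added example; this is not the attached patch (which is not shown in this thread) and not Vim's code. The `mock_*` types, the helper functions and the counters are constructed stand-ins for the Xt/Xlib objects, so the stale access is counted deterministically instead of reading freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins for the Xt/Xlib objects; not the real toolkit API. */
typedef struct { int id; } mock_display;
typedef struct { mock_display *dpy; bool destroyed; } mock_widget;
struct dialog_data { mock_widget *dialog; int old_font; };
static int stale_reads;  /* accesses to a widget after its destruction */
static int fonts_freed;  /* fonts actually released */

/* Models XtDisplay(): records a read through a destroyed widget. */
static mock_display *widget_display(mock_widget *w)
{
    if (w->destroyed) { stale_reads++; return NULL; }
    return w->dpy;
}
/* Models XtDestroyWidget(). */
static void widget_destroy(mock_widget *w) { w->destroyed = true; }
/* Models XFreeFont(): needs a valid display to release the font. */
static void free_font(mock_display *d, int *font)
{
    if (d != NULL && *font != 0) { *font = 0; fonts_freed++; }
}

/* Order from the report: destroy the dialog, then query it. */
static void teardown_reported(struct dialog_data *data)
{
    widget_destroy(data->dialog);
    if (data->old_font)
        free_font(widget_display(data->dialog), &data->old_font);
}

/* Reordered: use the dialog while it is alive, destroy it last. */
static void teardown_reordered(struct dialog_data *data)
{
    if (data->old_font)
        free_font(widget_display(data->dialog), &data->old_font);
    widget_destroy(data->dialog);
    data->dialog = NULL;  /* no dangling pointer left for later code */
}

/* Runs one teardown on fresh state and returns the stale-read count. */
static int run(void (*teardown)(struct dialog_data *))
{
    mock_display dpy = { 1 };
    mock_widget w = { &dpy, false };
    struct dialog_data data = { &w, 42 };
    stale_reads = fonts_freed = 0;
    teardown(&data);
    return stale_reads;
}
int main(void) { return !(run(teardown_reported) == 1 && run(teardown_reordered) == 0); }
```

In the real toolkit the read after `XtDestroyWidget()` is undefined behaviour and may appear to work, which is why a tool such as Valgrind is needed to catch it.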