ryo7000 skribis:
> Hi
>
> gVim crashes when operating as follows.
>
> gvim -u NONE -U NONE --noplugin --nofork -c "set guifont=Sans\ 10" -c vnew
>
> qa
> :tabnew
> :q
> q
> ...@a
>
> The cause of the crash is as follows.
>
> * tab_close_othertab
> * win_free_mem
> (A) vim_free(frp) <- Here, the memory area is freed.
> * win_free
> (B) gui_mch_destroy_scrollbar <- After this function is called,
> frame_minheight() is called from another context.
> (C) remove deleted tabpage from first_tabpage list.
>
> The value might be written into the memory area (tp->fr_win) freed in (A)
> during the processing of (C), and frame_minheight() is called after the
> function in (B); this becomes a memory violation through
> topfrp->fr_win->w_status_height, and it crashes there.
>
> The crash does not happen easily, depending on the font, but it seems
> comparatively easy to trigger with the Sans font.
> It hardly crashes after correcting it as follows.
>
> vim_free(frp);
> win_free(win, tp);
>
> to
>
> win_free(win, tp);
> vim_free(frp);
>
> Please fix this bug.
>
> Regards,
> ryo7000
Hi
I can reproduce the crash too, both with Vim-7.2.445 and
Vim-7.3a (2293:b9bc9c5df131) gui GTK2 (Linux x86).
When running with Valgrind, after a few minutes, I get the
following errors. The stack is deep and I had to modify
Valgrind to display the full stack:
==3615== Invalid read of size 4
==3615== at 0x81C7C9A: frame_minheight (window.c:3040)
==3615== by 0x81CBDB6: min_rows (window.c:6139)
==3615== by 0x81B6977: check_shellsize (term.c:3004)
==3615== by 0x81BA3B5: ui_get_shellsize (ui.c:307)
==3615== by 0x81B6AE0: set_shellsize (term.c:3099)
==3615== by 0x81B6A3D: shell_resized (term.c:3043)
==3615== by 0x81CDD89: gui_resize_shell (gui.c:1313)
==3615== by 0x81DC02C: form_configure_event (gui_gtk_x11.c:3590)
==3615== by 0x417A423: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x4746251: g_closure_invoke (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475A99C: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475BC32: g_signal_emit_valist (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475C255: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x42A7635: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x4173F3B: gtk_main_do_event (in
/usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x81E12CB: gtk_form_send_configure (gui_gtk_f.c:820)
==3615== by 0x81E07F7: gtk_form_size_allocate (gui_gtk_f.c:458)
==3615== by 0x4753437: g_cclosure_marshal_VOID__BOXED (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x47448B8: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x4746177: g_closure_invoke (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475A239: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475BDB3: g_signal_emit_valist (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475C255: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x42AC503: gtk_widget_size_allocate (in
/usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x40B4FB5: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x4753437: g_cclosure_marshal_VOID__BOXED (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x47448B8: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x4746177: g_closure_invoke (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475A239: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475BDB3: g_signal_emit_valist (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475C255: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x42AC503: gtk_widget_size_allocate (in
/usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x42BF2ED: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x4753437: g_cclosure_marshal_VOID__BOXED (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x47448B8: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x4746251: g_closure_invoke (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475A239: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475BDB3: g_signal_emit_valist (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475C255: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x42AC503: gtk_widget_size_allocate (in
/usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x42BF767: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x4753DCB: g_cclosure_marshal_VOID__VOID (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x47448B8: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x4746251: g_closure_invoke (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475A5E5: ??? (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475BDB3: g_signal_emit_valist (in
/usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x475C255: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.2400.1)
==3615== by 0x40E9709: gtk_container_check_resize (in
/usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x40E975F: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x4429357: ??? (in /usr/lib/libgdk-x11-2.0.so.0.2000.1)
==3615== by 0x47C8660: ??? (in /lib/libglib-2.0.so.0.2400.1)
==3615== by 0x47CA5E4: g_main_context_dispatch (in
/lib/libglib-2.0.so.0.2400.1)
==3615== by 0x47CE2D7: ??? (in /lib/libglib-2.0.so.0.2400.1)
==3615== by 0x47CE4B7: g_main_context_iteration (in
/lib/libglib-2.0.so.0.2400.1)
==3615== by 0x41741B2: gtk_main_iteration_do (in
/usr/lib/libgtk-x11-2.0.so.0.2000.1)
==3615== by 0x81DE9C9: gui_mch_update (gui_gtk_x11.c:5411)
==3615== by 0x81D448E: gui_mch_destroy_scrollbar (gui_gtk.c:774)
==3615== by 0x81C96D6: win_free (window.c:4405)
==3615== by 0x81C6EF3: win_free_mem (window.c:2368)
==3615== by 0x81C6E20: win_close_othertab (window.c:2328)
==3615== by 0x81C6A0E: win_close (window.c:2154)
==3615== by 0x80AD76C: ex_quit (ex_docmd.c:6347)
==3615== by 0x80A7A00: do_one_cmd (ex_docmd.c:2640)
==3615== by 0x80A52D9: do_cmdline (ex_docmd.c:1109)
==3615== by 0x812C680: nv_colon (normal.c:5234)
==3615== by 0x8125EE3: normal_cmd (normal.c:1188)
==3615== by 0x80E803C: main_loop (main.c:1252)
==3615== by 0x80E7A93: main (main.c:960)
==3615== Address 0x514b050 is 40 bytes inside a block of size 44 free'd
==3615== at 0x4024B8A: free (vg_replace_malloc.c:366)
==3615== by 0x8116F0A: vim_free (misc2.c:1702)
==3615== by 0x81C6EE1: win_free_mem (window.c:2367)
==3615== by 0x81C6E20: win_close_othertab (window.c:2328)
==3615== by 0x81C6A0E: win_close (window.c:2154)
==3615== by 0x80AD76C: ex_quit (ex_docmd.c:6347)
==3615== by 0x80A7A00: do_one_cmd (ex_docmd.c:2640)
==3615== by 0x80A52D9: do_cmdline (ex_docmd.c:1109)
==3615== by 0x812C680: nv_colon (normal.c:5234)
==3615== by 0x8125EE3: normal_cmd (normal.c:1188)
==3615== by 0x80E803C: main_loop (main.c:1252)
==3615== by 0x80E7A93: main (main.c:960)
(more errors after that)
I came to the same conclusion as you: inverting the 2 lines
window.c:2367 & window.c:2368 fixes it.
diff -r 2209060c340d src/window.c
--- a/src/window.c Sat Jul 10 17:51:46 2010 +0200
+++ b/src/window.c Sat Jul 10 22:27:30 2010 +0200
@@ -2364,8 +2364,8 @@
/* Remove the window and its frame from the tree of frames. */
frp = win->w_frame;
wp = winframe_remove(win, dirp, tp);
+ win_free(win, tp);
vim_free(frp);
- win_free(win, tp);
/* When deleting the current window of another tab page select a new
* current window. */
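Review bot: the swap fixes the stale read only because win_free(win, tp) now runs while frp is still allocated; win_free's callees (gui_mch_destroy_scrollbar, which reaches gui_mch_update per the Valgrind stack) still pump the GTK event loop in the middle of teardown, so a configure event can still run frame_minheight() over a frame tree that winframe_remove() has only partly relinked. Worth adding a one-line comment above `win_free(win, tp);` saying the order matters because the GUI teardown re-enters the main loop, so a later cleanup does not swap the two lines back, and confirming that nothing inside win_free() still dereferences win->w_frame now that the frame outlives it.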
Regards
-- Dominique
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
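The ordering bug in the thread, reduced to a stand-alone C model (added here, not Vim's code; names such as frame_alloc, close_window and destroy_scrollbar are assumed stand-ins). Freed frames are quarantined rather than handed back to malloc, so the read that Valgrind flags as "Invalid read" is counted deterministically instead of being undefined behaviour; `close_window(1)` reproduces the (A)-before-(B) order, `close_window(0)` the reordered fix.

```c
#include <stdlib.h>
/* Model of the win_free_mem ordering bug (assumed names, not Vim's code):
 * the frame is freed at (A) before a GUI teardown step (B) that pumps the
 * event loop and re-enters frame_minheight() over a tree still holding the
 * frame; (C) unlinks it only afterwards. Freed blocks are quarantined so
 * the stale read is reported instead of being undefined behaviour. */
typedef struct frame { struct frame *fr_next; int w_status_height; } frame_T;
enum { NBLK = 8 };
static struct { frame_T *p; int freed; } blk[NBLK];
static int nblk, stale_reads;
static frame_T *frame_alloc(int h) {
    frame_T *f = calloc(1, sizeof *f);
    f->w_status_height = h;
    blk[nblk].p = f; blk[nblk].freed = 0; nblk++;
    return f;
}
static void frame_free(frame_T *f) {            /* vim_free(frp) stand-in */
    for (int i = 0; i < nblk; i++) if (blk[i].p == f) blk[i].freed = 1;
}
static int is_freed(const frame_T *f) {
    for (int i = 0; i < nblk; i++) if (blk[i].p == f) return blk[i].freed;
    return 0;
}
/* frame_minheight() stand-in: sums status heights along the list. */
static int frame_minheight(const frame_T *top) {
    int h = 0;
    for (; top; top = top->fr_next) {
        if (is_freed(top)) stale_reads++;       /* Valgrind's "Invalid read" */
        h += top->w_status_height;
    }
    return h;
}
/* gui_mch_destroy_scrollbar() stand-in: a resize event arrives while the
 * event loop is pumped during teardown and walks the frame list. */
static void destroy_scrollbar(const frame_T *top) { (void)frame_minheight(top); }
/* Runs one window close in the given order and returns the number of
 * stale reads it caused: 1 for the original order, 0 for the fix. */
static int close_window(int free_before_destroy) {
    frame_T *top = frame_alloc(1), *frp = frame_alloc(1);
    top->fr_next = frp;                         /* tree still references frp */
    if (free_before_destroy) { frame_free(frp); destroy_scrollbar(top); } /* (A),(B) */
    else                     { destroy_scrollbar(top); frame_free(frp); } /* (B),(A) */
    top->fr_next = NULL;                        /* (C): unlink deleted frame */
    int n = stale_reads;
    for (int i = 0; i < nblk; i++) free(blk[i].p);   /* release the quarantine */
    nblk = stale_reads = 0;
    return n;
}
```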