[patch] fixed access to free memory when exiting Vim

Sat, 19 Nov 2011 11:28:53 -0800 

Hi

When building Vim-7.3.353 (huge) with -DEXITFREE, I see
that free memory is used when when quiting Vim:

==17154== Invalid read of size 4
==17154==    at 0x8059057: buf_freeall (buffer.c:570)
==17154==    by 0x8059A77: close_buffer (buffer.c:418)
==17154==    by 0x8108492: free_all_mem (misc2.c:1176)
==17154==    by 0x813E03C: mch_exit (os_unix.c:3138)
==17154==    by 0x80A6270: ex_quit (ex_docmd.c:6458)
==17154==    by 0x80AEB26: do_one_cmd (ex_docmd.c:2668)
==17154==    by 0x80AD047: do_cmdline (ex_docmd.c:1122)
==17154==    by 0x811EE0E: nv_colon (normal.c:5378)
==17154==    by 0x8120DF3: normal_cmd (normal.c:1193)
==17154==    by 0x81D0C16: main_loop (main.c:1263)
==17154==    by 0x81D405A: main (main.c:964)
==17154==  Address 0x4e08270 is 0 bytes inside a block of size 3,764 free'd
==17154==    at 0x4024E4A: free (vg_replace_malloc.c:366)
==17154==    by 0x81AF328: win_free (window.c:4456)
==17154==    by 0x81AF3DE: win_free_mem (window.c:2388)
==17154==    by 0x81AF468: win_free_all (window.c:2418)
==17154==    by 0x810845E: free_all_mem (misc2.c:1165)
==17154==    by 0x813E03C: mch_exit (os_unix.c:3138)
==17154==    by 0x80A6270: ex_quit (ex_docmd.c:6458)
==17154==    by 0x80AEB26: do_one_cmd (ex_docmd.c:2668)
==17154==    by 0x80AD047: do_cmdline (ex_docmd.c:1122)
==17154==    by 0x811EE0E: nv_colon (normal.c:5378)
==17154==    by 0x8120DF3: normal_cmd (normal.c:1193)
==17154==    by 0x81D0C16: main_loop (main.c:1263)
==17154==    by 0x81D405A: main (main.c:964)
(more errors after that)

It can be reproduced with:
  $ valgrind vim -u NONE -c q

Doing a bisection, I see that bug was introduced in Vim-7.3.306.

Attached patch fixes it.

Regards
-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

diff -r 379a6398d462 src/buffer.c
--- a/src/buffer.c	Wed Oct 26 23:48:21 2011 +0200
+++ b/src/buffer.c	Sat Nov 19 20:21:25 2011 +0100
@@ -567,7 +567,7 @@
     diff_buf_delete(buf);	    /* Can't use 'diff' for unloaded buffer. */
 #endif
 #ifdef FEAT_SYN_HL
-    if (curwin->w_buffer == buf)
+    if (firstwin != NULL && curwin->w_buffer == buf)
 	reset_synblock(curwin);	    /* remove any ownsyntax */
 #endif

Raspunde prin e-mail lui