Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 130 by [email protected]: vim is using freed memory when pasting with the mouse
http://code.google.com/p/vim/issues/detail?id=130

vim is using freed memory when pasting with the mouse in some circumstances.

What steps will reproduce the problem?

1. Create a vimrc-bug.txt file (which I tried to keep as small
   as possible) as follows:

$ cat > vimrc-bug.txt <<EOF
set nocompatible
set mouse=a
set laststatus=2

" Function used to display utf-8 sequence.
fun! ShowUtf8Sequence()
  try
    let p = getpos('.')
    redir => utfseq
    sil normal! g8
    redir End
    call setpos('.', p)
    return substitute(matchstr(utfseq, '\x\+ .*\x'), '\<\x', '0x&', 'g')
  catch
    return '?'
  endtry
endfunction

set statusline=%{ShowUtf8Sequence()}\         " utf-8 sequence
set statusline+=U+%04B\                       " Unicode char under cursor
EOF

2. Create a file bug.txt containing 2 lines with parenthesis as follows:

$ cat > bug.txt <<EOF
(
)
EOF


3. Run vim with valgrind:

$ valgrind --num-callers=50 --log-file=valgrind.log vim -u vimrc-bug.txt bug.txt


4. Press  A  in Vim to append at the end of the first line.


5. Copy some text with the mouse from another window,
   and press the middle button to paste inside Vim.


6. Observe in valgrind.log the following errors as soon as the
   text is pasted with the mouse:

==3572== Memcheck, a memory error detector
==3572== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==3572== Using Valgrind-3.9.0.SVN and LibVEX; rerun with -h for copyright info
==3572== Command: /home/dope/sb/vim/src/vim -u /home/dope/vimrc-bug.txt bug.txt
==3572== Parent PID: 3134
==3572==
==3572== Invalid read of size 1
==3572==    at 0x415F28: build_stl_str_hl (buffer.c:3959)
==3572==    by 0x55D2A4: win_redr_custom (screen.c:6595)
==3572==    by 0x55CC97: redraw_custom_statusline (screen.c:6382)
==3572==    by 0x55C73F: win_redr_status (screen.c:6244)
==3572==    by 0x55BC8D: redraw_statuslines (screen.c:5860)
==3572==    by 0x4325C3: ins_mouse (edit.c:9136)
==3572==    by 0x425948: edit (edit.c:1147)
==3572==    by 0x513E78: invoke_edit (normal.c:9224)
==3572==    by 0x513E11: nv_edit (normal.c:9197)
==3572==    by 0x505F1E: normal_cmd (normal.c:1199)
==3572==    by 0x4BCA4E: main_loop (main.c:1322)
==3572==    by 0x4BC397: main (main.c:1013)
==3572==  Address 0xdb031a0 is 0 bytes inside a block of size 25 free'd
==3572==    at 0x4C2B6F9: free (vg_replace_malloc.c:446)
==3572==    by 0x4F3FA5: vim_free (misc2.c:1744)
==3572==    by 0x4D1C54: ml_flush_line (memline.c:3481)
==3572==    by 0x4CF974: ml_get_buf (memline.c:2455)
==3572==    by 0x4E4740: plines_win_nofold (misc1.c:1947)
==3572==    by 0x4E46EB: plines_win_nofill (misc1.c:1928)
==3572==    by 0x4E4635: plines_win (misc1.c:1894)
==3572==    by 0x4F9DB1: comp_botline (move.c:95)
==3572==    by 0x4FA930: validate_botline (move.c:573)
==3572==    by 0x4FA1B9: update_topline (move.c:276)
==3572==    by 0x47DD86: update_topline_cursor (ex_docmd.c:9309)
==3572==    by 0x47E2EF: exec_normal_cmd (ex_docmd.c:9538)
==3572==    by 0x47E103: ex_normal (ex_docmd.c:9438)
==3572==    by 0x472AAD: do_one_cmd (ex_docmd.c:2684)
==3572==    by 0x470028: do_cmdline (ex_docmd.c:1122)
==3572==    by 0x4587CC: call_user_func (eval.c:22679)
==3572==    by 0x440437: call_func (eval.c:8506)
==3572==    by 0x43FFC2: get_func_tv (eval.c:8348)
==3572==    by 0x43B814: eval7 (eval.c:5164)
==3572==    by 0x43B0AD: eval6 (eval.c:4816)
==3572==    by 0x43AC1C: eval5 (eval.c:4632)
==3572==    by 0x43A01B: eval4 (eval.c:4325)
==3572==    by 0x439E68: eval3 (eval.c:4237)
==3572==    by 0x439CE7: eval2 (eval.c:4166)
==3572==    by 0x439B26: eval1 (eval.c:4091)
==3572==    by 0x439A85: eval0 (eval.c:4048)
==3572==    by 0x434AC6: eval_to_string (eval.c:1361)
==3572==    by 0x434C37: eval_to_string_safe (eval.c:1409)
==3572==    by 0x415B11: build_stl_str_hl (buffer.c:3859)
==3572==    by 0x55D2A4: win_redr_custom (screen.c:6595)
==3572==    by 0x55CC97: redraw_custom_statusline (screen.c:6382)
==3572==    by 0x55C73F: win_redr_status (screen.c:6244)
==3572==    by 0x55BC8D: redraw_statuslines (screen.c:5860)
==3572==    by 0x4325C3: ins_mouse (edit.c:9136)
==3572==    by 0x425948: edit (edit.c:1147)
==3572==    by 0x513E78: invoke_edit (normal.c:9224)
==3572==    by 0x513E11: nv_edit (normal.c:9197)
==3572==    by 0x505F1E: normal_cmd (normal.c:1199)
==3572==    by 0x4BCA4E: main_loop (main.c:1322)
==3572==    by 0x4BC397: main (main.c:1013)
==3572==
==3572== Invalid read of size 1
==3572==    at 0x50001D: utf_ptr2char (mbyte.c:1697)
==3572==    by 0x415F63: build_stl_str_hl (buffer.c:3964)
==3572==    by 0x55D2A4: win_redr_custom (screen.c:6595)
==3572==    by 0x55CC97: redraw_custom_statusline (screen.c:6382)
==3572==    by 0x55C73F: win_redr_status (screen.c:6244)
==3572==    by 0x55BC8D: redraw_statuslines (screen.c:5860)
==3572==    by 0x4325C3: ins_mouse (edit.c:9136)
==3572==    by 0x425948: edit (edit.c:1147)
==3572==    by 0x513E78: invoke_edit (normal.c:9224)
==3572==    by 0x513E11: nv_edit (normal.c:9197)
==3572==    by 0x505F1E: normal_cmd (normal.c:1199)
==3572==    by 0x4BCA4E: main_loop (main.c:1322)
==3572==    by 0x4BC397: main (main.c:1013)
==3572==  Address 0xdb031b8 is 24 bytes inside a block of size 25 free'd
==3572==    at 0x4C2B6F9: free (vg_replace_malloc.c:446)
==3572==    by 0x4F3FA5: vim_free (misc2.c:1744)
==3572==    by 0x4D1C54: ml_flush_line (memline.c:3481)
==3572==    by 0x4CF974: ml_get_buf (memline.c:2455)
==3572==    by 0x4E4740: plines_win_nofold (misc1.c:1947)
==3572==    by 0x4E46EB: plines_win_nofill (misc1.c:1928)
==3572==    by 0x4E4635: plines_win (misc1.c:1894)
==3572==    by 0x4F9DB1: comp_botline (move.c:95)
==3572==    by 0x4FA930: validate_botline (move.c:573)
==3572==    by 0x4FA1B9: update_topline (move.c:276)
==3572==    by 0x47DD86: update_topline_cursor (ex_docmd.c:9309)
==3572==    by 0x47E2EF: exec_normal_cmd (ex_docmd.c:9538)
==3572==    by 0x47E103: ex_normal (ex_docmd.c:9438)
==3572==    by 0x472AAD: do_one_cmd (ex_docmd.c:2684)
==3572==    by 0x470028: do_cmdline (ex_docmd.c:1122)
==3572==    by 0x4587CC: call_user_func (eval.c:22679)
==3572==    by 0x440437: call_func (eval.c:8506)
==3572==    by 0x43FFC2: get_func_tv (eval.c:8348)
==3572==    by 0x43B814: eval7 (eval.c:5164)
==3572==    by 0x43B0AD: eval6 (eval.c:4816)
==3572==    by 0x43AC1C: eval5 (eval.c:4632)
==3572==    by 0x43A01B: eval4 (eval.c:4325)
==3572==    by 0x439E68: eval3 (eval.c:4237)
==3572==    by 0x439CE7: eval2 (eval.c:4166)
==3572==    by 0x439B26: eval1 (eval.c:4091)
==3572==    by 0x439A85: eval0 (eval.c:4048)
==3572==    by 0x434AC6: eval_to_string (eval.c:1361)
==3572==    by 0x434C37: eval_to_string_safe (eval.c:1409)
==3572==    by 0x415B11: build_stl_str_hl (buffer.c:3859)
==3572==    by 0x55D2A4: win_redr_custom (screen.c:6595)
==3572==    by 0x55CC97: redraw_custom_statusline (screen.c:6382)
==3572==    by 0x55C73F: win_redr_status (screen.c:6244)
==3572==    by 0x55BC8D: redraw_statuslines (screen.c:5860)
==3572==    by 0x4325C3: ins_mouse (edit.c:9136)
==3572==    by 0x425948: edit (edit.c:1147)
==3572==    by 0x513E78: invoke_edit (normal.c:9224)
==3572==    by 0x513E11: nv_edit (normal.c:9197)
==3572==    by 0x505F1E: normal_cmd (normal.c:1199)
==3572==    by 0x4BCA4E: main_loop (main.c:1322)
==3572==    by 0x4BC397: main (main.c:1013)
==3572==
==3572== Invalid read of size 1
==3572==    at 0x500028: utf_ptr2char (mbyte.c:1698)
==3572==    by 0x415F63: build_stl_str_hl (buffer.c:3964)
==3572==    by 0x55D2A4: win_redr_custom (screen.c:6595)
==3572==    by 0x55CC97: redraw_custom_statusline (screen.c:6382)
==3572==    by 0x55C73F: win_redr_status (screen.c:6244)
==3572==    by 0x55BC8D: redraw_statuslines (screen.c:5860)
==3572==    by 0x4325C3: ins_mouse (edit.c:9136)
==3572==    by 0x425948: edit (edit.c:1147)
==3572==    by 0x513E78: invoke_edit (normal.c:9224)
==3572==    by 0x513E11: nv_edit (normal.c:9197)
==3572==    by 0x505F1E: normal_cmd (normal.c:1199)
==3572==    by 0x4BCA4E: main_loop (main.c:1322)
==3572==    by 0x4BC397: main (main.c:1013)
==3572==  Address 0xdb031b8 is 24 bytes inside a block of size 25 free'd
==3572==    at 0x4C2B6F9: free (vg_replace_malloc.c:446)
==3572==    by 0x4F3FA5: vim_free (misc2.c:1744)
==3572==    by 0x4D1C54: ml_flush_line (memline.c:3481)
==3572==    by 0x4CF974: ml_get_buf (memline.c:2455)
==3572==    by 0x4E4740: plines_win_nofold (misc1.c:1947)
==3572==    by 0x4E46EB: plines_win_nofill (misc1.c:1928)
==3572==    by 0x4E4635: plines_win (misc1.c:1894)
==3572==    by 0x4F9DB1: comp_botline (move.c:95)
==3572==    by 0x4FA930: validate_botline (move.c:573)
==3572==    by 0x4FA1B9: update_topline (move.c:276)
==3572==    by 0x47DD86: update_topline_cursor (ex_docmd.c:9309)
==3572==    by 0x47E2EF: exec_normal_cmd (ex_docmd.c:9538)
==3572==    by 0x47E103: ex_normal (ex_docmd.c:9438)
==3572==    by 0x472AAD: do_one_cmd (ex_docmd.c:2684)
==3572==    by 0x470028: do_cmdline (ex_docmd.c:1122)
==3572==    by 0x4587CC: call_user_func (eval.c:22679)
==3572==    by 0x440437: call_func (eval.c:8506)
==3572==    by 0x43FFC2: get_func_tv (eval.c:8348)
==3572==    by 0x43B814: eval7 (eval.c:5164)
==3572==    by 0x43B0AD: eval6 (eval.c:4816)
==3572==    by 0x43AC1C: eval5 (eval.c:4632)
==3572==    by 0x43A01B: eval4 (eval.c:4325)
==3572==    by 0x439E68: eval3 (eval.c:4237)
==3572==    by 0x439CE7: eval2 (eval.c:4166)
==3572==    by 0x439B26: eval1 (eval.c:4091)
==3572==    by 0x439A85: eval0 (eval.c:4048)
==3572==    by 0x434AC6: eval_to_string (eval.c:1361)
==3572==    by 0x434C37: eval_to_string_safe (eval.c:1409)
==3572==    by 0x415B11: build_stl_str_hl (buffer.c:3859)
==3572==    by 0x55D2A4: win_redr_custom (screen.c:6595)
==3572==    by 0x55CC97: redraw_custom_statusline (screen.c:6382)
==3572==    by 0x55C73F: win_redr_status (screen.c:6244)
==3572==    by 0x55BC8D: redraw_statuslines (screen.c:5860)
==3572==    by 0x4325C3: ins_mouse (edit.c:9136)
==3572==    by 0x425948: edit (edit.c:1147)
==3572==    by 0x513E78: invoke_edit (normal.c:9224)
==3572==    by 0x513E11: nv_edit (normal.c:9197)
==3572==    by 0x505F1E: normal_cmd (normal.c:1199)
==3572==    by 0x4BCA4E: main_loop (main.c:1322)
==3572==    by 0x4BC397: main (main.c:1013)


What is the expected output? What do you see instead?

Vim should not use freed memory.


What version of the product are you using? On what operating system?

Vim-7.3.905 on Linux x86_64 (huge, gtk2)

Please provide any additional information below.

It is not a recently introduced bug, as I could also
reproduce it with an older Vim-7.3.100 (I did try earlier version).

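The trace above shows one shape of bug: build_stl_str_hl holds a pointer into the current line, evaluates the statusline expression (eval_to_string_safe at buffer.c:3859), during which the `:normal g8` inside ShowUtf8Sequence() triggers ml_flush_line and frees that line, and then reads through the stale pointer (buffer.c:3959 and 3964). The following is an added example, not Vim's code and not part of the original report; the names (line_cache_t, cache_flush, status_unsafe, status_copy_first, status_refetch) are hypothetical. It models the pattern with a toy line cache and shows the two usual fixes: copy the bytes you need before handing control to user code, or re-fetch the pointer afterwards. The buggy variant uses a generation counter so the test can detect the dangling pointer without actually dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example with hypothetical names: a minimal model of the
 * pointer-invalidation pattern in the Valgrind trace, not Vim's own code. */

typedef struct {
    char *line;           /* heap storage for the current line (what ml_get_buf would hand out) */
    unsigned generation;  /* bumped whenever `line` is freed and re-stored */
} line_cache_t;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL)
        memcpy(d, s, n);
    return d;
}

/* Stands in for ml_flush_line(): the contents survive, the address does not. */
static void cache_flush(line_cache_t *c)
{
    char *fresh = dup_str(c->line);
    free(c->line);
    c->line = fresh;
    c->generation++;
}

/* The "statusline expression": user code that may or may not flush the line. */
typedef void (*expr_cb)(line_cache_t *c);
static void expr_that_flushes(line_cache_t *c) { cache_flush(c); }
static void expr_that_is_harmless(line_cache_t *c) { (void)c; }

/* Buggy shape: take the pointer, run the expression, read through the old
 * pointer.  The generation check turns the would-be use-after-free into a
 * detected failure (returns 1) instead of a read of freed memory; without
 * it this is exactly the invalid read in the trace. */
static int status_unsafe(line_cache_t *c, expr_cb expr, char *out, size_t outlen)
{
    const char *p = c->line;        /* pointer taken before evaluation */
    unsigned seen = c->generation;
    expr(c);                         /* like eval_to_string_safe() */
    if (seen != c->generation) {
        out[0] = '\0';               /* p is dangling: do not touch it */
        return 1;
    }
    snprintf(out, outlen, "0x%02x", (unsigned char)p[0]);
    return 0;
}

/* Fix A: copy the bytes you need by value before calling user code. */
static int status_copy_first(line_cache_t *c, expr_cb expr, char *out, size_t outlen)
{
    unsigned char byte = (unsigned char)c->line[0];
    expr(c);
    snprintf(out, outlen, "0x%02x", byte);
    return 0;
}

/* Fix B: treat any return from user code as invalidating and re-fetch. */
static int status_refetch(line_cache_t *c, expr_cb expr, char *out, size_t outlen)
{
    expr(c);
    const char *p = c->line;        /* fresh pointer after the callback */
    snprintf(out, outlen, "0x%02x", (unsigned char)p[0]);
    return 0;
}

int main(void)
{
    line_cache_t c = { dup_str("("), 0 };   /* constructed: the "(" line from bug.txt */
    char out[16];
    if (c.line == NULL)
        return 1;
    int stale = status_unsafe(&c, expr_that_flushes, out, sizeof out);
    printf("unsafe pattern: %s\n", stale ? "stale pointer detected" : out);
    status_copy_first(&c, expr_that_flushes, out, sizeof out);
    printf("copy-first:     %s\n", out);
    status_refetch(&c, expr_that_flushes, out, sizeof out);
    printf("re-fetch:       %s\n", out);
    free(c.line);
    return 0;
}
```

Which fix applies depends on the semantics wanted: copy-first is right when the value should reflect the state before the expression ran (the byte under the cursor at the moment the status line was requested), re-fetch when it should reflect the state after. Either way the rule is the same one Valgrind is enforcing here: a pointer obtained from the line store is not valid across any call that can run user-supplied code.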
