Hi Dominique,
2015-7-18(Sat) 22:28:11 UTC+9 Dominique Pelle:
> On Sat, Jul 18, 2015 at 1:13 PM, h_east wrote:
> > Hi Dominique,
> >
> > 2015-7-18(Sat) 14:40:28 UTC+9 Dominique Pelle:
> >> h_east wrote:
> >>
> >> > Hi Dominique!
> >> >
> >> > 2015-7-18(Sat) 9:38:45 UTC+9 Dominique Pelle:
> >> >> Bram Moolenaar <[email protected]> wrote:
> >> >>
> >> >> > Patch 7.4.786
> >> >> > Problem: It is not possible for a plugin to adjust to a changed
> >> >> > setting.
> >> >> > Solution: Add the OptionSet autocommand event. (Christian Brabandt)
> >> >>
> >> >> Hi
> >> >>
> >> >> This patch causes use of freed memory when running test10.
> >> >>
> >> >> changeset 6935:4db70c94226b -> crash in test 10 with asan
> >> >> changeset 6934:be7bd53ad376 -> no crash
> >>
> >> ....snip...
> >>
> >> > Could you try attached patch?
> >> >
> >> > --
> >> > Best regards,
> >> > Hirohito Higashi (a.k.a h_east)
> >>
> >> Hi Hirohito
> >>
> >> test10 still crashes after your patch, but the stack is then
> >> different after your patch:
> > ..snip..
> >
> > Thanks for confirming my patch!
> > # My environment does not crash in original 7.4.786. (fedora 20 64bit)
> >
> > I updated the patch.
> > Attached are the new patch and valgrind.test10.
> >
> > valgrind.test10 seems to say that there is still an error...
> > Excuse me. Could you try this patch again?
> >
> > Thanks.
> > --
> > Best regards,
> > Hirohito Higashi (a.k.a h_east)
>
>
> Hi Hirohito,
>
> I still see another use-after-free bug when running
> all tests after applying latest patch. It happens in test78:
..snip..
> Aborted (core dumped)
I think the attached patch corrects the crash problem.
Please confirm this.

Bram and Christian B>
When an error occurs in did_set_string_option(), the memory that the second
argument (varp) points to is freed and varp is reset to oldval's address. [*1]
So, the following code will cause a problem.
{
    *varp = s;
    ...
    did_set_string_option(opt_idx, varp, TRUE, oldval, NULL, ....
    ...
    set_vim_var_string(VV_OPTION_NEW, s, -1);
}
[*1]
option.c in did_set_string_option()
    /*
     * If error detected, restore the previous value.
     */
    if (errmsg != NULL)
    {
        if (new_value_alloced)
            free_string_option(*varp);
        *varp = oldval;
What do you think?
--
Best regards,
Hirohito Higashi (a.k.a h_east)
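
The pointer lifetime problem described in the message above, as an added example that is not part of the original message or of Vim's source. It is a reduced C model: `dup_str`, `model_did_set`, `set_and_report` and the rule that '!' is invalid are hypothetical, and freeing the old value on success is an assumption of the model.

```c
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *src)   /* hypothetical helper: heap copy */
{
    char *p = malloc(strlen(src) + 1);
    if (p == NULL) abort();
    return strcpy(p, src);
}

/* Hypothetical model of the setter. The new value is already stored in *varp.
 * On error it frees that value and restores oldval, like the quoted option.c
 * lines. On success it frees oldval (an assumption of this model). */
static const char *model_did_set(char **varp, char *oldval)
{
    if (strchr(*varp, '!') != NULL) {   /* constructed rule: '!' is invalid */
        free(*varp);                    /* caller's copy of this pointer dangles */
        *varp = oldval;
        return "invalid value";
    }
    free(oldval);                       /* caller's oldval dangles */
    return NULL;
}

/* Caller shaped like the patched code. Returns 1 when the strings it would
 * publish as the new and old option values match the expected ones. */
int set_and_report(const char *start, const char *request,
                   const char *expect_new, const char *expect_old)
{
    char *opt = dup_str(start);             /* option storage, i.e. *varp */
    char **varp = &opt;
    char *oldval = *varp;
    char *saved_oldval = dup_str(oldval);   /* copied before anything is freed */
    char *s = dup_str(request);
    int ok;
    *varp = s;
    (void)model_did_set(varp, oldval);
    /* Dangling now: s after an error, oldval after a success. Re-read *varp. */
    ok = strcmp(*varp, expect_new) == 0 && strcmp(saved_oldval, expect_old) == 0;
    free(saved_oldval);
    free(*varp);
    return ok;
}

int main(void)
{
    return !(set_and_report("dark", "light", "light", "dark") &&
             set_and_report("dark", "bad!", "dark", "dark"));
}
```

Building the model with -fsanitize=address and replacing `*varp` with `s` in the comparison makes the rejected case report a heap-use-after-free, which is the same class of report quoted earlier in the thread.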
diff --git a/src/option.c b/src/option.c
--- a/src/option.c
+++ b/src/option.c
@@ -4943,7 +4943,8 @@
sprintf((char *)buf_type, "%s",
(opt_flags & OPT_LOCAL) ? "local" : "global");
- set_vim_var_string(VV_OPTION_NEW, newval, -1);
+ set_vim_var_string(VV_OPTION_NEW,
+ *(char_u **)varp, -1);
set_vim_var_string(VV_OPTION_OLD, saved_origval, -1);
set_vim_var_string(VV_OPTION_TYPE, buf_type, -1);
apply_autocmds(EVENT_OPTIONSET,
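Review bot: The new argument `*(char_u **)varp` in the first set_vim_var_string() call needs a one-line comment saying why `newval` is no longer passed, because the reason given in the message (did_set_string_option() frees the new value and restores the old one in *varp on error) is not visible at this call site. The context shown here also has no error check before apply_autocmds(EVENT_OPTIONSET, ...); if this point can be reached after an error, the new-value variable will carry the restored old value, so please confirm the block is only entered when the set succeeded.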
@@ -5738,8 +5739,8 @@
char_u buf_type[7];
sprintf((char *)buf_type, "%s",
(opt_flags & OPT_LOCAL) ? "local" : "global");
- set_vim_var_string(VV_OPTION_NEW, s, -1);
- set_vim_var_string(VV_OPTION_OLD, oldval, -1);
+ set_vim_var_string(VV_OPTION_NEW, *varp, -1);
+ set_vim_var_string(VV_OPTION_OLD, saved_oldval, -1);
set_vim_var_string(VV_OPTION_TYPE, buf_type, -1);
apply_autocmds(EVENT_OPTIONSET, (char_u *)options[opt_idx].fullname, NULL, FALSE, NULL);
reset_v_option_vars();
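Review bot: `saved_oldval` on the added VV_OPTION_OLD line is not declared, assigned or freed anywhere in the hunks shown, so the patch cannot be checked as posted. Please include the lines that take the copy before did_set_string_option() is called, handle a failed allocation, and free the copy after reset_v_option_vars() on every path; otherwise this trades the use-after-free for a leak or a NULL dereference.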
diff --git a/src/testdir/Makefile b/src/testdir/Makefile
--- a/src/testdir/Makefile
+++ b/src/testdir/Makefile
@@ -9,7 +9,7 @@
# The output goes into a file "valgrind.testN"
# Vim should be compiled with EXITFREE to avoid false warnings.
# This will make testing about 10 times as slow.
-# VALGRIND = valgrind --tool=memcheck --leak-check=yes --num-callers=15 --log-file=valgrind.$*
+VALGRIND = valgrind --tool=memcheck --leak-check=yes --num-callers=15 --log-file=valgrind.$*
SCRIPTS = test1.out test2.out test3.out test4.out test5.out test6.out \
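Review bot: Uncommenting the `VALGRIND =` line turns valgrind on for every test run, which the comment directly above says makes testing about 10 times as slow and expects a build with EXITFREE. This looks like a local debugging setting and should be dropped from the fix; anyone reproducing the report can enable it locally.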