Hi

afl-fuzz found this case which causes vim-8.0.81 and older to use freed memory:
$ cat >use-free-mem.vim <<EOF
tabedit X
tabfirst
copen
only
echo win_getid(1, 1)
EOF
$ valgrind vim -u NONE -S use-free-mem.vim -cqa 2> vg.log

And vg.log contains:

==11501== Memcheck, a memory error detector
==11501== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11501== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==11501== Command: vim -u NONE -S use-free-mem.vim -cqa
==11501== 
==11501== Invalid read of size 4
==11501==    at 0x635043: win_getid (window.c:7140)
==11501==    by 0x45DCE8: f_win_getid (evalfunc.c:5253)
==11501==    by 0x44C39D: call_internal_func (evalfunc.c:999)
==11501==    by 0x61F27D: call_func (userfunc.c:1372)
==11501==    by 0x61EB33: get_func_tv (userfunc.c:455)
==11501==    by 0x44B205: eval7 (eval.c:4343)
==11501==    by 0x44A85E: eval6 (eval.c:3977)
==11501==    by 0x44A424: eval5 (eval.c:3793)
==11501==    by 0x44977A: eval4 (eval.c:3492)
==11501==    by 0x449589: eval3 (eval.c:3409)
==11501==    by 0x43F2C9: eval2 (eval.c:3341)
==11501==    by 0x43ACF2: eval1 (eval.c:3269)
==11501==  Address 0x759ed90 is 0 bytes inside a block of size 6,256 free'd
==11501==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==11501==    by 0x50CF6D: vim_free (misc2.c:1727)
==11501==    by 0x62C607: win_free (window.c:4693)
==11501==    by 0x62F72D: win_free_mem (window.c:2573)
==11501==    by 0x629BB2: win_close (window.c:2420)
==11501==    by 0x630239: close_others (window.c:3372)
==11501==    by 0x4921C3: ex_only (ex_docmd.c:7556)
==11501==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==11501==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==11501==    by 0x47D1D8: do_source (ex_cmds2.c:4111)
==11501==    by 0x47C856: cmd_source (ex_cmds2.c:3724)
==11501==    by 0x47C8AB: ex_source (ex_cmds2.c:3699)
==11501==  Block was alloc'd at
==11501==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==11501==    by 0x50C84A: lalloc (misc2.c:942)
==11501==    by 0x50C9D7: alloc_clear (misc2.c:864)
==11501==    by 0x62C11A: win_alloc (window.c:4493)
==11501==    by 0x630469: win_alloc_firstwin (window.c:3472)
==11501==    by 0x6303D0: win_alloc_first (window.c:3430)
==11501==    by 0x649158: common_init (main.c:983)
==11501==    by 0x648B8A: main (main.c:173)
==11501== 
==11501== 
==11501== HEAP SUMMARY:
==11501==     in use at exit: 104,856 bytes in 428 blocks
==11501==   total heap usage: 6,712 allocs, 6,284 frees, 745,664 bytes allocated
==11501== 
==11501== LEAK SUMMARY:
==11501==    definitely lost: 5,336 bytes in 3 blocks
==11501==    indirectly lost: 43,698 bytes in 64 blocks
==11501==      possibly lost: 0 bytes in 0 blocks
==11501==    still reachable: 55,822 bytes in 361 blocks
==11501==         suppressed: 0 bytes in 0 blocks
==11501== Rerun with --leak-check=full to see details of leaked memory
==11501== 
==11501== For counts of detected and suppressed errors, rerun with: -v
==11501== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Regards
Dominique
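When a fuzzer like afl-fuzz turns up many crashing inputs, the useful triage step is to reduce each Memcheck report to the three stacks that characterise a use-after-free: where the freed block was touched, where it was freed, and where it was allocated. The following parser is an added example, not part of Dominique's report or of Vim's own code; it assumes only the Memcheck output format shown above, and the embedded sample log is the report's vg.log trimmed to the error block and the summary. The first frame that is not inside Valgrind's allocator replacement (vg_replace_malloc.c) is taken as the program-side site for each stack, which gives a stable key for deduplicating findings.

```python
"""Triage helper for Valgrind Memcheck logs (added example; assumes nothing
beyond the Memcheck output format shown in the report above)."""
import re
from dataclasses import dataclass, field

FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<loc>[^)]*)\)$"
)
ERROR_RE = re.compile(r"^==\d+== Invalid (?P<kind>read|write) of size (?P<size>\d+)$")
SUMMARY_RE = re.compile(r"^==\d+== ERROR SUMMARY: (?P<errors>\d+) errors? from (?P<ctx>\d+) contexts?")
PREFIX_RE = re.compile(r"^==\d+==\s*")


@dataclass
class Frame:
    func: str
    loc: str  # "file.c:line" or "in /path/to/lib.so"


@dataclass
class InvalidAccess:
    kind: str                 # "read" or "write"
    size: int                 # bytes accessed
    access: list = field(default_factory=list)        # stack of the invalid access
    freed_at: list = field(default_factory=list)      # stack of the free() that released the block
    allocated_at: list = field(default_factory=list)  # stack of the original allocation


def parse_memcheck(log: str) -> list:
    """Return one InvalidAccess per 'Invalid read/write' error block in the log."""
    findings = []
    current = None   # error block being filled, or None between blocks
    target = None    # which of the three stacks frames currently belong to
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = InvalidAccess(m["kind"], int(m["size"]))
            findings.append(current)
            target = current.access
            continue
        if current is None:
            continue
        body = PREFIX_RE.sub("", line)
        if "free'd" in body:          # "Address ... inside a block of size N free'd"
            target = current.freed_at
        elif "alloc'd" in body:       # "Block was alloc'd at"
            target = current.allocated_at
        elif body == "":              # empty "==PID==" line terminates the error block
            current = None
            target = None
        else:
            fm = FRAME_RE.match(line)
            if fm is not None:
                target.append(Frame(fm["func"], fm["loc"]))
    return findings


def program_frame(stack: list, skip_files=("vg_replace_malloc.c",)):
    """First frame that is not Valgrind's own malloc/free replacement."""
    for fr in stack:
        if not fr.loc.startswith(skip_files):
            return fr
    return None


def uaf_signature(finding: InvalidAccess) -> tuple:
    """Dedup key: (access site, free site, alloc site) as file:line strings."""
    sites = (program_frame(finding.access),
             program_frame(finding.freed_at),
             program_frame(finding.allocated_at))
    return tuple(fr.loc if fr is not None else None for fr in sites)


def error_count(log: str):
    """Number of errors from the ERROR SUMMARY line, or None if absent."""
    for line in log.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            return int(m["errors"])
    return None


# Sample input: the vg.log from the report above, trimmed to the error block and summary.
SAMPLE_LOG = """\
==11501== Memcheck, a memory error detector
==11501== Command: vim -u NONE -S use-free-mem.vim -cqa
==11501== 
==11501== Invalid read of size 4
==11501==    at 0x635043: win_getid (window.c:7140)
==11501==    by 0x45DCE8: f_win_getid (evalfunc.c:5253)
==11501==    by 0x44C39D: call_internal_func (evalfunc.c:999)
==11501==    by 0x61F27D: call_func (userfunc.c:1372)
==11501==  Address 0x759ed90 is 0 bytes inside a block of size 6,256 free'd
==11501==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==11501==    by 0x50CF6D: vim_free (misc2.c:1727)
==11501==    by 0x62C607: win_free (window.c:4693)
==11501==    by 0x62F72D: win_free_mem (window.c:2573)
==11501==    by 0x629BB2: win_close (window.c:2420)
==11501==    by 0x630239: close_others (window.c:3372)
==11501==    by 0x4921C3: ex_only (ex_docmd.c:7556)
==11501==  Block was alloc'd at
==11501==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==11501==    by 0x50C84A: lalloc (misc2.c:942)
==11501==    by 0x50C9D7: alloc_clear (misc2.c:864)
==11501==    by 0x62C11A: win_alloc (window.c:4493)
==11501== 
==11501== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""

if __name__ == "__main__":
    for f in parse_memcheck(SAMPLE_LOG):
        print(f"{f.kind} of {f.size} bytes; signature {uaf_signature(f)}")
```

Keying on file:line rather than on raw addresses matters because addresses change between builds and ASLR layouts, whereas the (win_getid, vim_free, lalloc) triple identifies this bug across the many afl inputs that reach it.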