Hi

afl-fuzz found this case which causes use of free memory in vim-8.0563 and older:

$ cat bug.vim
set efm=E,%W%m,
cgetexpr ['C']
set efm=%C%m
lexpr '0'
lopen
call setqflist([], 'r')
caddbuf

$ valgrind vim -u NONE -N -S bug.vim 2> vg.log

And vg.log contains:

==21721== Memcheck, a memory error detector
==21721== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21721== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==21721== Command: vim -u NONE -N -S bug.vim
==21721==
==21721== Invalid read of size 8
==21721==    at 0x507F0E: qf_parse_line (quickfix.c:1053)
==21721==    by 0x507F0E: qf_init_ext (quickfix.c:1258)
==21721==    by 0x50DFDB: ex_cbuffer (quickfix.c:5046)
==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
==21721==    by 0x4573B9: do_source (ex_cmds2.c:4313)
==21721==    by 0x456BF8: cmd_source (ex_cmds2.c:3926)
==21721==    by 0x456BF8: ex_source (ex_cmds2.c:3901)
==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
==21721==    by 0x5D34EC: exe_commands (main.c:2923)
==21721==    by 0x5D34EC: vim_main2 (main.c:790)
==21721==    by 0x5D1E09: main (main.c:419)
==21721==  Address 0x76d23a0 is 48 bytes inside a block of size 64 free'd
==21721==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==21721==    by 0x5083C1: qf_free (quickfix.c:2740)
==21721==    by 0x50DC8B: qf_add_entries (quickfix.c:4733)
==21721==    by 0x50DC8B: set_errorlist (quickfix.c:4965)
==21721==    by 0x4445EB: set_qf_ll_list (evalfunc.c:10083)
==21721==    by 0x435896: call_internal_func (evalfunc.c:991)
==21721==    by 0x5AC4D5: call_func (userfunc.c:1446)
==21721==    by 0x5AC029: get_func_tv (userfunc.c:455)
==21721==    by 0x5B0506: ex_call (userfunc.c:3062)
==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
==21721==    by 0x4573B9: do_source (ex_cmds2.c:4313)
==21721==    by 0x456BF8: cmd_source (ex_cmds2.c:3926)
==21721==    by 0x456BF8: ex_source (ex_cmds2.c:3901)
==21721==  Block was alloc'd at
==21721==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==21721==    by 0x4C69F7: lalloc (misc2.c:942)
==21721==    by 0x508766: qf_add_entry (quickfix.c:1444)
==21721==    by 0x507E59: qf_init_ext (quickfix.c:1267)
==21721==    by 0x50E229: ex_cexpr (quickfix.c:5115)
==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
==21721==    by 0x4573B9: do_source (ex_cmds2.c:4313)
==21721==    by 0x456BF8: cmd_source (ex_cmds2.c:3926)
==21721==    by 0x456BF8: ex_source (ex_cmds2.c:3901)
==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
==21721==    by 0x5D34EC: exe_commands (main.c:2923)
==21721==    by 0x5D34EC: vim_main2 (main.c:790)

(several more errors after that)

Doing a git bisection, I see that it's a regression introduced by patch 7.4.1980:

===
commit 361c8f0e517e41f1f1d34dae328044406fde80ac
Author: Bram Moolenaar <[email protected]>
Date:   Sat Jul 2 15:41:47 2016 +0200

    patch 7.4.1980
    Problem:    'errorformat' is parsed for every call to ":caddexpr". Can't add
                to two location lists asynchronously.
    Solution:   Keep the previously parsed data when appropriate. (mostly by
                Yegappan Lakshmanan)
===

Regards
Dominique
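Added example, not code from the report or from vim: a small C model of the pattern the trace shows, a parser that keeps a pointer to the last list entry across calls (the "previously parsed data" kept since 7.4.1980) while setqflist() frees and replaces the list underneath it. It adds a generation counter so the stale pointer is detected and refused instead of dereferenced; all names (qflist_t, parse_state_t, scenario) are invented for the illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model (not vim's code): a list whose parser caches a pointer
 * to the last entry between calls so continuation lines can be appended. */
typedef struct entry { char text[64]; struct entry *next; } entry_t;
typedef struct {
    entry_t *head, *last;
    unsigned generation;   /* incremented each time the list is freed/replaced */
} qflist_t;
typedef struct {           /* parser state that survives between calls */
    entry_t *last_entry;   /* raw pointer into the list: dangles after a free */
    unsigned generation;   /* list generation the pointer was captured under */
} parse_state_t;
static void list_free(qflist_t *l) {
    entry_t *e = l->head;
    while (e) { entry_t *n = e->next; free(e); e = n; }
    l->head = l->last = NULL;
    l->generation++;       /* every cached pointer is now stale */
}
static entry_t *list_add(qflist_t *l, const char *text) {
    entry_t *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    strncpy(e->text, text, sizeof e->text - 1);
    if (l->last) l->last->next = e; else l->head = e;
    return l->last = e;
}
static void parse_begin(qflist_t *l, parse_state_t *st, const char *text) {
    st->last_entry = list_add(l, text);
    st->generation = l->generation;
}
/* Append a continuation line to the cached entry: 1 on success, 0 if the cached
 * pointer is stale. Without the generation check this reads inside a freed block. */
static int parse_continuation(qflist_t *l, parse_state_t *st, const char *line) {
    if (!st->last_entry || st->generation != l->generation) return 0;
    strncat(st->last_entry->text, line,
            sizeof st->last_entry->text - strlen(st->last_entry->text) - 1);
    return 1;
}
/* Replays the report: cgetexpr creates an entry, setqflist([], 'r') replaces the
 * list (replace=1), caddbuf then continues the cached entry. Returns 1 when the
 * stale state was refused; with replace=0 (control) 1 means it was appended. */
static int scenario(int replace, char *out, size_t outlen) {
    qflist_t l = {0}; parse_state_t st = {0};
    parse_begin(&l, &st, "C");
    if (replace) list_free(&l);
    int appended = parse_continuation(&l, &st, "0");
    strncpy(out, l.head ? l.head->text : "", outlen - 1); out[outlen - 1] = '\0';
    list_free(&l);
    return replace ? !appended : appended;
}
```

Running the same sequence under valgrind with the generation check removed reproduces a read inside a freed block, which is the signature to look for in the trace above.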
