On Sun, 25 Nov 2018, James McCoy wrote:
> On Sun, Nov 25, 2018 at 07:19:52AM +0100, Bram Moolenaar wrote:
> >
> > James McCoy wrote:
> >
> > > On Thu, Sep 13, 2018 at 01:11:44PM +0200, Christian Brabandt wrote:
> > > >
> > > > On Thu, 13 Sep 2018, 'Jonathon Fernyhough' via vim_use wrote:
> > > >
> > > > > On 13/09/2018 10:14, Christian Brabandt wrote:
> > > > > > Are you sure this version includes the patch for 8.1.349? I am a bit
> > > > > > confused because of the version number:
> > > > > > vim_2%3A8.1.0349+really.v8.1.0369-0
> > > > >
> > > > > Yes, it's really version 8.1.369.
> > > > >
> > > > > This specific package is built using Launchpad's Recipes feature [1]
> > > > > which combines the debian/ packaging files from one git repo [2] with
> > > > > the upstream sources from another [3]. This feature triggers automatic
> > > > > builds when there's a change.
> > > > >
> > > > > The Recipes feature only allows certain values to be used in the
> > > > > generated version number [4], one of which is the Git tag, but because
> > > > > tags start with a "v" I have to hack the versioning slightly. The last
> > > > > version I refreshed the packaging files for was 8.1.349 so that forms
> > > > > the version number "root", the upstream tag provides the "really"
> > > > > version number (with leading "v").
> > > > >
> > > > > It's essentially a CI system for packaging which is quite handy for
> > > > > Vim's release model.
> > > > >
> > > > > J
> > > > >
> > > > > [1] https://code.launchpad.net/~jonathonf/+recipe/vim-daily
> > > > > [2] https://code.launchpad.net/~jonathonf/+git/vim-packaging/+ref/master
> > > > > [3] https://code.launchpad.net/~jonathonf/vim/+git/vim-upstream/+ref/master
> > > > > [4] https://help.launchpad.net/Packaging/SourceBuilds/Recipes#Version_numbers_and_substitution_variables
> > > >
> > > > That is interesting. It might actually be a bug that Vim is handling the
> > > > callback command when it should not. However to fix that, it would be
> > > > great to have it reproducible.
> > >
> > > I've been running into the same crash, both in the CI for Debian's Vim
> > > packaging[0] and when I run the build locally in sbuild.
> > >
> > > It seems to oscillate between an ml_get() error or a SEGV with a
> > > backtrace like this:
> > >
> > > (gdb) bt -46
> > > #5 0x0000562880d202ac in deathtrap (sigarg=11) at os_unix.c:1191
> > > #6 <signal handler called>
> > > #7 0x0000562880e6d1c5 in mf_get (mfp=0x1011, nr=1, page_count=1) at memfile.c:418
> > > #8 0x0000562880cbb22c in ml_find_line (buf=0x562881a0d910, lnum=1, action=19) at memline.c:3699
> > > #9 0x0000562880cb8cac in ml_get_buf (buf=0x562881a0d910, lnum=1, will_change=0) at memline.c:2528
> > > #10 0x0000562880cc677b in plines_win_nofold (wp=0x562881a4db40, lnum=1) at misc1.c:2174
> > > #11 0x0000562880cc6725 in plines_win_nofill (wp=0x562881a4db40, lnum=1, winheight=1) at misc1.c:2157
> > > #12 0x0000562880cdf380 in curs_rows (wp=0x562881a4db40) at move.c:752
> > > #13 0x0000562880cdfa4e in curs_columns (may_scroll=1) at move.c:967
> > > #14 0x0000562880bfacf6 in edit (cmdchar=111, startln=1, count=1) at edit.c:501
> > > #15 0x0000562880cfa990 in invoke_edit (cap=0x7ffcf871a3b0, repl=0, cmd=111, startln=1) at normal.c:9238
> > > #16 0x0000562880cf9654 in n_opencmd (cap=0x7ffcf871a3b0) at normal.c:8524
> > > #17 0x0000562880cfb406 in nv_open (cap=0x7ffcf871a3b0) at normal.c:9599
> > > #18 0x0000562880ceb6f9 in normal_cmd (oap=0x7ffcf871a430, toplevel=1) at normal.c:1121
> > > #19 0x0000562880c6563f in exec_normal (was_typed=1, use_vpeekc=0, may_use_terminal_loop=1) at ex_docmd.c:10509
> > > #20 0x0000562880c24b6b in f_feedkeys (argvars=0x7ffcf871a8c0, rettv=0x7ffcf871aaa0) at evalfunc.c:3648
> > > #21 0x0000562880c1ff68 in call_internal_func (name=0x562881a0d4a0 "feedkeys", argcount=2, argvars=0x7ffcf871a8c0, rettv=0x7ffcf871aaa0) at evalfunc.c:1084
> > > #22 0x0000562880deb7cd in call_func (funcname=0x5628819fb1e0 "feedkeys", len=8, rettv=0x7ffcf871aaa0, argcount_in=2, argvars_in=0x7ffcf871a8c0, argv_func=0x0, firstline=1, lastline=1, doesrange=0x7ffcf871aa68, evaluate=1, partial=0x0, selfdict_in=0x0) at userfunc.c:1507
> > > #23 0x0000562880de940d in get_func_tv (name=0x5628819fb1e0 "feedkeys", len=8, rettv=0x7ffcf871aaa0, arg=0x7ffcf871aa70, firstline=1, lastline=1, doesrange=0x7ffcf871aa68, evaluate=1, partial=0x0, selfdict=0x0) at userfunc.c:455
> > > #24 0x0000562880def8ab in ex_call (eap=0x7ffcf871ab90) at userfunc.c:3171
> > > #25 0x0000562880c565ad in do_one_cmd (cmdlinep=0x7ffcf871add0, sourcing=1, cstack=0x7ffcf871aec0, fgetline=0x562880defd19 <get_func_line>, cookie=0x5628819fecc0) at ex_docmd.c:2525
> > > #26 0x0000562880c53a18 in do_cmdline (cmdline=0x0, fgetline=0x562880defd19 <get_func_line>, cookie=0x5628819fecc0, flags=7) at ex_docmd.c:1036
> > > #27 0x0000562880dea709 in call_user_func (fp=0x562881a3f3a0, argcount=0, argvars=0x7ffcf871ba40, rettv=0x7ffcf871bc20, firstline=1, lastline=1, selfdict=0x0) at userfunc.c:954
> > > #28 0x0000562880deb733 in call_func (funcname=0x562881a03500 "Test_exit_cb_wipes_buf", len=22, rettv=0x7ffcf871bc20, argcount_in=0, argvars_in=0x7ffcf871ba40, argv_func=0x0, firstline=1, lastline=1, doesrange=0x7ffcf871bbe8, evaluate=1, partial=0x0, selfdict_in=0x0) at userfunc.c:1488
> > > #29 0x0000562880de940d in get_func_tv (name=0x562881a03500 "Test_exit_cb_wipes_buf", len=22, rettv=0x7ffcf871bc20, arg=0x7ffcf871bbf0, firstline=1, lastline=1, doesrange=0x7ffcf871bbe8, evaluate=1, partial=0x0, selfdict=0x0) at userfunc.c:455
> > > #30 0x0000562880def8ab in ex_call (eap=0x7ffcf871bd10) at userfunc.c:3171
> > > #31 0x0000562880c565ad in do_one_cmd (cmdlinep=0x7ffcf871bf50, sourcing=1, cstack=0x7ffcf871c040, fgetline=0x562880defd19 <get_func_line>, cookie=0x5628819e1aa0) at ex_docmd.c:2525
> > > #32 0x0000562880c53a18 in do_cmdline (cmdline=0x5628819f9db0 "call Test_exit_cb_wipes_buf()", fgetline=0x562880defd19 <get_func_line>, cookie=0x5628819e1aa0, flags=3) at ex_docmd.c:1036
> > > #33 0x0000562880c1b316 in ex_execute (eap=0x7ffcf871c600) at eval.c:8183
> > > #34 0x0000562880c565ad in do_one_cmd (cmdlinep=0x7ffcf871c840, sourcing=1, cstack=0x7ffcf871c930, fgetline=0x562880defd19 <get_func_line>, cookie=0x5628819e1aa0) at ex_docmd.c:2525
> > > #35 0x0000562880c53a18 in do_cmdline (cmdline=0x0, fgetline=0x562880defd19 <get_func_line>, cookie=0x5628819e1aa0, flags=7) at ex_docmd.c:1036
> > > #36 0x0000562880dea709 in call_user_func (fp=0x5628819e8c60, argcount=1, argvars=0x7ffcf871d4b0, rettv=0x7ffcf871d690, firstline=1, lastline=1, selfdict=0x0) at userfunc.c:954
> > > #37 0x0000562880deb733 in call_func (funcname=0x562881a4b980 "RunTheTest", len=10, rettv=0x7ffcf871d690, argcount_in=1, argvars_in=0x7ffcf871d4b0, argv_func=0x0, firstline=1, lastline=1, doesrange=0x7ffcf871d658, evaluate=1, partial=0x0, selfdict_in=0x0) at userfunc.c:1488
> > > #38 0x0000562880de940d in get_func_tv (name=0x562881a4b980 "RunTheTest", len=10, rettv=0x7ffcf871d690, arg=0x7ffcf871d660, firstline=1, lastline=1, doesrange=0x7ffcf871d658, evaluate=1, partial=0x0, selfdict=0x0) at userfunc.c:455
> > > #39 0x0000562880def8ab in ex_call (eap=0x7ffcf871d780) at userfunc.c:3171
> > > #40 0x0000562880c565ad in do_one_cmd (cmdlinep=0x7ffcf871d9c0, sourcing=1, cstack=0x7ffcf871dab0, fgetline=0x562880c54612 <get_loop_line>, cookie=0x7ffcf871da50) at ex_docmd.c:2525
> > > #41 0x0000562880c53a18 in do_cmdline (cmdline=0x5628819bf900 "\" This script is sourced while editing the .vim file with the tests.", fgetline=0x562880c5198e <getsourceline>, cookie=0x7ffcf871e020, flags=7) at ex_docmd.c:1036
> > > #42 0x0000562880c51550 in do_source (fname=0x5628819e3dd3 "runtest.vim", check_other=0, is_vimrc=0) at ex_cmds2.c:4615
> > > #43 0x0000562880c50afd in cmd_source (fname=0x5628819e3dd3 "runtest.vim", eap=0x7ffcf871e210) at ex_cmds2.c:4229
> > > #44 0x0000562880c50a45 in ex_source (eap=0x7ffcf871e210) at ex_cmds2.c:4204
> > > #45 0x0000562880c565ad in do_one_cmd (cmdlinep=0x7ffcf871e450, sourcing=1, cstack=0x7ffcf871e540, fgetline=0x0, cookie=0x0) at ex_docmd.c:2525
> > > #46 0x0000562880c53a18 in do_cmdline (cmdline=0x5628819e5ef0 "so runtest.vim", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1036
> > > #47 0x0000562880c53016 in do_cmdline_cmd (cmd=0x5628819e5ef0 "so runtest.vim") at ex_docmd.c:637
> > > #48 0x0000562880e6a627 in exe_commands (parmp=0x562880f1e580 <params>) at main.c:2964
> > > #49 0x0000562880e6734e in vim_main2 () at main.c:814
> > > #50 0x0000562880e66bc0 in main (argc=13, argv=0x7ffcf871ebc8) at main.c:441
> > >
> > > In ml_get_buf(), the memory pointed to by buf is already junk:
> > >
> > > (gdb) p buf->b_ml
> > > $14 = {ml_line_count = 64, ml_mfp = 0x41, ml_flags = -2120272080,
> > >   ml_stack = 0x4a4a526a562d6d69, ml_stack_top = 1769353075, ml_stack_size = 775433581,
> > >   ml_line_lnum = 8299908937590779441,
> > >   ml_line_ptr = 0x672d6d69762f6372 <error: Cannot access memory at address 0x672d6d69762f6372>,
> > >   ml_locked = 0x747365742f336b74, ml_locked_low = 7498084, ml_locked_high = 4049,
> > >   ml_locked_lineadd = -1843846480, ml_chunksize = 0x562881a4ebc0,
> > >   ml_numchunks = -2119898176, ml_usedchunks = 22056}
> > >
> > > If we go up a few frames to curs_column(), then curwin is valid:
> > >
> > > (gdb) f 13
> > > #13 0x0000562880cdfa4e in curs_columns (may_scroll=1) at move.c:967
> > > 967         curs_rows(curwin);
> > > (gdb) p curwin->w_id
> > > $20 = 1000
> > > (gdb) p curwin
> > > $24 = (win_T *) 0x5628819de9c0
> > >
> > > However, the next frame down wp isn't pointing at the same memory and
> > > has garbage:
> > >
> > > (gdb) down
> > > #12 0x0000562880cdf380 in curs_rows (wp=0x562881a4db40) at move.c:752
> > > 752         wp->w_cline_row += plines_win_nofill(wp, lnum++, TRUE)
> > > (gdb) p wp
> > > $27 = (win_T *) 0x562881a4db40
> > > (gdb) p wp->w_id
> > > $28 = -2119882880
> > >
> > > [0]: https://salsa.debian.org/vim-team/vim/-/jobs/84811
> >
> > Hmm, so it's some kind of memory corruption. There are too many stack
> > frames to guess what is happening. Can you run this with ASAN, so that
> > it should fail the moment the memory corruption happens?
>
> Here's what ASAN detects:
>
> =================================================================
> ==15879==ERROR: AddressSanitizer: heap-use-after-free on address 0x624000060200 at pc 0x0000008e86db bp 0x7ffe0ac21860 sp 0x7ffe0ac21858
> READ of size 4 at 0x624000060200 thread T0
>     #0 0x8e86da in curs_rows src/vim-gtk3/move.c:695:11
>     #1 0x8e4745 in curs_columns src/vim-gtk3/move.c:967:2
>     #2 0x599568 in edit src/vim-gtk3/edit.c:501:5
>     #3 0x965f77 in invoke_edit src/vim-gtk3/normal.c:9238:9
>     #4 0x9676fd in n_opencmd src/vim-gtk3/normal.c:8524:6
>     #5 0x94c189 in nv_open src/vim-gtk3/normal.c:9599:2
>     #6 0x916bf2 in normal_cmd src/vim-gtk3/normal.c:1121:5
>     #7 0x713f64 in exec_normal src/vim-gtk3/ex_docmd.c:10509:6
>     #8 0x636e1c in f_feedkeys src/vim-gtk3/evalfunc.c:3648:3
>     #9 0x625746 in call_internal_func src/vim-gtk3/evalfunc.c:1084:5
>     #10 0xcd200a in call_func src/vim-gtk3/userfunc.c:1507:14
>     #11 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #12 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #13 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #14 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #15 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #16 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #17 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #18 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #19 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #20 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #21 0x608626 in ex_execute src/vim-gtk3/eval.c:8183:6
>     #22 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #23 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #24 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #25 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #26 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #27 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #28 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #29 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #30 0x6d5ab9 in do_source src/vim-gtk3/ex_cmds2.c:4615:5
>     #31 0x6d350e in cmd_source src/vim-gtk3/ex_cmds2.c:4229:14
>     #32 0x6d3b1c in ex_source src/vim-gtk3/ex_cmds2.c:4204:2
>     #33 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #34 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #35 0x6e4613 in do_cmdline_cmd src/vim-gtk3/ex_docmd.c:637:12
>     #36 0xeb0e18 in exe_commands src/vim-gtk3/main.c:2964:2
>     #37 0xeada6f in vim_main2 src/vim-gtk3/main.c:814:2
>     #38 0xea5621 in main src/vim-gtk3/main.c:441:12
>     #39 0x7f5aef7e9b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
>     #40 0x465cd9 in _start (/<<PKGBUILDDIR>>/src/vim-gtk3/vim+0x465cd9)
>
> 0x624000060200 is located 256 bytes inside of 7440-byte region [0x624000060100,0x624000061e10)
> freed by thread T0 here:
>     #0 0x50d442 in __interceptor_free (/<<PKGBUILDDIR>>/src/vim-gtk3/vim+0x50d442)
>     #1 0x8c156b in vim_free src/vim-gtk3/misc2.c:1833:2
>     #2 0xcffef6 in win_free src/vim-gtk3/window.c:4748:2
>     #3 0xd0ae65 in win_free_mem src/vim-gtk3/window.c:2600:5
>     #4 0xcf5440 in win_close src/vim-gtk3/window.c:2445:10
>     #5 0x54a5ff in do_buffer src/vim-gtk3/buffer.c:1436:10
>     #6 0x54e959 in do_bufdel src/vim-gtk3/buffer.c:1185:32
>     #7 0x71ead9 in ex_bunload src/vim-gtk3/ex_docmd.c:5621:19
>     #8 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #9 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #10 0x608626 in ex_execute src/vim-gtk3/eval.c:8183:6
>     #11 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #12 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #13 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #14 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #15 0xe678df in job_cleanup src/vim-gtk3/channel.c:5311:2
>     #16 0xe69404 in job_check_ended src/vim-gtk3/channel.c:5530:2
>     #17 0x8d8c21 in parse_queued_messages src/vim-gtk3/misc2.c:6389:5
>     #18 0x9f8134 in mch_inchar src/vim-gtk3/os_unix.c:394:6
>     #19 0xc9e1e5 in ui_inchar src/vim-gtk3/ui.c:157:11
>     #20 0x7de299 in inchar src/vim-gtk3/getchar.c:3093:8
>     #21 0x7ef154 in vgetorpeek src/vim-gtk3/getchar.c:2875:7
>     #22 0x7e53db in vpeekc src/vim-gtk3/getchar.c:1869:12
>     #23 0x7f001a in char_avail src/vim-gtk3/getchar.c:1925:14
>     #24 0xacb296 in redrawing src/vim-gtk3/screen.c:10833:18
>     #25 0x8e8683 in curs_rows src/vim-gtk3/move.c:694:21
>     #26 0x8e4745 in curs_columns src/vim-gtk3/move.c:967:2
>     #27 0x599568 in edit src/vim-gtk3/edit.c:501:5
>     #28 0x965f77 in invoke_edit src/vim-gtk3/normal.c:9238:9
>     #29 0x9676fd in n_opencmd src/vim-gtk3/normal.c:8524:6
>
> previously allocated by thread T0 here:
>     #0 0x50d7c3 in __interceptor_malloc (/<<PKGBUILDDIR>>/src/vim-gtk3/vim+0x50d7c3)
>     #1 0x8c070f in lalloc src/vim-gtk3/misc2.c:969:21
>     #2 0x8c0877 in alloc_clear src/vim-gtk3/misc2.c:891:9
>     #3 0xcfedeb in win_alloc src/vim-gtk3/window.c:4559:23
>     #4 0xcfb039 in win_split_ins src/vim-gtk3/window.c:1016:11
>     #5 0xcf25da in win_split src/vim-gtk3/window.c:753:12
>     #6 0x70e272 in ex_splitview src/vim-gtk3/ex_docmd.c:8415:14
>     #7 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #8 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #9 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #10 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #11 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #12 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #13 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #14 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #15 0x608626 in ex_execute src/vim-gtk3/eval.c:8183:6
>     #16 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #17 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #18 0xcd611f in call_user_func src/vim-gtk3/userfunc.c:954:5
>     #19 0xcd1e80 in call_func src/vim-gtk3/userfunc.c:1488:7
>     #20 0xcd08be in get_func_tv src/vim-gtk3/userfunc.c:455:8
>     #21 0xce66a3 in ex_call src/vim-gtk3/userfunc.c:3171:6
>     #22 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #23 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #24 0x6d5ab9 in do_source src/vim-gtk3/ex_cmds2.c:4615:5
>     #25 0x6d350e in cmd_source src/vim-gtk3/ex_cmds2.c:4229:14
>     #26 0x6d3b1c in ex_source src/vim-gtk3/ex_cmds2.c:4204:2
>     #27 0x6ee22d in do_one_cmd src/vim-gtk3/ex_docmd.c:2525:2
>     #28 0x6e0ccb in do_cmdline src/vim-gtk3/ex_docmd.c:1036:17
>     #29 0x6e4613 in do_cmdline_cmd src/vim-gtk3/ex_docmd.c:637:12
>
> SUMMARY: AddressSanitizer: heap-use-after-free src/vim-gtk3/move.c:695:11 in curs_rows
> Shadow bytes around the buggy address:
>   0x0c4880003ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4880004000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4880004010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4880004020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4880004030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c4880004040:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4880004050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4880004060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4880004070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4880004080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4880004090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable: 00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone: fa
>   Freed heap region: fd
>   Stack left redzone: f1
>   Stack mid redzone: f2
>   Stack right redzone: f3
>   Stack after return: f5
>   Stack use after scope: f8
>   Global redzone: f9
>   Global init order: f6
>   Poisoned by user: f7
>   Container overflow: fc
>   Array cookie: ac
>   Intra object redzone: bb
>   ASan internal: fe
>   Left alloca redzone: ca
>   Right alloca redzone: cb
>   Shadow gap: cc
> ==15879==ABORTING

This looks very similar to the crash posted here:
https://github.com/vim/vim/pull/2107#issuecomment-418816582

I guess the redrawing() function is being called again, that triggers
the win_free() and will make curwin invalid. Perhaps we do need a patch
similar to this one
https://github.com/vim/vim/pull/2107#issuecomment-418882802

Best regards
Christian
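
The failure mode in the ASAN report above, a window pointer held across a call that can run a job exit callback and free that window, reduced to a stand-alone C program. This is an added example, not code from Vim or from this thread; `struct win`, `poll_input`, `rows_unchecked`, `rows_checked` and every other name are hypothetical. The checked form re-resolves the window by id after the re-entrant call instead of trusting the saved pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for an editor's window list; every name is hypothetical. */
struct win { int id; int cline_row; struct win *next; };
static struct win *first_win;     /* live windows */
static void (*exit_cb)(void);     /* pending job exit callback, if any */

static struct win *win_new(int id) {
    struct win *w = calloc(1, sizeof *w);
    if (w == NULL) abort();
    w->id = id;
    w->next = first_win;
    first_win = w;
    return w;
}

static struct win *win_find(int id) {
    struct win *w = first_win;
    while (w != NULL && w->id != id) w = w->next;
    return w;
}

static void win_close_id(int id) {
    struct win **pp = &first_win;
    while (*pp != NULL && (*pp)->id != id) pp = &(*pp)->next;
    struct win *dead = *pp;
    if (dead != NULL) { *pp = dead->next; free(dead); }  /* unlink, free */
}

/* Stands in for the input poll that ran the exit callback in the report. */
static void poll_input(void) {
    void (*cb)(void) = exit_cb;
    exit_cb = NULL;
    if (cb != NULL) cb();
}

/* Unchecked: wp is held across poll_input(), which may free it. Not called. */
int rows_unchecked(struct win *wp) {
    poll_input();
    return ++wp->cline_row;       /* touches freed memory if wp was closed */
}

/* Checked: keep the id, re-resolve the window after the re-entrant call. */
int rows_checked(struct win *wp) {
    int id = wp->id;
    poll_input();
    wp = win_find(id);
    if (wp == NULL) return -1;    /* closed by the callback: bail out */
    return ++wp->cline_row;
}

static void close_win_2(void) { win_close_id(2); }
/* Runs rows_checked() on window 2; the callback may close it mid-call. */
int demo(int close_during_poll) {
    struct win *w2 = win_new(2);
    exit_cb = close_during_poll ? close_win_2 : NULL;
    int r = rows_checked(w2);
    win_close_id(2);              /* no-op if the callback already did it */
    return r;
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```

Building with `-fsanitize=address` and calling `rows_unchecked` in place of `rows_checked` in `demo(1)` produces the same class of heap-use-after-free report as the one quoted in the thread.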
