Dominique Pelle wrote:

> pansz wrote:
> 
> > The related things:
> >
> > About my system:
> > Linux pansz-pc 2.6.24-26-generic #1 SMP Tue Dec 1 18:37:31 UTC 2009 i686
> > GNU/Linux Ubuntu 8.04.3 LTS
> >
> > About vim:
> >
> > VIM - Vi IMproved 7.2 (2008 Aug 9, compiled Jan 21 2010 14:23:52)
> > Included patches: 1-327
> > Compiled by p...@pansz-pc
> > Big version with GTK2 GUI.
> > Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -DFEAT_GUI_GTK
> > -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0
> > -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0
> > -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12
> > -I/usr/include/pixman-1 -O2 -g -march=native -mfpmath=sse -DNDEBUG
> > Linking: gcc -L/usr/local/lib -o vim -lgtk-x11-2.0 -lgdk-x11-2.0
> > -latk-1.0 -lgdk_pixbuf-2.0 -lpangocairo-1.0 -lpango-1.0 -lcairo
> > -lgobject-2.0 -lgmodule-2.0 -lglib-2.0 -lXt -lm -lncurses -lselinux
> > -lacl -lgpm
> >
> > About myvimrc:
> > set nocompatible
> > set encoding=utf-8
> > set fileencodings=ucs-bom,utf-8,euc-cn,cp936,gb18030,latin1
> > set noloadplugins
> > runtime plugin/vimim.vim
> >
> > About the plugin:
> > http://vimim.googlecode.com/svn/trunk/plugin/vimim.vim
> >
> > The operation:
> > vim -u myvimrc
> > press i to enter insert mode
> > press <Ctrl-\> and hold it for several seconds (depending on your PC, it may
> > crash within 3 to 60 seconds)
> > Vim will now catch SIGSEGV and dump core.
> >
> > Here is the backtrace:
> >
> > (gdb) bt
> > #0  0xb7f33410 in __kernel_vsyscall ()
> > #1  0xb775b4b6 in kill () from /lib/tls/i686/cmov/libc.so.6
> > #2  0x0812b2ca in may_core_dump () at os_unix.c:3101
> > #3  0x0812d0e5 in mch_exit (r=1) at os_unix.c:3066
> > #4  0x080f0460 in preserve_exit () at misc1.c:8392
> > #5  <signal handler called>
> > #6  0xb77a348d in memmove () from /lib/tls/i686/cmov/libc.so.6
> > #7  0x081846e8 in set_input_buf (p=0x82524c8 "\004") at ui.c:1592
> > #8  0x080c7209 in vgetorpeek (advance=1) at getchar.c:2454
> > #9  0x080c7f36 in vgetc () at getchar.c:1559
> > #10 0x080c844a in safe_vgetc () at getchar.c:1764
> > #11 0x0806b5d6 in edit (cmdchar=73, startln=0, count=0) at edit.c:717
> > #12 0x08113023 in normal_cmd (oap=0xbfde8cfc, toplevel=1) at normal.c:1367
> > #13 0x080d6fd6 in main_loop (cmdwin=0, noexmode=0) at main.c:1211
> > #14 0x080da5ce in main (argc=Cannot access memory at address 0x1
> > ) at main.c:955
> 
> 
> Hi
> 
> I can reproduce the bug with Vim-7.2.344 on Linux
> following your indications. Pressing <C-\> just once
> is enough to detect a bug using the Valgrind memory
> checker (write to freed memory), even if it may not
> cause a crash immediately:
> 
> ==8346== Invalid write of size 1
> ==8346==    at 0x80824D6: call_func (eval.c:8203)
> ==8346==    by 0x8085E83: get_func_tv (eval.c:7971)
> ==8346==    by 0x8084752: eval7 (eval.c:5019)
> ==8346==    by 0x80849E3: eval6 (eval.c:4686)
> ==8346==    by 0x8084C2B: eval5 (eval.c:4502)
> ==8346==    by 0x8085009: eval4 (eval.c:4197)
> ==8346==    by 0x808597B: eval3 (eval.c:4109)
> ==8346==    by 0x8085ABB: eval1 (eval.c:4038)
> ==8346==    by 0x8086CAC: eval0 (eval.c:3920)
> ==8346==    by 0x808708B: eval_to_string (eval.c:1302)
> ==8346==    by 0x80CCC21: eval_map_expr (getchar.c:4458)
> ==8346==    by 0x80CFA0E: vgetorpeek (getchar.c:2449)
> ==8346==    by 0x80D058D: vgetc (getchar.c:1559)
> ==8346==    by 0x80D0A9A: safe_vgetc (getchar.c:1764)
> ==8346==    by 0x806D5C4: edit (edit.c:717)
> ==8346==    by 0x811C083: invoke_edit (normal.c:8909)
> ==8346==    by 0x811DC01: nv_open (normal.c:8223)
> ==8346==    by 0x8123084: normal_cmd (normal.c:1188)
> ==8346==    by 0x80E28E6: main_loop (main.c:1211)
> ==8346==    by 0x80E5E21: main (main.c:955)
> ==8346==  Address 0x503d8ce is 22 bytes inside a block of size 25 free'd
> ==8346==    at 0x4024B82: free (vg_replace_malloc.c:366)
> ==8346==    by 0x80D255A: do_map (getchar.c:3519)
> ==8346==    by 0x80A63D9: do_exmap (ex_docmd.c:8056)
> ==8346==    by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
> ==8346==    by 0x80A9727: do_cmdline (ex_docmd.c:1096)
> ==8346==    by 0x8081B4C: call_user_func (eval.c:21320)
> ==8346==    by 0x80823BC: call_func (eval.c:8125)
> ==8346==    by 0x8085E83: get_func_tv (eval.c:7971)
> ==8346==    by 0x808B460: ex_call (eval.c:3343)
> ==8346==    by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
> ==8346==    by 0x80A9727: do_cmdline (ex_docmd.c:1096)
> ==8346==    by 0x8081B4C: call_user_func (eval.c:21320)
> ==8346==    by 0x80823BC: call_func (eval.c:8125)
> ==8346==    by 0x8085E83: get_func_tv (eval.c:7971)
> ==8346==    by 0x808B460: ex_call (eval.c:3343)
> ==8346==    by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
> ==8346==    by 0x80A9727: do_cmdline (ex_docmd.c:1096)
> ==8346==    by 0x8081B4C: call_user_func (eval.c:21320)
> ==8346==    by 0x80823BC: call_func (eval.c:8125)
> ==8346==    by 0x8085E83: get_func_tv (eval.c:7971)
> ==8346==    by 0x808B460: ex_call (eval.c:3343)
> ==8346==    by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
> ==8346==    by 0x80A9727: do_cmdline (ex_docmd.c:1096)
> ==8346==    by 0x8081B4C: call_user_func (eval.c:21320)
> ==8346==    by 0x80823BC: call_func (eval.c:8125)
> ==8346==    by 0x8085E83: get_func_tv (eval.c:7971)
> ==8346==    by 0x808B460: ex_call (eval.c:3343)
> ==8346==    by 0x80AB2CD: do_one_cmd (ex_docmd.c:2627)
> ==8346==    by 0x80A9727: do_cmdline (ex_docmd.c:1096)
> ==8346==    by 0x8081B4C: call_user_func (eval.c:21320)
> ==8346==    by 0x80823BC: call_func (eval.c:8125)
> ==8346==    by 0x8085E83: get_func_tv (eval.c:7971)
> ==8346==    by 0x8084752: eval7 (eval.c:5019)
> ==8346==    by 0x80849E3: eval6 (eval.c:4686)
> ==8346==    by 0x8084C2B: eval5 (eval.c:4502)
> ==8346==    by 0x8085009: eval4 (eval.c:4197)
> ==8346==    by 0x808597B: eval3 (eval.c:4109)
> ==8346==    by 0x8085ABB: eval1 (eval.c:4038)
> ==8346==    by 0x8086CAC: eval0 (eval.c:3920)
> ==8346==    by 0x808708B: eval_to_string (eval.c:1302)
> (several other errors after that)
> 
> eval.c:
> 
>  8125       call_user_func(fp, argcount, argvars, rettv,
>  8126                                  firstline, lastline,
>  8127                     (fp->uf_flags & FC_DICT) ? selfdict : NULL);
>  ....
>  8203     name[len] = cc;   <------- Write to freed memory
> 
> It's still unclear to me how to fix it though.

I haven't looked at all of this, but it seems the problem is that an
expression mapping is being evaluated, which then redefines that same
mapping.  The solution would then be to make a copy of the mapping
before evaluating the expression.  That's not efficient.  Another
solution is to disallow changing a mapping that is being used.  That is
more difficult and disables some functionality.  Yet another solution is
to postpone setting the new mapping until it has finished evaluation (we
do something similar for autocommands).  That's even more complicated...

-- 
All true wisdom is found on T-shirts.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
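The reentrancy Bram describes, as an added C illustration that is not Vim's code: a constructed one-entry mapping table, a mapped function that redefines that mapping while it is being evaluated (so the old right-hand side is freed underneath the evaluator, as in the Valgrind report), and the "copy before evaluating" fix beside the vulnerable shape. All names (`mapping_expr`, `define_expr_mapping`, `eval_expr_mapping_*`) are invented for the example.

```c
#include <stdlib.h>
#include <string.h>
static char *copy_str(const char *s)          /* portable strdup() */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Constructed stand-in for Vim's mapping table: one <expr> mapping whose RHS
 * is a call expression such as "MyFunc()". */
static char *mapping_expr;

void define_expr_mapping(const char *expr)    /* like ":inoremap <expr> ..." */
{
    free(mapping_expr);                       /* the old RHS string is freed */
    mapping_expr = copy_str(expr);
}
const char *current_mapping(void) { return mapping_expr; }

/* The mapped function: as in the report, it redefines the mapping being evaluated. */
static int call_user_func(const char *name)
{
    define_expr_mapping("OtherFunc()");
    return strcmp(name, "MyFunc") == 0;
}

/* Vulnerable shape (not called here): NUL-terminate the name in place for the
 * lookup, call through the live table pointer, then write the saved byte back. */
void eval_expr_mapping_unsafe(void)
{
    char *name = mapping_expr;
    size_t len = strcspn(name, "(");
    char cc = name[len]; name[len] = '\0';    /* save '(' and terminate the name */
    call_user_func(name);                     /* frees mapping_expr */
    name[len] = cc;                           /* write to freed memory */
}

/* Hardened shape: evaluate a private copy, so redefinition cannot free it. */
int eval_expr_mapping_safe(void)
{
    char *name = copy_str(mapping_expr);
    if (name == NULL) return -1;
    size_t len = strcspn(name, "(");
    char cc = name[len]; name[len] = '\0';    /* same save-and-terminate step */
    int r = call_user_func(name);             /* frees the table entry only */
    name[len] = cc;                           /* restores into our own buffer */
    free(name);
    return r;
}
```

Under Valgrind or AddressSanitizer the unsafe variant reports the same "invalid write of size 1 into a freed block" shape seen above; the safe variant pays one copy per evaluation, which is the inefficiency Bram notes for this option.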
