54182 Re: Fix for crash in eval.c

  • Nico Weber
    May 5, 2009
      Hi Bram

      On 05.05.2009, at 03:41, Bram Moolenaar wrote:

      > Nico Weber wrote:
      >
      >> Valgrind memory checker finds several errors in vim-7.2 (patches
      >> 1-148) with the reproduction steps described at http://groups.google.com/group/vim_mac/browse_thread/thread/4e0149ff4f84e3d3:
      >>
      >> ==33469== Invalid read of size 4
      >> ==33469== at 0x2D451: dict_unref (eval.c:6709)
      >> ==33469== by 0x3E4E7: clear_tv (eval.c:18558)
      >> ==33469== by 0x3F09B: vars_clear_ext (eval.c:18994)
      >> ==33469== by 0x4382B: free_funccal (eval.c:21466)
      >> ==33469== by 0x2D240: garbage_collect (eval.c:6595)
      >> ==33469== by 0x8D92E: before_blocking (getchar.c:1473)
      >> ==33469== by 0x10764F: mch_inchar (os_unix.c:385)
      >> ==33469== by 0x176A06: ui_inchar (ui.c:193)
      >> ==33469== by 0x8FFD1: inchar (getchar.c:2959)
      >> ==33469== by 0x8FB64: vgetorpeek (getchar.c:2735)
      >> ==33469== by 0x8DAA3: vgetc (getchar.c:1552)
      >> ==33469== by 0x8E05D: safe_vgetc (getchar.c:1757)
      >> ==33469== Address 0x7c290f0 is 0 bytes inside a block of size 176 free'd
      >> ==33469== at 0x25661B: free (vg_replace_malloc.c:322)
      >> ==33469== by 0xCDBDC: vim_free (misc2.c:1638)
      >> ==33469== by 0x2D59B: dict_free (eval.c:6753)
      >> ==33469== by 0x2D176: garbage_collect (eval.c:6559)
      >> ==33469== by 0x8D92E: before_blocking (getchar.c:1473)
      >> ==33469== by 0x10764F: mch_inchar (os_unix.c:385)
      >> ==33469== by 0x176A06: ui_inchar (ui.c:193)
      >> ==33469== by 0x8FFD1: inchar (getchar.c:2959)
      >> ==33469== by 0x8FB64: vgetorpeek (getchar.c:2735)
      >> ==33469== by 0x8DAA3: vgetc (getchar.c:1552)
      >> ==33469== by 0x8E05D: safe_vgetc (getchar.c:1757)
      >> ==33469== by 0xDC89D: normal_cmd (normal.c:653)
      >> ==33469==
      >> ==33469== Invalid write of size 4
      >> ==33469== at 0x2D459: dict_unref (eval.c:6709)
      >> ==33469== by 0x3E4E7: clear_tv (eval.c:18558)
      >> ==33469== by 0x3F09B: vars_clear_ext (eval.c:18994)
      >> ==33469== by 0x4382B: free_funccal (eval.c:21466)
      >> ==33469== by 0x2D240: garbage_collect (eval.c:6595)
      >> ==33469== by 0x8D92E: before_blocking (getchar.c:1473)
      >> ==33469== by 0x10764F: mch_inchar (os_unix.c:385)
      >> ==33469== by 0x176A06: ui_inchar (ui.c:193)
      >> ==33469== by 0x8FFD1: inchar (getchar.c:2959)
      >> ==33469== by 0x8FB64: vgetorpeek (getchar.c:2735)
      >> ==33469== by 0x8DAA3: vgetc (getchar.c:1552)
      >> ==33469== by 0x8E05D: safe_vgetc (getchar.c:1757)
      >> ==33469== Address 0x7c290f0 is 0 bytes inside a block of size 176 free'd
      >> ==33469== at 0x25661B: free (vg_replace_malloc.c:322)
      >> ==33469== by 0xCDBDC: vim_free (misc2.c:1638)
      >> ==33469== by 0x2D59B: dict_free (eval.c:6753)
      >> ==33469== by 0x2D176: garbage_collect (eval.c:6559)
      >> ==33469== by 0x8D92E: before_blocking (getchar.c:1473)
      >> ==33469== by 0x10764F: mch_inchar (os_unix.c:385)
      >> ==33469== by 0x176A06: ui_inchar (ui.c:193)
      >> ==33469== by 0x8FFD1: inchar (getchar.c:2959)
      >> ==33469== by 0x8FB64: vgetorpeek (getchar.c:2735)
      >> ==33469== by 0x8DAA3: vgetc (getchar.c:1552)
      >> ==33469== by 0x8E05D: safe_vgetc (getchar.c:1757)
      >> ==33469== by 0xDC89D: normal_cmd (normal.c:653)
      >>
      > I'm very glad you managed to pinpoint the problem and fix it.
      > I'll check the details and include the patch.
      > Thanks!

      as Dominique pointed out, while this patch fixes a double free(), it
      introduces a memory leak. The leak is smaller in the improved patch,
      but it's still there. Now, a leak is arguably better than a crash, but
      I wouldn't include this patch yet :-/

      If you happen to know why the dicts copied by foo.vim are not freed
      with the second version of my patch, that would be great. Else, I will
      take another look next weekend.

      Nico

      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
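The Valgrind trace in the quoted message shows a dict being freed by garbage_collect() and then touched again by dict_unref() when a function call's variables are cleared, and the reply notes that a fix which merely avoids the double free can trade the crash for a leak. The following constructed model, added here as an example and not Vim's code, reproduces that trade-off with a tiny reference-counted dict and a mark-and-sweep collector. The names dict_T, var_T, dict_unref and garbage_collect are borrowed loosely from the trace, but every structure and behaviour is an assumption made for the illustration; in particular, the GC_SKIP_REFERENCED mode is a stand-in for a conservative "never free something still referenced" fix, not the patch discussed in the thread. dict_free() tombstones instead of calling free(), so the use-after-free and the leak are visible as plain counters without needing Valgrind.

```c
/*
 * Constructed model (not Vim's code) of the bug class in the Valgrind trace:
 * a mark-and-sweep collector frees reference-counted dicts that its mark
 * phase did not reach.  If a variable holder (the function-call local in the
 * trace) is not handed to the collector as a root, its dict is freed while the
 * variable still points at it, and clearing the variable later touches freed
 * memory.  dict_free() tombstones instead of calling free(), so both the
 * use-after-free and the leak show up as counters.
 */
#include <stdio.h>
#include <stdlib.h>

typedef struct dict_S {
    int refcount;          /* references held by variables and other dicts */
    int copyID;            /* stamp of the collection that last reached us */
    int freed;             /* tombstone: 1 once the dict has been "freed" */
    struct dict_S *item;   /* one contained dict reference (enough for a cycle) */
    struct dict_S *next;   /* list of every dict ever allocated */
} dict_T;

typedef struct { dict_T *dict; } var_T;                 /* one variable slot */
typedef struct { int use_after_free; int leaked; } result_T;

enum { GC_BUGGY, GC_SKIP_REFERENCED, GC_ALL_ROOTS };     /* collector modes */

static dict_T *all_dicts;
static int current_copyID;
static int uaf_count;      /* dict_unref() calls that hit a tombstoned dict */

static dict_T *dict_alloc(void)
{
    dict_T *d = calloc(1, sizeof(*d));
    if (d == NULL) abort();
    d->next = all_dicts;
    all_dicts = d;
    return d;
}

/* Tombstone instead of free() so a later touch is observable, not UB. */
static void dict_free(dict_T *d) { d->freed = 1; }

static void dict_unref(dict_T *d)
{
    if (d == NULL) return;
    if (d->freed) { uaf_count++; return; }   /* Valgrind's "invalid read/write" */
    if (--d->refcount <= 0) dict_free(d);
}

static void var_set(var_T *v, dict_T *d) { d->refcount++; v->dict = d; }
static void var_clear(var_T *v) { dict_unref(v->dict); v->dict = NULL; }

/* Mark phase: follow contained references until a dict is already stamped,
 * which is what terminates the walk on a cycle. */
static void mark_dict(dict_T *d)
{
    while (d != NULL && !d->freed && d->copyID != current_copyID) {
        d->copyID = current_copyID;
        d = d->item;
    }
}

/* Sweep: free every unmarked dict.  skip_referenced models a conservative fix
 * that never frees a dict whose refcount is positive: no crash, but a
 * reference cycle can then never be reclaimed. */
static void garbage_collect(var_T **roots, int nroots, int skip_referenced)
{
    dict_T *d;
    int i;
    ++current_copyID;
    for (i = 0; i < nroots; ++i) mark_dict(roots[i]->dict);
    for (d = all_dicts; d != NULL; d = d->next)
        if (!d->freed && d->copyID != current_copyID
                && !(skip_referenced && d->refcount > 0))
            dict_free(d);
}

static int count_live(void)
{
    int n = 0;
    dict_T *d;
    for (d = all_dicts; d != NULL; d = d->next) if (!d->freed) n++;
    return n;
}

static void reset(void)
{
    while (all_dicts != NULL) { dict_T *d = all_dicts; all_dicts = d->next; free(d); }
    uaf_count = 0;
}

/* Dicts a <-> b form a cycle and a function-local variable also holds a.
 * Collect, clear the local (as free_funccal does in the trace), collect
 * again, and report what happened. */
result_T run_scenario(int mode)
{
    var_T local = { NULL };
    var_T *roots[1];
    int nroots = (mode == GC_ALL_ROOTS) ? 1 : 0;   /* is the local a root? */
    int skip = (mode == GC_SKIP_REFERENCED);
    result_T r;
    dict_T *a, *b;

    reset();
    a = dict_alloc();
    b = dict_alloc();
    a->item = b; b->refcount++;
    b->item = a; a->refcount++;
    var_set(&local, a);                /* a->refcount == 2, b->refcount == 1 */
    roots[0] = &local;

    garbage_collect(roots, nroots, skip);
    var_clear(&local);
    garbage_collect(roots, nroots, skip);

    r.use_after_free = uaf_count;
    r.leaked = count_live();
    reset();
    return r;
}

int main(void)
{
    static const char *names[] = { "buggy", "skip-referenced", "all-roots" };
    int mode;
    for (mode = GC_BUGGY; mode <= GC_ALL_ROOTS; ++mode) {
        result_T r = run_scenario(mode);
        printf("%-16s use-after-free=%d leaked=%d\n", names[mode],
               r.use_after_free, r.leaked);
    }
    return 0;
}
```

Built with `cc -Wall model.c`, the buggy mode reports one use-after-free and no leak, the skip-referenced mode reports no use-after-free but two leaked dicts (the cycle is never reclaimed), and the all-roots mode reports neither, because the collector only frees what no live variable can reach. Replacing the tombstone in dict_free() with a real free() turns the buggy mode's counter into exactly the kind of invalid read Valgrind reported in the thread.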