
[patch] fixed use of freed memory when redrawing statusline recursively

  • Dominique Pellé
    Message 1 of 2 , Jun 1, 2009
      Hi

      Vim is using freed memory when invoking ":redrawstatus"
      while redrawing the statusline:

      ==23085== Invalid read of size 1
      ==23085== at 0x80773FB: build_stl_str_hl (buffer.c:3441)
      ==23085== by 0x8178ADB: win_redr_custom (screen.c:6093)
      ==23085== by 0x8178F04: redraw_custum_statusline (screen.c:5898)
      ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
      ==23085== by 0x81857A5: update_screen (screen.c:529)
      ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
      ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
      ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
      ==23085== by 0x80A477E: call_user_func (eval.c:21250)
      ==23085== by 0x80A51C8: call_func (eval.c:8111)
      ==23085== by 0x80A893B: get_func_tv (eval.c:7957)
      ==23085== by 0x80A6BF9: eval7 (eval.c:5013)
      ==23085== by 0x80A7564: eval6 (eval.c:4680)
      ==23085== by 0x80A77DE: eval5 (eval.c:4496)
      ==23085== by 0x80A7B41: eval4 (eval.c:4191)
      ==23085== by 0x80A847B: eval3 (eval.c:4103)
      ==23085== by 0x80A85AC: eval1 (eval.c:4032)
      ==23085== by 0x80A97CD: eval0 (eval.c:3914)
      ==23085== by 0x80A9B8C: eval_to_string (eval.c:1296)
      ==23085== by 0x80A9F6A: eval_to_string_safe (eval.c:1340)
      ==23085== by 0x8078B87: build_stl_str_hl (buffer.c:3698)
      ==23085== by 0x8178ADB: win_redr_custom (screen.c:6093)
      ==23085== by 0x8178F04: redraw_custum_statusline (screen.c:5898)
      ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
      ==23085== by 0x81857A5: update_screen (screen.c:529)
      ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
      ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
      ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
      ==23085== by 0x80A477E: call_user_func (eval.c:21250)
      ==23085== by 0x80A51C8: call_func (eval.c:8111)
      ==23085== Address 0x5acf6fd is 13 bytes inside a block of size 15 free'd
      ==23085== at 0x4024E5A: free (vg_replace_malloc.c:323)
      ==23085== by 0x8157129: set_string_option_direct (option.c:5359)
      ==23085== by 0x8178F46: redraw_custum_statusline (screen.c:5900)
      ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
      ==23085== by 0x81857A5: update_screen (screen.c:529)
      ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
      ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
      ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
      ==23085== by 0x80A477E: call_user_func (eval.c:21250)
      ==23085== by 0x80A51C8: call_func (eval.c:8111)
      ==23085== by 0x80A893B: get_func_tv (eval.c:7957)
      ==23085== by 0x80A6BF9: eval7 (eval.c:5013)
      ==23085== by 0x80A7564: eval6 (eval.c:4680)
      ==23085== by 0x80A77DE: eval5 (eval.c:4496)
      ==23085== by 0x80A7B41: eval4 (eval.c:4191)
      ==23085== by 0x80A847B: eval3 (eval.c:4103)
      ==23085== by 0x80A85AC: eval1 (eval.c:4032)
      ==23085== by 0x80A97CD: eval0 (eval.c:3914)
      ==23085== by 0x80A9B8C: eval_to_string (eval.c:1296)
      ==23085== by 0x80A9F6A: eval_to_string_safe (eval.c:1340)
      ==23085== by 0x8078B87: build_stl_str_hl (buffer.c:3698)
      ==23085== by 0x8178ADB: win_redr_custom (screen.c:6093)
      ==23085== by 0x8178F04: redraw_custum_statusline (screen.c:5898)
      ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
      ==23085== by 0x81857A5: update_screen (screen.c:529)
      ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
      ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
      ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
      ==23085== by 0x80A477E: call_user_func (eval.c:21250)
      ==23085== by 0x80A51C8: call_func (eval.c:8111)

      Here is a minimalistic way to reproduce the bug:

      $ cat .vimrc-test

      set nocompatible
      set laststatus=2

      function! Foo()
      redrawstatus
      endfunction

      set statusline='%{Foo()}'

      $ valgrind vim -u .vimrc-test 2> vg.log

      Then observe the errors in vg.log

      I'm using vim-7.2.191 on Linux.
      Attached patch fixes it.

      -- Dominique

      --~--~---------~--~----~------------~-------~--~----~
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
      -~----------~----~----~----~------~----~------~--~---
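The failure mode in the report above, reduced to a small C model: a renderer scans an option string through a borrowed pointer, the expression it evaluates re-enters the redraw, and the nested redraw frees that string. This is an added example, not code from Vim or from the attached patch; all names are hypothetical, and the re-entrancy guard is one possible hardening assumed here, not taken from the patch.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model; every name here is hypothetical, not Vim's source. */
static char *stl_opt;       /* heap-owned option value, like 'statusline' */
static unsigned stl_gen;    /* bumped each time stl_opt is freed and replaced */
static int use_guard, entered, depth, had_error, stale_hits;

static void set_opt(const char *val) {
    free(stl_opt);                      /* any borrowed pointer now dangles */
    stl_opt = malloc(strlen(val) + 1);
    if (stl_opt == NULL) abort();
    strcpy(stl_opt, val);
    stl_gen++;
}

static void redraw_status(void);

/* Scans the option through a borrowed pointer, as a format renderer does.
 * '{' stands in for %{Foo()} where Foo() runs :redrawstatus. */
static void render(void) {
    const char *p = stl_opt;
    unsigned gen = stl_gen;
    for (; *p != '\0'; p++) {
        if (*p != '{') continue;
        if (depth >= 3) had_error = 1;  /* nesting limit: evaluation fails */
        else redraw_status();           /* re-entrant redraw */
        if (gen != stl_gen) {           /* string was freed while we held p */
            stale_hits++;               /* scanning on would read freed memory */
            return;
        }
    }
}

static void redraw_status(void) {
    if (use_guard && entered) return;   /* hardened: ignore re-entrant redraw */
    entered = 1; depth++;
    render();
    if (had_error) set_opt("");         /* reset the broken option: frees it */
    if (--depth == 0) entered = 0;
}

/* Returns how many render() frames were left holding a freed string. */
int run_case(int guard) {
    use_guard = guard; entered = depth = had_error = stale_hits = 0;
    set_opt("%{Foo()}");
    redraw_status();
    return stale_hits;
}

int main(void) { return (run_case(0) == 2 && run_case(1) == 0) ? 0 : 1; }
```

The model stops at the point where the stale pointer would be dereferenced, so it runs cleanly under valgrind while still counting each frame that would have performed the invalid read.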
    • Bram Moolenaar
      Message 2 of 2 , Jun 1, 2009
        Dominique Pelle wrote:

        > Vim is using freed memory when invoking ":redrawstatus"
        > while redrawing the statusline:
        >
        > ==23085== Invalid read of size 1
        > ==23085== at 0x80773FB: build_stl_str_hl (buffer.c:3441)
        > ==23085== by 0x8178ADB: win_redr_custom (screen.c:6093)
        > ==23085== by 0x8178F04: redraw_custum_statusline (screen.c:5898)
        > ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
        > ==23085== by 0x81857A5: update_screen (screen.c:529)
        > ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
        > ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
        > ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
        > ==23085== by 0x80A477E: call_user_func (eval.c:21250)
        > ==23085== by 0x80A51C8: call_func (eval.c:8111)
        > ==23085== by 0x80A893B: get_func_tv (eval.c:7957)
        > ==23085== by 0x80A6BF9: eval7 (eval.c:5013)
        > ==23085== by 0x80A7564: eval6 (eval.c:4680)
        > ==23085== by 0x80A77DE: eval5 (eval.c:4496)
        > ==23085== by 0x80A7B41: eval4 (eval.c:4191)
        > ==23085== by 0x80A847B: eval3 (eval.c:4103)
        > ==23085== by 0x80A85AC: eval1 (eval.c:4032)
        > ==23085== by 0x80A97CD: eval0 (eval.c:3914)
        > ==23085== by 0x80A9B8C: eval_to_string (eval.c:1296)
        > ==23085== by 0x80A9F6A: eval_to_string_safe (eval.c:1340)
        > ==23085== by 0x8078B87: build_stl_str_hl (buffer.c:3698)
        > ==23085== by 0x8178ADB: win_redr_custom (screen.c:6093)
        > ==23085== by 0x8178F04: redraw_custum_statusline (screen.c:5898)
        > ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
        > ==23085== by 0x81857A5: update_screen (screen.c:529)
        > ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
        > ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
        > ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
        > ==23085== by 0x80A477E: call_user_func (eval.c:21250)
        > ==23085== by 0x80A51C8: call_func (eval.c:8111)
        > ==23085== Address 0x5acf6fd is 13 bytes inside a block of size 15 free'd
        > ==23085== at 0x4024E5A: free (vg_replace_malloc.c:323)
        > ==23085== by 0x8157129: set_string_option_direct (option.c:5359)
        > ==23085== by 0x8178F46: redraw_custum_statusline (screen.c:5900)
        > ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
        > ==23085== by 0x81857A5: update_screen (screen.c:529)
        > ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
        > ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
        > ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
        > ==23085== by 0x80A477E: call_user_func (eval.c:21250)
        > ==23085== by 0x80A51C8: call_func (eval.c:8111)
        > ==23085== by 0x80A893B: get_func_tv (eval.c:7957)
        > ==23085== by 0x80A6BF9: eval7 (eval.c:5013)
        > ==23085== by 0x80A7564: eval6 (eval.c:4680)
        > ==23085== by 0x80A77DE: eval5 (eval.c:4496)
        > ==23085== by 0x80A7B41: eval4 (eval.c:4191)
        > ==23085== by 0x80A847B: eval3 (eval.c:4103)
        > ==23085== by 0x80A85AC: eval1 (eval.c:4032)
        > ==23085== by 0x80A97CD: eval0 (eval.c:3914)
        > ==23085== by 0x80A9B8C: eval_to_string (eval.c:1296)
        > ==23085== by 0x80A9F6A: eval_to_string_safe (eval.c:1340)
        > ==23085== by 0x8078B87: build_stl_str_hl (buffer.c:3698)
        > ==23085== by 0x8178ADB: win_redr_custom (screen.c:6093)
        > ==23085== by 0x8178F04: redraw_custum_statusline (screen.c:5898)
        > ==23085== by 0x817B16E: win_redr_status (screen.c:5768)
        > ==23085== by 0x81857A5: update_screen (screen.c:529)
        > ==23085== by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
        > ==23085== by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
        > ==23085== by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
        > ==23085== by 0x80A477E: call_user_func (eval.c:21250)
        > ==23085== by 0x80A51C8: call_func (eval.c:8111)
        >
        > Here is a minimalistic way to reproduce the bug:
        >
        > $ cat .vimrc-test
        >
        > set nocompatible
        > set laststatus=2
        >
        > function! Foo()
        > redrawstatus
        > endfunction
        >
        > set statusline='%{Foo()}'
        >
        > $ valgrind vim -u .vimrc-test 2> vg.log
        >
        > Then observe the errors in vg.log
        >
        > I'm using vim-7.2.191 on Linux.
        > Attached patch fixes it.

        Thanks, I'll put it in the todo list.

        --
        The fastest way to get an engineer to solve a problem is to declare that the
        problem is unsolvable. No engineer can walk away from an unsolvable problem
        until it's solved.
        (Scott Adams - The Dilbert principle)

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
