Re: Issue 96 in vim: Use of memory after free when pasting in read-only file using Perforce plugin

  • vim@googlecode.com
    Message 1 of 8 , Dec 8, 2012
      Comment #1 on issue 96 by brammool...@...: Use of memory after free
      when pasting in read-only file using Perforce plugin
      http://code.google.com/p/vim/issues/detail?id=96

      It's tricky that u_undo() may cause an autocommand to be executed; it could
      do just about anything and make any pointers invalid.
      Probably the best solution is to invoke u_undo() first, before calling
      get_yank_register(). It might change undo behavior a bit, perhaps only do
      it when there is an autocommand?

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
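Added example, not part of the original message and not Vim source code: a toy model of the ordering problem described in comment #1, where a pointer fetched before a step that can run arbitrary hooks goes stale, and fetching it after that step avoids the problem. The names reg_set, toy_undo, hook_rewrites_register, put_fetch_then_undo and put_undo_then_fetch are hypothetical stand-ins, and staleness is detected with a generation counter so the freed pointer is never dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model, not Vim source: one register whose buffer a hook may replace. */
static char *reg_text;            /* current register contents (heap) */
static unsigned reg_generation;   /* bumped whenever reg_text is replaced */

static void reg_set(const char *s) {
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) abort();
    strcpy(copy, s);
    free(reg_text);               /* pointers cached by callers now dangle */
    reg_text = copy;
    reg_generation++;
}

/* Stand-in for an autocommand: arbitrary code that rewrites the register. */
static void hook_rewrites_register(void) { reg_set("replaced by hook"); }
/* Stand-in for an undo step that runs hooks as a side effect. */
static void toy_undo(void (*hook)(void)) { if (hook != NULL) hook(); }

/* Risky order: cache the pointer, then run code that may free it.
 * Returns 1 if the cached pointer went stale; it is never dereferenced. */
int put_fetch_then_undo(void) {
    reg_set("yanked text");
    const char *cached = reg_text;
    unsigned seen = reg_generation;
    (void)cached;
    toy_undo(hook_rewrites_register);  /* cached now dangles; strlen(cached) would be a UAF */
    return seen != reg_generation;
}

/* Safer order: run the side-effecting step first, then fetch the pointer.
 * Copies the register into out and returns 1 if it went stale before use. */
int put_undo_then_fetch(char *out, size_t outlen) {
    reg_set("yanked text");
    toy_undo(hook_rewrites_register);
    const char *fresh = reg_text;
    unsigned seen = reg_generation;
    snprintf(out, outlen, "%s", fresh);  /* nothing ran since the fetch */
    return seen != reg_generation;
}

int main(void) {
    char buf[64];
    printf("fetch-then-undo stale: %d\n", put_fetch_then_undo());
    printf("undo-then-fetch stale: %d\n", put_undo_then_fetch(buf, sizeof buf));
    return 0;
}
```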
    • vim@googlecode.com
      Message 2 of 8 , Dec 10, 2012
        Comment #2 on issue 96 by dominiqu...@...: Use of memory after free
        when pasting in read-only file using Perforce plugin
        http://code.google.com/p/vim/issues/detail?id=96

        I need to add that this issue has caused several crashes for me while
        working normally with Vim and Perforce plugin in the last few days. What I
        find strange is that I was working with the same setup for months without
        such a crash. And in the last few days, I experienced 3 or 4 crashes. So
        something must have changed recently to make the crash happen
        more frequently. Here is a gdb stack trace when the crash happened while
        checking out a file within Vim:


        (gdb) bt
        #0 0x00007f9f793ed707 in kill () at ../sysdeps/unix/syscall-template.S:82
        #1 0x0000000000788bd7 in may_core_dump () at os_unix.c:3166
        #2 0x00000000007889d3 in mch_exit (r=1) at os_unix.c:3132
        #3 0x0000000000a55d94 in getout (exitval=1) at main.c:1478
        #4 0x00000000006a6c66 in preserve_exit () at misc1.c:9134
        #5 0x0000000000797305 in deathtrap (sigarg=11) at os_unix.c:1097
        #6 <signal handler called>
        #7 __strlen_sse2_pminub ()
        at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
        #8 0x0000000000748585 in do_put (regname=43, dir=1, count=1, flags=0) at
        ops.c:3493
        #9 0x0000000000719b0d in nv_put (cap=0x7fff970b3c48) at normal.c:9463
        #10 0x00000000006fe953 in normal_cmd (oap=0x7fff970b3d08, toplevel=1) at
        normal.c:1198
        #11 0x0000000000a5692d in main_loop (cmdwin=0, noexmode=0) at main.c:1306
        #12 0x0000000000a4e9a4 in main (argc=2, argv=0x7fff970b4318) at main.c:1010
        (gdb)


        Notice that it crashes where valgrind was also complaining.

        Full stack trace:

        (gdb) bt full
        #0 0x00007f9f793ed707 in kill () at ../sysdeps/unix/syscall-template.S:82
        No locals.
        #1 0x0000000000788bd7 in may_core_dump () at os_unix.c:3166
        No locals.
        #2 0x00000000007889d3 in mch_exit (r=1) at os_unix.c:3132
        No locals.
        #3 0x0000000000a55d94 in getout (exitval=1) at main.c:1478
        buf = 0x0
        wp = 0x0
        tp = 0x0
        next_tp = 0x0
        #4 0x00000000006a6c66 in preserve_exit () at misc1.c:9134
        buf = 0x0
        #5 0x0000000000797305 in deathtrap (sigarg=11) at os_unix.c:1097
        i = 7
        entered = 1
        #6 <signal handler called>
        No symbol table info available.
        #7 __strlen_sse2_pminub ()
        at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:39
        No locals.
        #8 0x0000000000748585 in do_put (regname=43, dir=1, count=1, flags=0) at
        ops.c:3493
        newp = 0x0
        oldlen = 32767
        bd = {startspaces = -1760869616, endspaces = 112, textlen = 1,
        textstart = 0x70 <Address 0x70 out of bounds>, textcol = 7026884,
        start_vcol = 0, end_vcol = 0, is_short = 0, is_MAX = 39385520,
        is_oneChar = 0, pre_whitesp = -1760874992, pre_whitesp_c = 112,
        end_char_vcols = 13413992, start_char_vcols = 0}
        indent = 0
        ptr = 0x6ffb14 "\307E\344\001"
        oldp = 0x70 <Address 0x70 out of bounds>
        yanklen = 0
        col = 1
        totlen = 0
        lnum = 46
        i = 7364200
        vcol = 32767
        delcount = -1760874976
        nr_lines = 0
        allocated = 0
        cnt = 13413992
        y_size = 1
        j = 0
        new_cursor = {lnum = 140735727480400, col = 0, coladd = 0}
        orig_indent = 0
        first_indent = 1
        y_type = 1
        incr = 0
        y_array = 0x2651050
        insert_string = 0x0
        y_width = 0
        indent_diff = 0
        lendiff = 0
        old_pos = {lnum = 10927409, col = 33, coladd = 0}
        #9 0x0000000000719b0d in nv_put (cap=0x7fff970b3c48) at normal.c:9463
        regname = 0
        reg2 = 0x0
        empty = 0
        was_visual = 0
        dir = 1
        flags = 0
        reg1 = 0x0
        #10 0x00000000006fe953 in normal_cmd (oap=0x7fff970b3d08, toplevel=1) at
        normal.c:1198
        ca = {oap = 0x7fff970b3d08, prechar = 0, cmdchar = 112, nchar = 0,
        ncharC1 = 0, ncharC2 = 0, extra_char = 0, opcount = 0, count0 = 0, count1 =
        1, arg = 0, retval = 0, searchbuf = 0x0}
        c = 112
        idx = 113
        set_prevcount = 0
        ctrl_w = 0
        old_col = 31
        need_flushbuf = 1
        old_pos = {lnum = 45, col = 31, coladd = 0}
        mapped_len = 0
        old_mapped_len = 0
        #11 0x0000000000a5692d in main_loop (cmdwin=0, noexmode=0) at main.c:1306
        oa = {op_type = 0, regname = 0, motion_type = 0, motion_force = 0,
        use_reg_one = 0, inclusive = 0, end_adjusted = 0, start = {lnum = 112, col
        = 33, coladd = 0}, end = {lnum = 112, col = 33,
        coladd = 0}, cursor_start = {lnum = 0, col = 0, coladd = 0},
        line_count = 1, empty = 0, is_VIsual = 0, block_mode = 0, start_vcol = 0,
        end_vcol = 13, prev_opcount = 0, prev_count0 = 0}
        previous_got_int = 0
        conceal_old_cursor_line = 0
        conceal_new_cursor_line = 0
        conceal_update_lines = 0
        #12 0x0000000000a4e9a4 in main (argc=2, argv=0x7fff970b4318) at main.c:1010
        fname = 0x2219b30 "NDS-poi-region.cpp"
        params = {argc = 2, argv = 0x7fff970b4318, evim_mode = 0, use_vimrc
        = 0x0, n_commands = 0, commands = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
        0x0, 0x0},
        cmds_tofree = "\000\000\000\000\000\000\000\000\000",
        n_pre_commands = 0, pre_commands = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
        0x0, 0x0}, edit_type = 1, tagname = 0x0, use_ef = 0x0,
        want_full_screen = 1, stdout_isatty = 1, term = 0x0, ask_for_key
        = 0, no_swap_file = 0, use_debug_break_level = -1, window_count = 1,
        window_layout = 0, serverArg = 0, serverName_arg = 0x0,
        serverStr = 0x0, serverStrEnc = 0x0, servername =
        0x221ce20 "VIM", diff_mode = 0}
        i = 2
        (gdb)


      • vim@googlecode.com
        Message 3 of 8 , Dec 12, 2012
          Comment #3 on issue 96 by dominiqu...@...: Use of memory after free
          when pasting in read-only file using Perforce plugin
          http://code.google.com/p/vim/issues/detail?id=96

          I found that this bug only happens when I have this line in my ~/.vimrc:

          :set clipboard=unnamedplus,autoselect,exclude:cons\|linux

          I had recently added this line in my ~/.vimrc (and then forgot about it)
          because I tried to reproduce a bug with yankring mentioned here:

          https://groups.google.com/forum/?fromgroups=#!topic/vim_dev/Hgrb2O4A7yQ

          That explains why I only started to see several crashes in the last few
          days.

          So this setting of 'clipboard' not only causes a bug with yankring (plugin
          which I'm not using) but also creates a bug with the perforce-4.1 plugin
          (plugin which I'm using).

          I'll try later when I find time to find a minimalistic ~/.vimrc to
          reproduce this bug and will try to reproduce it without any plugin if
          possible.

        • vim@googlecode.com
          Message 4 of 8 , Dec 12, 2012
            Updates:
            Status: Started

            Comment #4 on issue 96 by brammool...@...: Use of memory after free
            when pasting in read-only file using Perforce plugin
            http://code.google.com/p/vim/issues/detail?id=96

            Please check if patch 7.3.757 solves this problem.

          • vim@googlecode.com
            Message 5 of 8 , Dec 12, 2012
              Comment #5 on issue 96 by dominiqu...@...: Use of memory after free
              when pasting in read-only file using Perforce plugin
              http://code.google.com/p/vim/issues/detail?id=96

              Bram wrote:

              > Please check if patch 7.3.757 solves this problem.

              Yes, it fixes it. Thanks!

            • vim@googlecode.com
              Message 6 of 8 , Dec 12, 2012
                Updates:
                Status: Fixed

                Comment #6 on issue 96 by brammool...@...: Use of memory after free
                when pasting in read-only file using Perforce plugin
                http://code.google.com/p/vim/issues/detail?id=96

                (No comment was entered for this change.)

              • David Fishburn
                Message 7 of 8 , Dec 12, 2012


                  On Wed, Dec 12, 2012 at 3:02 PM, <vim@...> wrote:
                  Updates:
                          Status: Fixed

                  Comment #6 on issue 96 by brammool...@...: Use of memory after free when pasting in read-only file using Perforce plugin
                  http://code.google.com/p/vim/issues/detail?id=96


                  I will attempt to reproduce the issue with the YankRing, and then try it with this patch.  But so far I haven't been able to reliably reproduce the crash.

                  David 
