
Bug: read from free'd memory when jumping from a quickfix list

  • LCD 47
    Message 1 of 6, Jul 17, 2014
      Scenario:

      (1) set a loclist:

      call setloclist(0, list)

      (2) at some point later replace the list:

      call setloclist(0, other_list, 'r')

      (3) open the quickfix window

      lopen

      (4) switch to the quickfix window and press Enter to jump to an error:

      .ll

      The result is a read from free'd memory; valgrind trace included
      below. It's easy to make Vim crash from there, but the stack trace
      doesn't reveal any additional information.

      Sadly, this is not consistently reproducible. I can trigger it in
      syntastic, but I can't seem to get the same result in a simple test
      file.

      /lcd

      ==10841== Memcheck, a memory error detector
      ==10841== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
      ==10841== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
      ==10841== Command: ./vim Ejecta.js
      ==10841== Parent PID: 4692
      ==10841==
      ==10841== Invalid read of size 4
      ==10841== at 0x814C5BB: qf_jump (quickfix.c:1789)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110cc is 12 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 1
      ==10841== at 0x814C5C9: qf_jump (quickfix.c:1791)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110e2 is 34 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 4
      ==10841== at 0x814C659: qf_jump (quickfix.c:1806)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110cc is 12 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 4
      ==10841== at 0x814C69D: qf_jump (quickfix.c:1816)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110d8 is 24 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 4
      ==10841== at 0x814C6AB: qf_jump (quickfix.c:1821)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110c8 is 8 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 4
      ==10841== at 0x814C6DB: qf_jump (quickfix.c:1828)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110d0 is 16 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 4
      ==10841== at 0x814C6EE: qf_jump (quickfix.c:1830)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110d0 is 16 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841== Invalid read of size 1
      ==10841== at 0x814C6F8: qf_jump (quickfix.c:1831)
      ==10841== by 0x814E8E0: ex_cc (quickfix.c:2996)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x80A5758: do_cmdline_cmd (ex_docmd.c:731)
      ==10841== by 0x8123D48: nv_down (normal.c:6102)
      ==10841== by 0x811BD73: normal_cmd (normal.c:1156)
      ==10841== by 0x81F394B: main_loop (main.c:1326)
      ==10841== by 0x81F3307: main (main.c:1026)
      ==10841== Address 0x79110e0 is 32 bytes inside a block of size 36 free'd
      ==10841== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
      ==10841== by 0x810C402: vim_free (misc2.c:1740)
      ==10841== by 0x814D1B2: qf_free (quickfix.c:2155)
      ==10841== by 0x815004E: set_errorlist (quickfix.c:3848)
      ==10841== by 0x80879E8: set_qf_ll_list (eval.c:16825)
      ==10841== by 0x8087A4B: f_setloclist (eval.c:16846)
      ==10841== by 0x807D239: call_func (eval.c:8596)
      ==10841== by 0x807CD7D: get_func_tv (eval.c:8403)
      ==10841== by 0x8076B9F: ex_call (eval.c:3487)
      ==10841== by 0x80A83B7: do_one_cmd (ex_docmd.c:2701)
      ==10841== by 0x80A5ECC: do_cmdline (ex_docmd.c:1126)
      ==10841== by 0x8091F7F: call_user_func (eval.c:23507)
      ==10841==
      ==10841==
      ==10841== HEAP SUMMARY:
      ==10841== in use at exit: 2,717,034 bytes in 65,496 blocks
      ==10841== total heap usage: 446,641 allocs, 381,145 frees, 212,361,803 bytes allocated
      ==10841==
      ==10841== LEAK SUMMARY:
      ==10841== definitely lost: 3,456 bytes in 6 blocks
      ==10841== indirectly lost: 0 bytes in 0 blocks
      ==10841== possibly lost: 1,170,341 bytes in 31,976 blocks
      ==10841== still reachable: 1,543,237 bytes in 33,514 blocks
      ==10841== suppressed: 0 bytes in 0 blocks
      ==10841== Rerun with --leak-check=full to see details of leaked memory
      ==10841==
      ==10841== For counts of detected and suppressed errors, rerun with: -v
      ==10841== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)

      --
      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php

      ---
      You received this message because you are subscribed to the Google Groups "vim_dev" group.
      To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
      For more options, visit https://groups.google.com/d/optout.
    • Bram Moolenaar
      Message 2 of 6, Jul 17, 2014
        Lcd wrote:

        > Scenario:
        >
        > (1) set a loclist:
        >
        > call setloclist(0, list)
        >
        > (2) at some point later replace the list:
        >
        > call setloclist(0, other_list, 'r')
        >
        > (3) open the quickfix window
        >
        > lopen
        >
        > (4) switch to the quickfix window and press Enter to jump to an error:
        >
        > .ll
        >
        > The result is a read from free'd memory; valgrind trace included
        > below. It's easy to make Vim crash from there, but the stack trace
        > doesn't reveal any additional information.
        >
        > Sadly, this is not consistently reproducible. I can trigger it in
        > syntastic, but I can't seem to get the same result in a simple test
        > file.

        Thanks for the valgrind log. I'm not sure I'll be able to pinpoint the
        problem, I'll add a note in the todo list.


        --
        A disclaimer for the disclaimer:
        "and before I get a huge amount of complaints , I have no control over the
        disclaimer at the end of this mail :-)" (Timothy Aldrich)

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ an exciting new programming language -- http://www.Zimbu.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      • Bram Moolenaar
        Message 3 of 6, Jul 23, 2014
          Lcd wrote:

          > Scenario:
          >
          > (1) set a loclist:
          >
          > call setloclist(0, list)
          >
          > (2) at some point later replace the list:
          >
          > call setloclist(0, other_list, 'r')
          >
          > (3) open the quickfix window
          >
          > lopen
          >
          > (4) switch to the quickfix window and press Enter to jump to an error:
          >
          > .ll
          >
          > The result is a read from free'd memory; valgrind trace included
          > below. It's easy to make Vim crash from there, but the stack trace
          > doesn't reveal any additional information.
          >
          > Sadly, this is not consistently reproducible. I can trigger it in
          > syntastic, but I can't seem to get the same result in a simple test
          > file.

          I have sent out patch 7.4.379. Can you check that this fixes the
          problem?


          --
          If all you have is a hammer, everything looks like a nail.
          When your hammer is C++, everything begins to look like a thumb.
          -- Steve Hoflich, comp.lang.c++

          /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
          /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
          \\\ an exciting new programming language -- http://www.Zimbu.org ///
          \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

        • LCD 47
          Message 4 of 6, Jul 23, 2014
            On 23 July 2014, Bram Moolenaar <Bram@...> wrote:
            >
            > Lcd wrote:
            >
            > > Scenario:
            > >
            > > (1) set a loclist:
            > >
            > > call setloclist(0, list)
            > >
            > > (2) at some point later replace the list:
            > >
            > > call setloclist(0, other_list, 'r')
            > >
            > > (3) open the quickfix window
            > >
            > > lopen
            > >
            > > (4) switch to the quickfix window and press Enter to jump to an error:
            > >
            > > .ll
            > >
            > > The result is a read from free'd memory; valgrind trace included
            > > below. It's easy to make Vim crash from there, but the stack trace
            > > doesn't reveal any additional information.
            > >
            > > Sadly, this is not consistently reproducible. I can trigger it
            > > in syntastic, but I can't seem to get the same result in a simple
            > > test file.
            >
            > I have sent out patch 7.4.379. Can you check that this fixes the
            > problem?

            That was something I tried too, but it doesn't work; new valgrind
            trace included below.

            However, try as I might I can't reproduce the problem in a simpler
            setup, and that suggests the bug might be completely unrelated to
            setloclist(). The closest approximation of a rational explanation that
            I have so far is a scenario I accidentally ran into yesterday, involving
            calling a void function in a non-void context. E.g.:

            function! s:foo()
                let var = 1
            endfunction

            if s:foo()
                " do something
            endif

            That happened because I deleted the return statement in s:foo()
            while refactoring it. To my surprise Vim didn't complain. My script
            jumped at some random place, but otherwise happily went on. I'm not
            familiar enough with the code to attempt a fix to that.

            /lcd


            ==00:00:00:00.000 21465== Memcheck, a memory error detector
            ==00:00:00:00.000 21465== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
            ==00:00:00:00.000 21465== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
            ==00:00:00:00.000 21465== Command: ./vim Ejecta.js
            ==00:00:00:00.000 21465== Parent PID: 10413
            ==00:00:00:00.000 21465==
            ==00:00:00:22.696 21465== Invalid read of size 4
            ==00:00:00:22.696 21465== at 0x814C5FD: qf_jump (quickfix.c:1798)
            ==00:00:00:22.696 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.696 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.696 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.696 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.696 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.696 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.696 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.696 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.696 21465== Address 0xbe30e54 is 12 bytes inside a block of size 36 free'd
            ==00:00:00:22.696 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.696 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.696 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.696 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.696 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.696 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.696 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.696 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.696 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.696 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.696 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.696 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.696 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.696 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.696 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.696 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.696 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.696 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.696 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.696 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.696 21465==
            ==00:00:00:22.698 21465== Invalid read of size 1
            ==00:00:00:22.698 21465== at 0x814C60B: qf_jump (quickfix.c:1800)
            ==00:00:00:22.698 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.698 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.698 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.698 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.698 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.698 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.698 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.698 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.698 21465== Address 0xbe30e6a is 34 bytes inside a block of size 36 free'd
            ==00:00:00:22.698 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.698 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.698 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.698 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.698 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.698 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.698 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.698 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.698 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.698 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.698 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.698 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.698 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.698 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.698 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.698 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.698 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.698 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.698 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.698 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.698 21465==
            ==00:00:00:22.700 21465== Invalid read of size 4
            ==00:00:00:22.700 21465== at 0x814C69B: qf_jump (quickfix.c:1815)
            ==00:00:00:22.700 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.700 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.700 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.700 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.700 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.700 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.700 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.700 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.700 21465== Address 0xbe30e54 is 12 bytes inside a block of size 36 free'd
            ==00:00:00:22.700 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.700 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.700 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.700 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.700 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.700 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.700 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.700 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.700 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.700 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.700 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.700 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.700 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.700 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.700 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.700 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.700 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.700 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.700 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.700 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.700 21465==
            ==00:00:00:22.703 21465== Invalid read of size 4
            ==00:00:00:22.703 21465== at 0x814C6DF: qf_jump (quickfix.c:1825)
            ==00:00:00:22.703 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.703 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.703 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.703 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.703 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.703 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.703 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.703 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.703 21465== Address 0xbe30e60 is 24 bytes inside a block of size 36 free'd
            ==00:00:00:22.703 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.703 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.703 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.703 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.703 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.703 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.703 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.703 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.703 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.703 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.703 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.703 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.703 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.703 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.703 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.703 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.703 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.703 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.703 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.703 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.703 21465==
            ==00:00:00:22.704 21465== Invalid read of size 4
            ==00:00:00:22.704 21465== at 0x814C6ED: qf_jump (quickfix.c:1830)
            ==00:00:00:22.704 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.704 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.704 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.704 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.704 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.704 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.704 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.704 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.704 21465== Address 0xbe30e50 is 8 bytes inside a block of size 36 free'd
            ==00:00:00:22.705 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.705 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.705 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.705 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.705 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.705 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.705 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.705 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.705 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.705 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.705 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.705 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.705 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.705 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.705 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.705 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.705 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.705 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.705 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.705 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.705 21465==
            ==00:00:00:22.706 21465== Invalid read of size 4
            ==00:00:00:22.706 21465== at 0x814C71D: qf_jump (quickfix.c:1837)
            ==00:00:00:22.706 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.706 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.706 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.706 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.707 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.707 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.707 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.707 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.707 21465== Address 0xbe30e58 is 16 bytes inside a block of size 36 free'd
            ==00:00:00:22.707 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.707 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.707 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.707 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.707 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.707 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.707 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.707 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.707 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.707 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.707 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.707 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.707 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.707 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.707 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.707 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.707 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.707 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.707 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.707 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.707 21465==
            ==00:00:00:22.708 21465== Invalid read of size 4
            ==00:00:00:22.708 21465== at 0x814C730: qf_jump (quickfix.c:1839)
            ==00:00:00:22.708 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.708 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.708 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.708 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.708 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.708 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.709 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.709 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.709 21465== Address 0xbe30e58 is 16 bytes inside a block of size 36 free'd
            ==00:00:00:22.709 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.709 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.709 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.709 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.709 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.709 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.709 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.709 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.709 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.709 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.709 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.709 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.709 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.709 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.709 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.709 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.709 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.709 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.709 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.709 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.709 21465==
            ==00:00:00:22.710 21465== Invalid read of size 1
            ==00:00:00:22.710 21465== at 0x814C73A: qf_jump (quickfix.c:1840)
            ==00:00:00:22.710 21465== by 0x814E93C: ex_cc (quickfix.c:3006)
            ==00:00:00:22.710 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.710 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.710 21465== by 0x80A576C: do_cmdline_cmd (ex_docmd.c:731)
            ==00:00:00:22.710 21465== by 0x8123D70: nv_down (normal.c:6106)
            ==00:00:00:22.710 21465== by 0x811BD9B: normal_cmd (normal.c:1160)
            ==00:00:00:22.710 21465== by 0x81F3ADE: main_loop (main.c:1326)
            ==00:00:00:22.710 21465== by 0x81F349A: main (main.c:1026)
            ==00:00:00:22.710 21465== Address 0xbe30e68 is 32 bytes inside a block of size 36 free'd
            ==00:00:00:22.710 21465== at 0x402A17C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
            ==00:00:00:22.710 21465== by 0x810C416: vim_free (misc2.c:1740)
            ==00:00:00:22.710 21465== by 0x814D1F4: qf_free (quickfix.c:2164)
            ==00:00:00:22.710 21465== by 0x81500AD: set_errorlist (quickfix.c:3859)
            ==00:00:00:22.710 21465== by 0x80879FC: set_qf_ll_list (eval.c:16825)
            ==00:00:00:22.710 21465== by 0x8087A5F: f_setloclist (eval.c:16846)
            ==00:00:00:22.710 21465== by 0x807D24D: call_func (eval.c:8596)
            ==00:00:00:22.710 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.710 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.710 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.710 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.710 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.710 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.710 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.710 21465== by 0x8076BB3: ex_call (eval.c:3487)
            ==00:00:00:22.710 21465== by 0x80A83CB: do_one_cmd (ex_docmd.c:2701)
            ==00:00:00:22.710 21465== by 0x80A5EE0: do_cmdline (ex_docmd.c:1126)
            ==00:00:00:22.710 21465== by 0x8091F93: call_user_func (eval.c:23507)
            ==00:00:00:22.710 21465== by 0x807D13C: call_func (eval.c:8567)
            ==00:00:00:22.710 21465== by 0x807CD91: get_func_tv (eval.c:8403)
            ==00:00:00:22.710 21465==
            ==00:00:00:33.702 21465==
            ==00:00:00:33.704 21465== HEAP SUMMARY:
            ==00:00:00:33.704 21465== in use at exit: 2,763,430 bytes in 66,970 blocks
            ==00:00:00:33.704 21465== total heap usage: 483,188 allocs, 416,218 frees, 214,644,427 bytes allocated
            ==00:00:00:33.704 21465==
            ==00:00:00:33.792 21465== LEAK SUMMARY:
            ==00:00:00:33.792 21465== definitely lost: 3,456 bytes in 6 blocks
            ==00:00:00:33.792 21465== indirectly lost: 0 bytes in 0 blocks
            ==00:00:00:33.792 21465== possibly lost: 1,190,119 bytes in 32,852 blocks
            ==00:00:00:33.792 21465== still reachable: 1,569,855 bytes in 34,112 blocks
            ==00:00:00:33.792 21465== suppressed: 0 bytes in 0 blocks
            ==00:00:00:33.792 21465== Rerun with --leak-check=full to see details of leaked memory
            ==00:00:00:33.792 21465==
            ==00:00:00:33.792 21465== For counts of detected and suppressed errors, rerun with: -v
            ==00:00:00:33.792 21465== ERROR SUMMARY: 8 errors from 8 contexts (suppressed: 0 from 0)

            --
            --
            You received this message from the "vim_dev" maillist.
            Do not top-post! Type your reply below the text you are replying to.
            For more information, visit http://www.vim.org/maillist.php

            ---
            You received this message because you are subscribed to the Google Groups "vim_dev" group.
            To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
            For more options, visit https://groups.google.com/d/optout.
          • Bram Moolenaar
            Message 5 of 6 , Jul 23, 2014
              Lcd wrote:

              > > > Scenario:
              > > >
              > > > (1) set a loclist:
              > > >
              > > > call setloclist(0, list)
              > > >
              > > > (2) at some point later replace the list:
              > > >
              > > > call setloclist(0, other_list, 'r')
              > > >
              > > > (3) open the quickfix window
              > > >
              > > > lopen
              > > >
              > > > (4) switch to the quickfix window and press Enter to jump to an error:
              > > >
              > > > .ll
              > > >
              > > > The result is a read from free'd memory; valgrind trace included
              > > > below. It's easy to make Vim crash from there, but the stack trace
              > > > doesn't reveal any additional information.
              > > >
              > > > Sadly, this is not consistently reproducible. I can trigger it
              > > > in syntastic, but I can't seem to get the same result in a simple
              > > > test file.
              > >
              > > I have sent out patch 7.4.379. Can you check that this fixes the
              > > problem?
              >
              > That was something I tried too, but it doesn't work; new valgrind
              > trace included below.

              What exactly are the arguments to ex_cc when this happens? Without
              knowing that, the number of possibilities is too big.

              Can you reproduce it with a fixed location list? Otherwise I can't
              reproduce the problem.

              > However, try as I might I can't reproduce the problem in a simpler
              > setup, and that suggests the bug might be completely unrelated to
              > setloclist(). The closest approximation of a rational explanation that
              > I have so far is a scenario I accidentally ran into yesterday, involving
              > calling a void function in a non-void context. E.g.:
              >
              > function! s:foo()
              > let var = 1
              > endfunction
              >
              > if s:foo()
              > " do something
              > endif
              >
              > That happened because I deleted the return statement in s:foo()
              > while refactoring it. To my surprise Vim didn't complain. My script
              > jumped at some random place, but otherwise happily went on. I'm not
              > familiar enough with the code to attempt a fix to that.

              A function without a return statement should return the number zero.
              As far as I can see that is what happens in your example.

              --
              OLD WOMAN: King of the WHO?
              ARTHUR: The Britons.
              OLD WOMAN: Who are the Britons?
              "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

              /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
              /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
              \\\ an exciting new programming language -- http://www.Zimbu.org ///
              \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

            • LCD 47
              Message 6 of 6 , Jul 24, 2014
                On 23 July 2014, Bram Moolenaar <Bram@...> wrote:
                >
                > Lcd wrote:
                >
                > > > > Scenario:
                > > > >
                > > > > (1) set a loclist:
                > > > >
                > > > > call setloclist(0, list)
                > > > >
                > > > > (2) at some point later replace the list:
                > > > >
                > > > > call setloclist(0, other_list, 'r')
                > > > >
                > > > > (3) open the quickfix window
                > > > >
                > > > > lopen
                > > > >
                > > > > (4) switch to the quickfix window and press Enter to jump to an
                > > > > error:
                > > > >
                > > > > .ll
                > > > >
                > > > > The result is a read from free'd memory; valgrind trace
                > > > > included below. It's easy to make Vim crash from there, but the
                > > > > stack trace doesn't reveal any additional information.
                > > > >
                > > > > Sadly, this is not consistently reproducible. I can trigger
                > > > > it in syntastic, but I can't seem to get the same result in a
                > > > > simple test file.
                > > >
                > > > I have sent out patch 7.4.379. Can you check that this fixes the
                > > > problem?
                > >
                > > That was something I tried too, but it doesn't work; new
                > > valgrind trace included below.
                >
                > What exactly are the arguments to ex_cc when this happens?

                I added some rudimentary tracing, patch attached. The output is
                this:

                ex_cexpr(): arg = "err_lines", nextcmd = "NULL", *cmdlinep = " lgetexpr err_lines", cmdidx = 216, argt = 0x994, skip = 0, forceit = 0, addr_count = 0, line1 = 9, line2 = 9, flags = 0x0, do_ecmd_cmd = "NULL", do_ecmd_lnum = 0, append = 0, usefilter = 0, amount = 0, regname = 0, force_bin = 0, read_edit = 0, force_ff = 0, force_enc = 0, bad_char = 0, useridx = 0
                get_errorlist()
                set_errorlist(): action ' ', title = "setloclist()"
                get_errorlist()
                get_errorlist()
                get_errorlist()
                ex_cc(): arg = "", nextcmd = "NULL", *cmdlinep = ".ll", cmdidx = 220, argt = 0x4503, skip = 0, forceit = 0, addr_count = 1, line1 = 1, line2 = 1, flags = 0x0, do_ecmd_cmd = "NULL", do_ecmd_lnum = 0, append = 0, usefilter = 0, amount = 0, regname = 0, force_bin = 0, read_edit = 0, force_ff = 0, force_enc = 0, bad_char = 0, useridx = 0
                set_errorlist(): action 'r', title = "setloclist()"
                get_errorlist()
                get_errorlist()

                I'm also attaching the corresponding valgrind log.

                Perhaps also relevant: steps (1)-(3) happen from a BufWritePost
                autocmd, step (4) is done after the autocmd has finished.

                > Without knowing that, the number of possibilities is too big.

                Oh, I do realise it's a useless report. I don't know how to make
                it more useful. Sorry about that. However the bug appears to be real,
                which is why I posted all this.

                > Can you reproduce it with a fixed location list? Otherwise I can't
                > reproduce the problem.
                [...]

                As I said, I can't reproduce the problem in a simpler setup. As any
                self-respecting Heisenbug, I can't even reproduce it in gdb.

                /lcd
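
The tracing output above logs set_errorlist() with action 'r' after ex_cc() was entered, and the valgrind free stack passes through f_setloclist(). As an added example (not Vim's code and not a fix for this report), the following C program shows the general hazard of holding a list entry pointer across a call that can replace the list, next to one guard against it; every type, function and value in it is hypothetical.

```c
#include <stdlib.h>
/* Hypothetical miniature of a location list; these are not Vim's types. */
typedef struct entry { struct entry *next; int lnum; } entry_T;
typedef struct { entry_T *head; unsigned tick; } list_T; /* tick: bumped on replace */
typedef void (*hook_T)(list_T *);

void list_clear(list_T *l)
{
    while (l->head != NULL) {
        entry_T *next = l->head->next;
        free(l->head);
        l->head = next;
    }
}

/* Replace all entries, the role setloclist(0, other_list, 'r') plays on the page. */
int list_replace(list_T *l, const int *lnums, int n)
{
    list_clear(l);
    l->tick++;
    for (int i = n - 1; i >= 0; i--) {
        entry_T *e = malloc(sizeof(*e));
        if (e == NULL) return -1;
        e->lnum = lnums[i];
        e->next = l->head;
        l->head = e;
    }
    return 0;
}

/* Unguarded: e is fetched before the hook runs and dereferenced after it. */
int jump_unguarded(list_T *l, hook_T hook)
{
    entry_T *e = l->head;
    if (e == NULL) return -1;
    if (hook != NULL) hook(l);
    return e->lnum;  /* read from freed memory if the hook replaced the list */
}

/* Guarded: a changed tick means e is dangling, so restart from the new head. */
int jump_guarded(list_T *l, hook_T hook)
{
    entry_T *e = l->head;
    unsigned tick = l->tick;
    if (e == NULL) return -1;
    if (hook != NULL) hook(l);
    if (l->tick != tick) e = l->head;
    if (e == NULL) return -1;
    return e->lnum;
}

static const int OTHER[] = { 40, 41 };  /* constructed replacement entries */
void replacing_hook(list_T *l) { list_replace(l, OTHER, 2); }

int demo(int guarded, hook_T hook)
{
    static const int first[] = { 10, 11, 12 };  /* constructed initial entries */
    list_T l = { NULL, 0 };
    if (list_replace(&l, first, 3) != 0) return -1;
    int lnum = guarded ? jump_guarded(&l, hook) : jump_unguarded(&l, hook);
    list_clear(&l);
    return lnum;
}

int main(void) { return demo(1, replacing_hook) == 40 ? 0 : 1; }
```

Calling `demo(0, replacing_hook)` under valgrind produces an "Invalid read of size 4" inside a free'd block, the same class of report as in the logs above.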
