[patch] fixed freeing of variable in .bss section in getchar.c

6 views
Skip to first unread message

Dominique Pellé

unread,
Nov 10, 2009, 2:15:55 PM11/10/09
to vim_dev
Hi

I saw the following error with Vim-7.2.284, which I can't reproduce
unfortunately:

==31786== Invalid free() / delete / delete[]
==31786== at 0x4024E5A: free (vg_replace_malloc.c:323)
==31786== by 0x8116582: vim_free (misc2.c:1644)
==31786== by 0x80D4E08: free_typebuf (getchar.c:1289)
==31786== by 0x80D4FE6: restore_typeahead (getchar.c:1350)
==31786== by 0x80B0DCA: ex_normal (ex_docmd.c:9103)
==31786== by 0x80A6E60: do_one_cmd (ex_docmd.c:2629)
==31786== by 0x80A4697: do_cmdline (ex_docmd.c:1098)
==31786== by 0x80905D0: call_user_func (eval.c:21292)
==31786== by 0x807C72F: call_func (eval.c:8123)
==31786== by 0x807C373: get_func_tv (eval.c:7969)
==31786== by 0x8075D74: ex_call (eval.c:3345)
==31786== by 0x80A6E60: do_one_cmd (ex_docmd.c:2629)
==31786== by 0x80A4697: do_cmdline (ex_docmd.c:1098)
==31786== by 0x80AC7DA: do_ucmd (ex_docmd.c:6059)
==31786== by 0x80A6E37: do_one_cmd (ex_docmd.c:2620)
==31786== by 0x80A4697: do_cmdline (ex_docmd.c:1098)
==31786== by 0x80A3BAA: do_exmode (ex_docmd.c:655)
==31786== by 0x812BDF4: nv_exmode (normal.c:5182)
==31786== by 0x8125554: normal_cmd (normal.c:1188)
==31786== by 0x80E7A84: main_loop (main.c:1204)
==31786== by 0x80E7577: main (main.c:948)
==31786== Address 0x82223bc is in the BSS segment of /home/pel/sb/vim7/src/vim

Looking at code of free_typebuf() in getchar.c, I see
something clearly wrong at line 1286:

1279 void
1280 free_typebuf()
1281 {
1282 if (typebuf.tb_buf == typebuf_init)
1283 EMSG2(_(e_intern2), "Free typebuf 1");
1284 else
1285 vim_free(typebuf.tb_buf);
1286 if (typebuf.tb_buf == noremapbuf_init)
1287 EMSG2(_(e_intern2), "Free typebuf 2");
1288 else
1289 vim_free(typebuf.tb_noremap);
1290 }

Test at line 1286 is meant to test typebuf.tb_noremap
and not typebuf.tb_buf. Attached patch fixes it.

But the fix should just cause to have an error message
rather than trying to free something in .bss section.
So something else is wrong. Unfortunately, I have not
been to reproduce this error so it may be hard to track
down. Perhaps someone can figure it out from the
above stack.

Cheers
-- Dominique

fixed-free-bss-getchar.c-7.2.284.patch

Bram Moolenaar

unread,
Nov 11, 2009, 6:56:07 AM11/11/09
to Dominique Pellé, vim_dev

Dominique Pelle wrote:

Thanks for the fix. But it indeed doesn't solve the problem you
encountered.

The stack shows:
a user defined Ex command: do_ucmd()
calling a user defined function: call_user_func()
invoking ":normal": ex_normal()

Now there restoring typeahead fails. Something in the ":normal" must
have caused a problem, but we can't see what it was in the stack trace.

I hope you find a way to reproduce the problem.

--
FATAL ERROR! SYSTEM HALTED! - Press any key to continue doing nothing.

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

Dominique Pellé

unread,
Nov 11, 2009, 7:25:15 AM11/11/09
to vim_dev
Bram Moolenaar wrote:

> Dominique Pelle wrote:
...


I'll add temporarily in my source tree (but not in CVS), at the
beginning of free_typebuf():

assert(typebuf.tb_buf != typebuf_init);
assert(typebuf.tb_noremap != noremapbuf_init);

... so that if it happens again, I'll have a core file to analyze with
gdb. Without asserts, it's too easy to not notice the errors.

Hopefully I'll then find a way to reproduce it. Perhaps other
Vim developers can also put the asserts in case they manage
to reproduce it.

-- Dominique

Reply all
Reply to author
Forward
0 new messages