[patch] fixed freeing of variable in .bss section in getchar.c


[patch] fixed freeing of variable in .bss section in getchar.c

by Dominique Pellé


Hi

I saw the following error with Vim-7.2.284, which I can't reproduce
unfortunately:

==31786== Invalid free() / delete / delete[]
==31786==    at 0x4024E5A: free (vg_replace_malloc.c:323)
==31786==    by 0x8116582: vim_free (misc2.c:1644)
==31786==    by 0x80D4E08: free_typebuf (getchar.c:1289)
==31786==    by 0x80D4FE6: restore_typeahead (getchar.c:1350)
==31786==    by 0x80B0DCA: ex_normal (ex_docmd.c:9103)
==31786==    by 0x80A6E60: do_one_cmd (ex_docmd.c:2629)
==31786==    by 0x80A4697: do_cmdline (ex_docmd.c:1098)
==31786==    by 0x80905D0: call_user_func (eval.c:21292)
==31786==    by 0x807C72F: call_func (eval.c:8123)
==31786==    by 0x807C373: get_func_tv (eval.c:7969)
==31786==    by 0x8075D74: ex_call (eval.c:3345)
==31786==    by 0x80A6E60: do_one_cmd (ex_docmd.c:2629)
==31786==    by 0x80A4697: do_cmdline (ex_docmd.c:1098)
==31786==    by 0x80AC7DA: do_ucmd (ex_docmd.c:6059)
==31786==    by 0x80A6E37: do_one_cmd (ex_docmd.c:2620)
==31786==    by 0x80A4697: do_cmdline (ex_docmd.c:1098)
==31786==    by 0x80A3BAA: do_exmode (ex_docmd.c:655)
==31786==    by 0x812BDF4: nv_exmode (normal.c:5182)
==31786==    by 0x8125554: normal_cmd (normal.c:1188)
==31786==    by 0x80E7A84: main_loop (main.c:1204)
==31786==    by 0x80E7577: main (main.c:948)
==31786==  Address 0x82223bc is in the BSS segment of /home/pel/sb/vim7/src/vim

Looking at the code of free_typebuf() in getchar.c, I see
something clearly wrong at line 1286:

1279     void
1280 free_typebuf()
1281 {
1282     if (typebuf.tb_buf == typebuf_init)
1283         EMSG2(_(e_intern2), "Free typebuf 1");
1284     else
1285         vim_free(typebuf.tb_buf);
1286     if (typebuf.tb_buf == noremapbuf_init)
1287         EMSG2(_(e_intern2), "Free typebuf 2");
1288     else
1289         vim_free(typebuf.tb_noremap);
1290 }

The test at line 1286 is meant to test typebuf.tb_noremap
and not typebuf.tb_buf.  The attached patch fixes it.

But the fix should just cause an error message to be shown
rather than trying to free something in the .bss section.
So something else is wrong. Unfortunately, I have not
been able to reproduce this error so it may be hard to track
down.  Perhaps someone can figure it out from the
above stack.

Cheers
-- Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---



Index: getchar.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/getchar.c,v
retrieving revision 1.57
diff -c -r1.57 getchar.c
*** getchar.c 30 Sep 2009 13:15:48 -0000 1.57
--- getchar.c 10 Nov 2009 19:08:17 -0000
***************
*** 22,28 ****
   * These buffers are used for storing:
   * - stuffed characters: A command that is translated into another command.
   * - redo characters: will redo the last change.
!  * - recorded chracters: for the "q" command.
   *
   * The bytes are stored like in the typeahead buffer:
   * - K_SPECIAL introduces a special key (two more bytes follow).  A literal
--- 22,28 ----
   * These buffers are used for storing:
   * - stuffed characters: A command that is translated into another command.
   * - redo characters: will redo the last change.
!  * - recorded characters: for the "q" command.
   *
   * The bytes are stored like in the typeahead buffer:
   * - K_SPECIAL introduces a special key (two more bytes follow).  A literal
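Review bot: This hunk, and the three that follow the free_typebuf() hunk, are comment-only spelling corrections (chracters, modifers, abbrevation, "al keyword chars") that are unrelated to the functional fix; keeping cosmetic changes in a separate patch makes the real change easier to review and to bisect later. The corrections themselves are fine.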
***************
*** 1283,1289 ****
  EMSG2(_(e_intern2), "Free typebuf 1");
      else
  vim_free(typebuf.tb_buf);
!     if (typebuf.tb_buf == noremapbuf_init)
  EMSG2(_(e_intern2), "Free typebuf 2");
      else
  vim_free(typebuf.tb_noremap);
--- 1283,1289 ----
  EMSG2(_(e_intern2), "Free typebuf 1");
      else
  vim_free(typebuf.tb_buf);
!     if (typebuf.tb_noremap == noremapbuf_init)
  EMSG2(_(e_intern2), "Free typebuf 2");
      else
  vim_free(typebuf.tb_noremap);
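Review bot: The corrected test `!     if (typebuf.tb_noremap == noremapbuf_init)` now matches the `vim_free(typebuf.tb_noremap);` in its else branch, and it fits the valgrind trace, which reports the invalid free at getchar.c:1289 on a BSS address: with the old test comparing tb_buf, a tb_noremap that still pointed at noremapbuf_init could never be caught, so that check was effectively dead. Two things the hunk does not address: neither branch resets the pointer after vim_free(), so a second call to free_typebuf() on the same state would hand the same heap block to free() again, and, as the submitter notes, with the fix applied the same state will now produce the "Free typebuf 2" internal error instead of the crash, which is a better symptom but still a symptom; the root cause of tb_noremap being left at its init buffer is elsewhere in the ":normal" path.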
***************
*** 1516,1522 ****
   * wanted.
   * This translates escaped K_SPECIAL and CSI bytes to a K_SPECIAL or CSI byte.
   * Collects the bytes of a multibyte character into the whole character.
!  * Returns the modifers in the global "mod_mask".
   */
      int
  vgetc()
--- 1516,1522 ----
   * wanted.
   * This translates escaped K_SPECIAL and CSI bytes to a K_SPECIAL or CSI byte.
   * Collects the bytes of a multibyte character into the whole character.
!  * Returns the modifiers in the global "mod_mask".
   */
      int
  vgetc()
***************
*** 3320,3326 ****
     retval = 1;
     goto theend;
  }
!    /* An abbrevation cannot contain white space. */
     for (n = 0; n < len; ++n)
  if (vim_iswhite(keys[n]))
  {
--- 3320,3326 ----
     retval = 1;
     goto theend;
  }
!    /* An abbreviation cannot contain white space. */
     for (n = 0; n < len; ++n)
  if (vim_iswhite(keys[n]))
  {
***************
*** 4272,4278 ****
 
      /*
       * Check for word before the cursor: If it ends in a keyword char all
!      * chars before it must be al keyword chars or non-keyword chars, but not
       * white space. If it ends in a non-keyword char we accept any characters
       * before it except white space.
       */
--- 4272,4278 ----
 
      /*
       * Check for word before the cursor: If it ends in a keyword char all
!      * chars before it must be keyword chars or non-keyword chars, but not
       * white space. If it ends in a non-keyword char we accept any characters
       * before it except white space.
       */


Re: [patch] fixed freeing of variable in .bss section in getchar.c

by Bram Moolenaar




Dominique Pelle wrote:

> I saw the following error with Vim-7.2.284, which I can't reproduce
> unfortunately:
>
> ==31786== Invalid free() / delete / delete[]
> ==31786==    at 0x4024E5A: free (vg_replace_malloc.c:323)
> ==31786==    by 0x8116582: vim_free (misc2.c:1644)
> ==31786==    by 0x80D4E08: free_typebuf (getchar.c:1289)
> ==31786==    by 0x80D4FE6: restore_typeahead (getchar.c:1350)
> ==31786==    by 0x80B0DCA: ex_normal (ex_docmd.c:9103)
> ==31786==    by 0x80A6E60: do_one_cmd (ex_docmd.c:2629)
> ==31786==    by 0x80A4697: do_cmdline (ex_docmd.c:1098)
> ==31786==    by 0x80905D0: call_user_func (eval.c:21292)
> ==31786==    by 0x807C72F: call_func (eval.c:8123)
> ==31786==    by 0x807C373: get_func_tv (eval.c:7969)
> ==31786==    by 0x8075D74: ex_call (eval.c:3345)
> ==31786==    by 0x80A6E60: do_one_cmd (ex_docmd.c:2629)
> ==31786==    by 0x80A4697: do_cmdline (ex_docmd.c:1098)
> ==31786==    by 0x80AC7DA: do_ucmd (ex_docmd.c:6059)
> ==31786==    by 0x80A6E37: do_one_cmd (ex_docmd.c:2620)
> ==31786==    by 0x80A4697: do_cmdline (ex_docmd.c:1098)
> ==31786==    by 0x80A3BAA: do_exmode (ex_docmd.c:655)
> ==31786==    by 0x812BDF4: nv_exmode (normal.c:5182)
> ==31786==    by 0x8125554: normal_cmd (normal.c:1188)
> ==31786==    by 0x80E7A84: main_loop (main.c:1204)
> ==31786==    by 0x80E7577: main (main.c:948)
> ==31786==  Address 0x82223bc is in the BSS segment of /home/pel/sb/vim7/src/vim
>
> Looking at the code of free_typebuf() in getchar.c, I see
> something clearly wrong at line 1286:
>
> 1279     void
> 1280 free_typebuf()
> 1281 {
> 1282     if (typebuf.tb_buf == typebuf_init)
> 1283         EMSG2(_(e_intern2), "Free typebuf 1");
> 1284     else
> 1285         vim_free(typebuf.tb_buf);
> 1286     if (typebuf.tb_buf == noremapbuf_init)
> 1287         EMSG2(_(e_intern2), "Free typebuf 2");
> 1288     else
> 1289         vim_free(typebuf.tb_noremap);
> 1290 }
>
> The test at line 1286 is meant to test typebuf.tb_noremap
> and not typebuf.tb_buf.  The attached patch fixes it.
>
> But the fix should just cause an error message to be shown
> rather than trying to free something in the .bss section.
> So something else is wrong. Unfortunately, I have not
> been able to reproduce this error so it may be hard to track
> down.  Perhaps someone can figure it out from the
> above stack.

Thanks for the fix.  But it indeed doesn't solve the problem you
encountered.

The stack shows:
        a user defined Ex command: do_ucmd()
        calling a user defined function: call_user_func()
        invoking ":normal": ex_normal()

Now restoring the typeahead there fails.  Something in the ":normal" must
have caused a problem, but we can't see what it was in the stack trace.

I hope you find a way to reproduce the problem.

--
FATAL ERROR! SYSTEM HALTED! - Press any key to continue doing nothing.

 /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///



Re: [patch] fixed freeing of variable in .bss section in getchar.c

by Dominique Pellé



Bram Moolenaar wrote:

> Dominique Pelle wrote:
...

>> 1279     void
>> 1280 free_typebuf()
>> 1281 {
>> 1282     if (typebuf.tb_buf == typebuf_init)
>> 1283         EMSG2(_(e_intern2), "Free typebuf 1");
>> 1284     else
>> 1285         vim_free(typebuf.tb_buf);
>> 1286     if (typebuf.tb_buf == noremapbuf_init)
>> 1287         EMSG2(_(e_intern2), "Free typebuf 2");
>> 1288     else
>> 1289         vim_free(typebuf.tb_noremap);
>> 1290 }
>>
>> The test at line 1286 is meant to test typebuf.tb_noremap
>> and not typebuf.tb_buf.  The attached patch fixes it.
>>
>> But the fix should just cause an error message to be shown
>> rather than trying to free something in the .bss section.
>> So something else is wrong. Unfortunately, I have not
>> been able to reproduce this error so it may be hard to track
>> down.  Perhaps someone can figure it out from the
>> above stack.
>
> Thanks for the fix.  But it indeed doesn't solve the problem you
> encountered.
>
> The stack shows:
>        a user defined Ex command: do_ucmd()
>        calling a user defined function: call_user_func()
>        invoking ":normal": ex_normal()
>
> Now restoring the typeahead there fails.  Something in the ":normal" must
> have caused a problem, but we can't see what it was in the stack trace.
>
> I hope you find a way to reproduce the problem.


I'll add temporarily in my source tree (but not in CVS), at the
beginning of free_typebuf():

   assert(typebuf.tb_buf != typebuf_init);
   assert(typebuf.tb_noremap != noremapbuf_init);

... so that if it happens again, I'll have a core file to analyze with
gdb. Without asserts, it's too easy to not notice the errors.

Hopefully I'll then find a way to reproduce it.  Perhaps other
Vim developers can also put the asserts in, in case they manage
to reproduce it.

-- Dominique

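The two versions of the free_typebuf() check from the first message, and the .bss-free condition the asserts in the last message are meant to trap, as an added C model that is not Vim's own code: typebuf, typebuf_init, noremapbuf_init, guarded_free(), free_typebuf_model() and set_typebuf_state() are constructed stand-ins for the real globals and for vim_free(). The returned flags make the difference visible: before the patch the second test can never fire (tb_buf is never equal to noremapbuf_init), so a tb_noremap still pointing at the static buffer goes straight to free(); after the patch the same state takes the error-message path instead.

```c
#include <stdlib.h>

/* Constructed model of Vim's typeahead state, not Vim's own code: tb_buf and
 * tb_noremap usually point at malloc'ed memory, but at startup they point at
 * these static arrays, which live in .bss and must never reach free(). */
#define TYPELEN_INIT 64
static char typebuf_init[TYPELEN_INIT];
static char noremapbuf_init[TYPELEN_INIT];
static struct { char *tb_buf; char *tb_noremap; } typebuf;

/* Outcome flags so the caller can see which branch each check took. */
enum { FREED_BUF = 1, FREED_NOREMAP = 2, ERR_BUF = 4, ERR_NOREMAP = 8,
       BAD_FREE = 16 };

/* Stand-in for vim_free(): where the real code would hand a .bss address to
 * free(), record BAD_FREE instead. This is the condition the asserts
 * proposed in the thread would turn into a core file. */
static int guarded_free(char *p, int *flags)
{
    if (p == typebuf_init || p == noremapbuf_init) {
        *flags |= BAD_FREE;
        return 0;
    }
    free(p);
    return 1;
}

/* free_typebuf() with the second check as it stood before the patch
 * (patched == 0: tb_buf compared with noremapbuf_init) or after it
 * (patched != 0: tb_noremap compared with noremapbuf_init). */
int free_typebuf_model(int patched)
{
    int flags = 0;
    char *second = patched ? typebuf.tb_noremap : typebuf.tb_buf;
    if (typebuf.tb_buf == typebuf_init) flags |= ERR_BUF;       /* "Free typebuf 1" */
    else if (guarded_free(typebuf.tb_buf, &flags)) flags |= FREED_BUF;
    if (second == noremapbuf_init) flags |= ERR_NOREMAP;        /* "Free typebuf 2" */
    else if (guarded_free(typebuf.tb_noremap, &flags)) flags |= FREED_NOREMAP;
    return flags;
}

/* Put typebuf into a chosen state; a 0 argument selects the static buffer.
 * (1, 0) is the state the valgrind report points at: tb_buf on the heap,
 * tb_noremap still the .bss initialiser. */
void set_typebuf_state(int heap_buf, int heap_noremap)
{
    typebuf.tb_buf = heap_buf ? malloc(TYPELEN_INIT) : typebuf_init;
    typebuf.tb_noremap = heap_noremap ? malloc(TYPELEN_INIT) : noremapbuf_init;
}
```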