# HG changeset patch # User Christian Brabandt # Date 1458683105 -3600 # Node ID 077706f01e80775be321450141b99e129c0b20da # Parent 5a9b6ac760cc10bb78c8cc44075c83f7736c1a4a commit https://github.com/vim/vim/commit/5f436fcf9960c95702820d5ac1b8b612995f6c04 Author: Bram Moolenaar Date: Tue Mar 22 22:34:03 2016 +0100 patch 7.4.1639 Problem: Invoking garbage collection may cause a double free. Solution: Don't free the dict in a partial when recursive is FALSE. diff --git a/src/eval.c b/src/eval.c --- a/src/eval.c +++ b/src/eval.c @@ -209,7 +209,9 @@ static hashtab_T func_hashtab; /* The names of packages that once were loaded are remembered. */ static garray_T ga_loaded = {0, 0, sizeof(char_u *), 4, NULL}; -/* list heads for garbage collection */ +/* List heads for garbage collection. Although there can be a reference loop + * from partial to dict to partial, we don't need to keep track of the partial, + * since it will get freed when the dict is unused and gets freed. */ static dict_T *first_dict = NULL; /* list of all dicts */ static list_T *first_list = NULL; /* list of all lists */ @@ -7130,9 +7132,14 @@ set_ref_in_item( list_T *ll; int abort = FALSE; - if (tv->v_type == VAR_DICT) - { - dd = tv->vval.v_dict; + if (tv->v_type == VAR_DICT || tv->v_type == VAR_PARTIAL) + { + if (tv->v_type == VAR_DICT) + dd = tv->vval.v_dict; + else if (tv->vval.v_partial != NULL) + dd = tv->vval.v_partial->pt_dict; + else + dd = NULL; if (dd != NULL && dd->dv_copyID != copyID) { /* Didn't see this dict yet. */ @@ -7184,6 +7191,32 @@ set_ref_in_item( return abort; } + static void +partial_free(partial_T *pt, int free_dict) +{ + int i; + + for (i = 0; i < pt->pt_argc; ++i) + clear_tv(&pt->pt_argv[i]); + vim_free(pt->pt_argv); + if (free_dict) + dict_unref(pt->pt_dict); + func_unref(pt->pt_name); + vim_free(pt->pt_name); + vim_free(pt); +} + +/* + * Unreference a closure: decrement the reference count and free it when it + * becomes zero. + */ + void +partial_unref(partial_T *pt) +{ + if (pt != NULL && --pt->pt_refcount <= 0) + partial_free(pt, TRUE); +} + /* * Allocate an empty header for a dictionary. */ @@ -7275,7 +7308,18 @@ dict_free( hash_remove(&d->dv_hashtab, hi); if (recurse || (di->di_tv.v_type != VAR_LIST && di->di_tv.v_type != VAR_DICT)) - clear_tv(&di->di_tv); + { + if (!recurse && di->di_tv.v_type == VAR_PARTIAL) + { + partial_T *pt = di->di_tv.vval.v_partial; + + /* We unref the partial but not the dict it refers to. */ + if (pt != NULL && --pt->pt_refcount == 0) + partial_free(pt, FALSE); + } + else + clear_tv(&di->di_tv); + } vim_free(di); --todo; } @@ -12011,31 +12055,6 @@ f_function(typval_T *argvars, typval_T * } } - static void -partial_free(partial_T *pt) -{ - int i; - - for (i = 0; i < pt->pt_argc; ++i) - clear_tv(&pt->pt_argv[i]); - vim_free(pt->pt_argv); - dict_unref(pt->pt_dict); - func_unref(pt->pt_name); - vim_free(pt->pt_name); - vim_free(pt); -} - -/* - * Unreference a closure: decrement the reference count and free it when it - * becomes zero. - */ - void -partial_unref(partial_T *pt) -{ - if (pt != NULL && --pt->pt_refcount <= 0) - partial_free(pt); -} - /* * "garbagecollect()" function */ diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -749,6 +749,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 1639, +/**/ 1638, /**/ 1637,