Mercurial > vim

changeset 8074:dc32c8026899 v7.4.1331

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
commit https://github.com/vim/vim/commit/d46ae142aa9452e99576b5e923de974704e3c896 Author: Bram Moolenaar <Bram@vim.org> Date: Tue Feb 16 13:33:52 2016 +0100 patch 7.4.1331 Problem: Crash when closing the channel in a callback. (Christian J. Robinson) Solution: Take the callback out of the list before invoking it.
author Christian Brabandt <cb@256bit.org>
date Tue, 16 Feb 2016 13:45:04 +0100
parents 42db5fe07958
children dadd50418275
files src/channel.c src/testdir/test_channel.vim src/version.c
diffstat 3 files changed, 39 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/src/channel.c
+++ b/src/channel.c
@@ -888,8 +888,7 @@ channel_parse_json(channel_T *channel)
 }
 
 /*
- * Remove "node" from the queue that it is in and free it.
- * Also frees the contained callback name.
+ * Remove "node" from the queue that it is in.  Does not free it.
  */
     static void
 remove_cb_node(cbq_T *head, cbq_T *node)
@@ -902,8 +901,6 @@ remove_cb_node(cbq_T *head, cbq_T *node)
 	head->cq_prev = node->cq_prev;
     else
 	node->cq_next->cq_prev = node->cq_prev;
-    vim_free(node->cq_callback);
-    vim_free(node);
 }
 
 /*
@@ -1144,8 +1141,12 @@ may_invoke_callback(channel_T *channel)
 	    if (item->cq_seq_nr == seq_nr)
 	    {
 		ch_log(channel, "Invoking one-time callback\n");
+		/* Remove the item from the list first, if the callback
+		 * invokes ch_close() the list will be cleared. */
+		remove_cb_node(head, item);
 		invoke_callback(channel, item->cq_callback, argv);
-		remove_cb_node(head, item);
+		vim_free(item->cq_callback);
+		vim_free(item);
 		done = TRUE;
 		break;
 	    }
@@ -1329,7 +1330,13 @@ channel_clear(channel_T *channel)
 	vim_free(channel_get(channel));
 
     while (cb_head->cq_next != NULL)
-	remove_cb_node(cb_head, cb_head->cq_next);
+    {
+	cbq_T *node = cb_head->cq_next;
+
+	remove_cb_node(cb_head, node);
+	vim_free(node->cq_callback);
+	vim_free(node);
+    }
 
     while (json_head->jq_next != NULL)
     {
--- a/src/testdir/test_channel.vim
+++ b/src/testdir/test_channel.vim
@@ -301,6 +301,8 @@ func Test_pipe()
   endtry
 endfunc
 
+""""""""""
+
 let s:unletResponse = ''
 func s:UnletHandler(handle, msg)
   let s:unletResponse = a:msg
@@ -319,6 +321,28 @@ func Test_unlet_handle()
   call s:run_server('s:unlet_handle')
 endfunc
 
+""""""""""
+
+let s:unletResponse = ''
+func s:CloseHandler(handle, msg)
+  let s:unletResponse = a:msg
+  call ch_close(s:channelfd)
+endfunc
+
+" Test that "unlet handle" in a handler doesn't crash Vim.
+func s:close_handle(port)
+  let s:channelfd = ch_open('localhost:' . a:port, s:chopt)
+  call ch_sendexpr(s:channelfd, "test", function('s:CloseHandler'))
+  sleep 10m
+  call assert_equal('what?', s:unletResponse)
+endfunc
+
+func Test_close_handle()
+  call s:run_server('s:close_handle')
+endfunc
+
+""""""""""
+
 func Test_open_fail()
   silent! let ch = ch_open("noserver")
   echo ch
--- a/src/version.c
+++ b/src/version.c
@@ -748,6 +748,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1331,
+/**/
     1330,
 /**/
     1329,