patch 8.1.1485: double free when garbage_collect() is used in autocommand

Problem:    Double free when garbage_collect() is used in autocommand.
Solution:   Have garbage collection also set the copyID in funccal_stack.

diff --git a/src/eval.c b/src/eval.c
index 5452f45437d7ace82641ce6eaea0e88e1b76974b..abb3b40692358459c17b6c8e4c48e08bb9c87e88 100644 (file)
--- a/src/eval.c
+++ b/src/eval.c
@@ -430,12 +430,11 @@ eval_clear(void)
        vim_free(SCRIPT_SV(i));
     ga_clear(&ga_scripts);
 
-    // functions need to be freed before gargabe collecting, otherwise local
-    // variables might be freed twice.
-    free_all_functions();
-
     // unreferenced lists and dicts
     (void)garbage_collect(FALSE);
+
+    // functions not garbage collected
+    free_all_functions();
 }
 #endif
 

diff --git a/src/userfunc.c b/src/userfunc.c
index 7abde07e354c9f1a1f739811dd6da55de015177b..3a0219af46a0538ab4be7536a4d1d1b0cfcce3f3 100644 (file)
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -4030,11 +4030,18 @@ set_ref_in_funccal(funccall_T *fc, int copyID)
     int
 set_ref_in_call_stack(int copyID)
 {
-    int                abort = FALSE;
-    funccall_T *fc;
+    int                        abort = FALSE;
+    funccall_T         *fc;
+    funccal_entry_T    *entry;
 
     for (fc = current_funccal; fc != NULL; fc = fc->caller)
        abort = abort || set_ref_in_funccal(fc, copyID);
+
+    // Also go through the funccal_stack.
+    for (entry = funccal_stack; entry != NULL; entry = entry->next)
+       for (fc = entry->top_funccal; fc != NULL; fc = fc->caller)
+           abort = abort || set_ref_in_funccal(fc, copyID);
+
     return abort;
 }
 

diff --git a/src/version.c b/src/version.c
index bbfbfe17d7f4e0dd3b6315685aa9206c0a3c59ca..4c44f2e3cb80db86759e88001ea560c093301939 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -767,6 +767,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1485,
 /**/
     1484,
 /**/