Problem: Vim9: accessing freed memory when checking type.
Solution: Make a copy of a function type.
int vim9script = in_vim9script();
int var_in_vim9script;
int flags = flags_arg;
+ int free_tv_arg = !copy; // free tv_arg if not used
ht = find_var_ht(name, &varname);
if (ht == NULL || *varname == NUL)
dest_tv->v_lock = 0;
init_tv(tv);
}
+ free_tv_arg = FALSE;
if (vim9script && type != NULL)
{
// if the reference count is up to one. That locks only literal
// values.
item_lock(dest_tv, DICT_MAXNEST, TRUE, TRUE);
- return;
failed:
- if (!copy)
+ if (free_tv_arg)
clear_tv(tv_arg);
}
char_u *sv_name; // points into "sn_all_vars" di_key
typval_T *sv_tv; // points into "sn_vars" or "sn_all_vars" di_tv
type_T *sv_type;
+ int sv_type_allocated; // call free_type() for sv_type
int sv_const; // 0, ASSIGN_CONST or ASSIGN_FINAL
int sv_export; // "export let var = val"
};
CheckScriptSuccess(lines)
enddef
+def Test_lambda_type_allocated()
+ # Check that unreferencing a partial using a lambda can use the variable type
+ # after the lambda has been freed and does not leak memory.
+ var lines =<< trim END
+ vim9script
+
+ func MyomniFunc1(val, findstart, base)
+ return a:findstart ? 0 : []
+ endfunc
+
+ var Lambda = (a, b) => MyomniFunc1(19, a, b)
+ &omnifunc = Lambda
+ Lambda = (a, b) => MyomniFunc1(20, a, b)
+ &omnifunc = string(Lambda)
+ Lambda = (a, b) => strlen(a)
+ END
+ CheckScriptSuccess(lines)
+enddef
+
" Default arg and varargs
def MyDefVarargs(one: string, two = 'foo', ...rest: list<string>): string
var res = one .. ',' .. two
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 3771,
/**/
3770,
/**/
hashitem_T *hi;
sallvar_T *sav;
sallvar_T *sav_next;
+ int idx;
hash_lock(ht);
todo = (int)ht->ht_used;
hash_clear(ht);
hash_init(ht);
+ for (idx = 0; idx < si->sn_var_vals.ga_len; ++idx)
+ {
+ svar_T *sv = ((svar_T *)si->sn_var_vals.ga_data) + idx;
+
+ if (sv->sv_type_allocated)
+ free_type(sv->sv_type);
+ }
ga_clear(&si->sn_var_vals);
// existing commands using script variable indexes are no longer valid
{
if (*type == NULL)
*type = typval2type(tv, get_copyID(), &si->sn_type_list, do_member);
- sv->sv_type = *type;
+ if (sv->sv_type_allocated)
+ free_type(sv->sv_type);
+ if (*type != NULL && ((*type)->tt_type == VAR_FUNC
+ || (*type)->tt_type == VAR_PARTIAL))
+ {
+ // The type probably uses uf_type_list, which is cleared when the
+ // function is freed, but the script variable may keep the type.
+ // Make a copy to avoid using freed memory.
+ sv->sv_type = alloc_type(*type);
+ sv->sv_type_allocated = TRUE;
+ }
+ else
+ {
+ sv->sv_type = *type;
+ sv->sv_type_allocated = FALSE;
+ }
}
// let ex_export() know the export worked.
projects / vim / commitdiff