Fix ConPTY double-free #5835

Closed

ntak commented Mar 23, 2020

channel_free_channel() was called twice. That's my old patch.
In some situations, vim.exe will go down.

I must reduce these mistakes consciously.

ntak commented Mar 23, 2020

This is a problem report.
vim-jp/issues#1338

mattn commented Mar 24, 2020

This is not fixed. channel_clear_one calls channel_parse_messages to get the rest of the contents. It causes a double-free.

https://gist.github.com/8cb49a86b74559a10bccd753785e42d3

ntak commented Mar 24, 2020

That is my mistake. I forgot to point out. I'm sorry to trouble you. Correct and submit again.

brammool commented Mar 24, 2020

ntak commented Mar 24, 2020

My skills are not enough. There is no better way than that change.
Should I submit a new PR? Or please correct it.
I think it should have been written from the beginning.

brammool commented Mar 24, 2020

Should be fixed by patch 8.2.0442

mattn commented Mar 25, 2020

Not fixed. It still crashes. channel_parse_messages is called recursively. So we need to block freeing.

brammool commented Mar 25, 2020

ntak commented Mar 26, 2020

via channel_clear_one().
vim-jp/issues#1338 (comment)

In other words, like this ... ?

diff --git a/src/channel.c b/src/channel.c
index a57ed9ccf..b2dc78f25 100644
--- a/src/channel.c
+++ b/src/channel.c
@@ -4456,6 +4456,7 @@ channel_parse_messages(void)
 	}
 	if (channel->ch_to_be_freed || channel->ch_killing)
 	{
+	    channel->ch_killing = FALSE;
 	    channel_free_contents(channel);
 	    if (channel->ch_job != NULL)
 		channel->ch_job->jv_channel = NULL;
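Review bot: Clearing only ch_killing at the top of the `if (channel->ch_to_be_freed || channel->ch_killing)` branch leaves ch_to_be_freed set while channel_free_contents() runs, so a nested channel_parse_messages() call (the thread reports one arriving via channel_clear_one()) can still enter this branch for the same channel and free it again. Consider clearing both flags before the call, or returning early from a recursive call at function entry, and add a comment above the new line saying which re-entry it protects against.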
brammool added a commit that referenced this pull request Mar 26, 2020
Problem:    channel_parse_messages() fails when called recursively.
Solution:   Return for a recursive call. (closes #5835)
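
The re-entrancy pattern discussed in this thread, as an added example that is not Vim's code or the referenced patch: a cleanup path re-enters the parser while the "to be freed" flag is still set, and an entry guard that returns for a recursive call keeps the release to a single pass. All names (`chan_t`, `parse_messages`, `clear_one`, `free_contents`, `run_demo`) are hypothetical stand-ins, and releases are counted rather than actually freeing the same pointer twice.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a channel; not Vim's channel_T. */
typedef struct {
    int   to_be_freed;  /* cleanup has been requested */
    int   pending;      /* unread input is still queued */
    char *buf;          /* owned buffer */
    int   free_calls;   /* times free_contents() ran for this channel */
} chan_t;

static int use_guard;   /* 1 = return early from a recursive call */
static void parse_messages(chan_t *ch);

/* Draining leftover input calls back into the parser. */
static void clear_one(chan_t *ch)
{
    if (ch->pending)
    {
        ch->pending = 0;
        parse_messages(ch);   /* re-entry while to_be_freed is still set */
    }
}

static void free_contents(chan_t *ch)
{
    ch->free_calls++;
    clear_one(ch);
    free(ch->buf);            /* repeat is harmless here: buf is NULLed below */
    ch->buf = NULL;
}

static void parse_messages(chan_t *ch)
{
    static int depth;         /* > 0 while an outer call is still running */

    if (use_guard && depth > 0)
        return;               /* recursive call: the outer call finishes the job */
    depth++;
    if (ch->to_be_freed)
    {
        free_contents(ch);
        ch->to_be_freed = 0;
    }
    depth--;
}

/* Returns how many times one channel's contents were released. */
int run_demo(int guard)
{
    chan_t ch = { .to_be_freed = 1, .pending = 1, .buf = malloc(16) };

    use_guard = guard;
    parse_messages(&ch);
    return ch.free_calls;
}
```
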

brammool commented Mar 26, 2020

ntak commented Mar 26, 2020

In this comment, the reporter states that the problem has been resolved.
vim-jp/issues#1338 (comment)

Repro case Japanese: "再現手順".
vim-jp/issues#1338 (comment)

I have to tell me that I never end up studying. Thank you very much.
