Bug#453049: vim: crash when attempting [Tab] command completion on ~homeDir

Frank van Viegen debian at vanViegen.net
Mon Nov 26 22:50:03 UTC 2007


Package: vim
Version: 1:7.1-138+1
Severity: normal


After starting a clean vim (vim -U NONE -u NONE), leave compatibility
mode (:set nocp) and try to [Tab]-autocomplete a user's home directory
when opening a file (:e ~x[Tab]). On the two systems I have tested it,
this consistently results in:


....*** glibc detected *** vim: double free or corruption (fasttop): 0x081ba488 ***
<----- CUT NOT-SO-HELPFUL BACKTRACE ----->
<----- CUT USELESS MEMORY MAP ----->
Vim: Caught deadly signal ABRT
Vim: Finished.
Vim: Double signal, exiting
Killed


I have recompiled and reinstalled the vim .debs using 
"DEB_BUILD_OPTIONS=nostrip,noopt" and unleashed valgrind on it, with the
following results:


==24877== Invalid free() / delete / delete[]
==24877==    at 0x402437F: free (vg_replace_malloc.c:233)
==24877==    by 0x80A246A: ExpandOne (ex_getln.c:3550)
==24877==    by 0x80A4225: nextwild (ex_getln.c:3254)
==24877==    by 0x80A65ED: getcmdline (ex_getln.c:795)
==24877==    by 0x809AF6E: do_cmdline (ex_docmd.c:995)
==24877==    by 0x80FD43E: nv_colon (normal.c:5168)
==24877==    by 0x80FFD4B: normal_cmd (normal.c:1141)
==24877==    by 0x80C9182: main_loop (main.c:1181)
==24877==    by 0x80CB782: main (main.c:940)
==24877==  Address 0x44BAD88 is 0 bytes inside a block of size 5 free'd
==24877==    at 0x402437F: free (vg_replace_malloc.c:233)
==24877==    by 0x80A2490: ExpandOne (ex_getln.c:3422)
==24877==    by 0x80E4D66: expand_env_esc (misc1.c:3697)
==24877==    by 0x80E4E86: expand_env_save_opt (misc1.c:3533)
==24877==    by 0x80E4F8B: gen_expand_wildcards (misc1.c:9157)
==24877==    by 0x80E52EF: expand_wildcards (misc1.c:8424)
==24877==    by 0x80A1963: ExpandFromContext (ex_getln.c:4329)
==24877==    by 0x80A24B8: ExpandOne (ex_getln.c:3428)
==24877==    by 0x80A4225: nextwild (ex_getln.c:3254)
==24877==    by 0x80A65ED: getcmdline (ex_getln.c:795)
==24877==    by 0x809AF6E: do_cmdline (ex_docmd.c:995)
==24877==    by 0x80FD43E: nv_colon (normal.c:5168)


At least 1:7.1-022+1, the version of the vim packages I have been using
previously, did not have this bug. I'm guessing it's a regression caused
by upstream patch 7.1.127. Not sure about the proper fix though.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.17-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages vim depends on:
ii  libc6                     2.6.1-1+b1     GNU C Library: Shared libraries
ii  libgpmg1                  1.19.6-25      General Purpose Mouse - shared lib
ii  libncurses5               5.6+20071013-1 Shared libraries for terminal hand
ii  vim-common                1:7.1-138+1    Vi IMproved - Common files
ii  vim-runtime               1:7.1-138+1    Vi IMproved - Runtime files

vim recommends no packages.

-- no debconf information
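
The valgrind output in the report shows one block freed twice by two nested ExpandOne frames. The C model below is an added illustration of that shape, not Vim source and not part of the original report. The shared pointer `saved`, the functions `expand_outer` and `expand_nested`, and the tracking allocator are all hypothetical; the repeated free is counted rather than passed to the allocator, and clearing the pointer after free is shown as one generic mitigation, not as the upstream fix.

```c
/* Constructed model of the pattern in the trace; not Vim source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 8
static void *live[SLOTS];   /* blocks currently allocated */
static int double_frees;    /* frees of a block that is no longer live */

static char *tracked_dup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL) abort();
    strcpy(p, s);
    for (int i = 0; i < SLOTS; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort();                /* table full: cannot happen in this demo */
}

/* Stand-in for free() that records a repeated free instead of performing it. */
static void tracked_free(void *p) {
    if (p == NULL) return;                  /* free(NULL) is a no-op */
    for (int i = 0; i < SLOTS; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;         /* a real free() here would be a double free */
}

static char *saved;         /* hypothetical state shared by every invocation */

/* Nested invocation: releases the shared block before doing its own work. */
static void expand_nested(int hardened) {
    tracked_free(saved);
    if (hardened) saved = NULL;   /* leave no dangling pointer behind */
}

/* Outer invocation: stores the pattern, re-enters, then releases the block. */
static int expand_outer(const char *pat, int hardened) {
    double_frees = 0;
    saved = tracked_dup(pat);
    expand_nested(hardened);      /* re-entry, as in the nested trace frames */
    tracked_free(saved);          /* frees the same block again if dangling */
    saved = NULL;
    return double_frees;
}

int main(void) {
    printf("unhardened: %d repeated free(s)\n", expand_outer("~x", 0));
    printf("hardened:   %d repeated free(s)\n", expand_outer("~x", 1));
    return 0;
}
```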




