patch 8.1.1485: double free when garbage_collect() is used in autocommand

brammool · brammool · commit c07f67ad0e9c · 2019-06-06T19:03:17.000+02:00
Problem:    Double free when garbage_collect() is used in autocommand.
Solution:   Have garbage collection also set the copyID in funccal_stack.
diff --git a/src/eval.c b/src/eval.c
@@ -430,12 +430,11 @@ eval_clear(void)
 	vim_free(SCRIPT_SV(i));
     ga_clear(&ga_scripts);
 
-    // functions need to be freed before gargabe collecting, otherwise local
-    // variables might be freed twice.
-    free_all_functions();
-
     // unreferenced lists and dicts
     (void)garbage_collect(FALSE);
+
+    // functions not garbage collected
+    free_all_functions();
 }
 #endif
 
diff --git a/src/userfunc.c b/src/userfunc.c
@@ -4030,11 +4030,18 @@ set_ref_in_funccal(funccall_T *fc, int copyID)
     int
 set_ref_in_call_stack(int copyID)
 {
-    int		abort = FALSE;
-    funccall_T	*fc;
+    int			abort = FALSE;
+    funccall_T		*fc;
+    funccal_entry_T	*entry;
 
     for (fc = current_funccal; fc != NULL; fc = fc->caller)
 	abort = abort || set_ref_in_funccal(fc, copyID);
+
+    // Also go through the funccal_stack.
+    for (entry = funccal_stack; entry != NULL; entry = entry->next)
+	for (fc = entry->top_funccal; fc != NULL; fc = fc->caller)
+	    abort = abort || set_ref_in_funccal(fc, copyID);
+
     return abort;
 }
 
diff --git a/src/version.c b/src/version.c
@@ -767,6 +767,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1485,
 /**/
     1484,
 /**/
