patch 9.0.1050: using freed memory when assigning to variable twice
Problem: Using freed memory when assigning to variable twice.
Solution: Make copy of the list type. (closes #11691)
diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index b6e1a89..c489ae5 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -4519,6 +4519,36 @@
endif
enddef
+def Test_free_type_before_use()
+ # this rather complicated script was freeing a type before using it
+ var lines =<< trim END
+ vim9script
+
+ def Scan(rel: list<dict<any>>): func(func(dict<any>))
+ return (Emit: func(dict<any>)) => {
+ for t in rel
+ Emit(t)
+ endfor
+ }
+ enddef
+
+ def Build(Cont: func(func(dict<any>))): list<dict<any>>
+ var rel: list<dict<any>> = []
+ Cont((t) => {
+ add(rel, t)
+ })
+ return rel
+ enddef
+
+ var R = [{A: 0}]
+ var result = Scan(R)->Build()
+ result = Scan(R)->Build()
+
+ assert_equal(R, result)
+ END
+ v9.CheckScriptSuccess(lines)
+enddef
+
" Keep this last, it messes up highlighting.
def Test_substitute_cmd()
new
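Review bot: Test_free_type_before_use can only surface the freed-type access through `v9.CheckScriptSuccess(lines)` and `assert_equal(R, result)`, so on an ordinary build a regression may still pass whenever the freed memory happens to be intact. I would state that in the leading comment, e.g. `# use-after-free regression test; only reliable when run under ASan or valgrind`. The script covers a `list<dict<any>>` result assigned twice; a parallel case with a dict-typed result is worth adding if the dict path hands out its stored type the same way, which is not visible here. The following Test_substitute_cmd continues outside the hunk.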
diff --git a/src/version.c b/src/version.c
index 48d9250..f72d537 100644
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1050,
+/**/
1049,
/**/
1048,
diff --git a/src/vim9type.c b/src/vim9type.c
index f36fa5e..5d37ac5 100644
--- a/src/vim9type.c
+++ b/src/vim9type.c
@@ -403,7 +403,8 @@
if (l->lv_type != NULL && (l->lv_first == NULL
|| (flags & TVTT_MORE_SPECIFIC) == 0
|| l->lv_type->tt_member != &t_any))
- return l->lv_type;
+ // make a copy, lv_type may be freed if the list is freed
+ return copy_type(l->lv_type, type_gap);
if (l->lv_first == &range_list_item)
return &t_list_number;
if (l->lv_copyID == copyID)
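Review bot: The copy returned by `return copy_type(l->lv_type, type_gap);` only removes the dangling pointer if copy_type() also duplicates what `lv_type` points to, and its body is not in this diff. If it copies just the top-level type_T, the copy's `tt_member` still refers to memory owned by the list and can be freed with it, which matters for nested types such as the `list<dict<any>>` in the new test. I would confirm this and record it in the comment, e.g. `// make a deep copy: lv_type and its tt_member are freed when the list is freed`, or switch to a deep copy here. An allocation failure inside copy_type() should also not fall back to returning `l->lv_type` itself. The enclosing function starts and ends outside the hunk, so a matching dict branch could not be checked.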