- assigned_to: nobody --> dfishburn
This bug was registered as ID3548393, which was already closed in the past.
While processing Test/3548393.vim, the vim parser accesses memory that has been freed by realloc().
Accessing freed memory is an obvious programming error and should be fixed.
ctags version: SVN trunk
Whether this bug is detected depends on the malloc implementation you are using.
When I used the malloc implementation in glibc-2.3.6, the bug was not detected, and ctags exited normally.
Electric Fence and Valgrind can detect this.
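The traces below show the shape of the defect without the code itself: parseVimLine holds a pointer into the shared line buffer, a nested readVimLine grows that buffer, and the old block is freed under the pointer. This added C example (not ctags code; VString, vs_put, read_line and the two parse functions are hypothetical names) models that path and the fix of copying the line before the nested read.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal vString-like growable buffer; names are hypothetical, not ctags code. */
typedef struct { char *buf; size_t len, cap; } VString;
static void vs_init(VString *s) { s->cap = 8; s->len = 0; s->buf = calloc(1, s->cap); }
/* Like vStringAutoResize: grow by allocate-copy-free, which always moves the block
 * (as Electric Fence does); plain realloc() may not, which is why glibc 2.3.6 hid the bug. */
static void vs_put(VString *s, char c) {
    if (s->len + 2 > s->cap) {
        char *nb = calloc(1, s->cap * 2);
        memcpy(nb, s->buf, s->len);
        free(s->buf);                 /* any pointer saved into the old block now dangles */
        s->buf = nb; s->cap *= 2;
    }
    s->buf[s->len++] = c; s->buf[s->len] = '\0';
}
/* Like readVimLine: read one line of src into the shared buffer, return its start. */
static const char *read_line(VString *s, const char *src) {
    s->len = 0; s->buf[0] = '\0';
    while (*src && *src != '\n') vs_put(s, *src++);
    return s->buf;
}

/* Buggy shape: hold `line`, then let a nested call (parseFunction -> readVimLine) read
 * another line into the same buffer. Returns 1 when the saved address no longer matches
 * the live buffer, i.e. strncmp at vim.c:612 would read freed memory. The address is
 * kept as an integer and never dereferenced. */
static int line_is_stale(const char *l1, const char *l2) {
    VString s; vs_init(&s);
    uintptr_t line = (uintptr_t)read_line(&s, l1);
    read_line(&s, l2);                /* growth frees the block `line` refers to */
    int stale = (line != (uintptr_t)s.buf);
    free(s.buf);
    return stale;
}

/* Fixed shape: copy the line before the nested read (re-fetching s.buf afterwards also
 * works), so correctness no longer depends on where the allocator put the new block.
 * Returns 1 if the first line starts with "aug". */
static int parse_line_fixed(const char *l1, const char *l2) {
    VString s; vs_init(&s);
    const char *cur = read_line(&s, l1);
    char *line = malloc(strlen(cur) + 1);
    strcpy(line, cur);
    read_line(&s, l2);                /* buffer may move; the copy is unaffected */
    int is_aug = (strncmp(line, "aug", 3) == 0);
    free(line); free(s.buf);
    return is_aug;
}
```

A second line that fits the current capacity leaves the saved pointer valid, which is exactly why the fault only surfaces on inputs that force a resize and on allocators that move the block.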
==== How to reproduce using Electric Fence ====
$ env EF_ALLOW_MALLOC_0=1 EF_PROTECT_FREE=1 ef ./dctags Test/3548393.vim
Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
/usr/bin/ef: line 20: 3379 Segmentation fault (core dumped) ( export LD_PRELOAD=libefence.so.0.0; exec $* )
$ gdb -q dctags core.3379
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `./dctags Test/3548393.vim'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib64/libefence.so.0.0...done.
Loaded symbols for /usr/lib64/libefence.so.0.0
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0 0x000000000042da9c in parseVimLine (
line=0x2aaaab570f80 " let l:cmd = s:global_command . ' ' . l:option . 'e ' . g:Gtags_Shell_Quote_Char . a:pattern . g:Gtags_Shell_Quote_Char ") at vim.c:612
612 if (strncmp ((const char*) line, "aug", (size_t) 3) == 0)
==== How to reproduce using Valgrind ====
$ valgrind -q ./dctags Test/3548393.vim
==3421== Invalid read of size 1
==3421== at 0x42DA9C: parseVimLine (vim.c:612)
==3421== by 0x42DB31: parseVimFile (vim.c:631)
==3421== by 0x42DCE5: findVimTags (vim.c:726)
==3421== by 0x41F880: createTagsForFile (parse.c:617)
==3421== by 0x41F930: createTagsWithFallback (parse.c:639)
==3421== by 0x41F9FA: parseFile (parse.c:666)
==3421== by 0x416BBE: createTagsForEntry (main.c:303)
==3421== by 0x416BFA: createTagsForArgs (main.c:348)
==3421== by 0x4171B1: makeTags (main.c:494)
==3421== by 0x417350: main (main.c:562)
==3421== Address 0x4a46f60 is 0 bytes inside a block of size 128 free'd
==3421== at 0x4906828: realloc (vg_replace_malloc.c:476)
==3421== by 0x4238C0: eRealloc (routines.c:263)
==3421== by 0x42DDC0: vStringResize (vstring.c:36)
==3421== by 0x42DE1D: vStringAutoResize (vstring.c:54)
==3421== by 0x42DF1F: vStringPut (vstring.c:93)
==3421== by 0x4231BC: iFileGetLine (read.c:396)
==3421== by 0x423321: fileReadLine (read.c:468)
==3421== by 0x42CC78: readVimLine (vim.c:217)
==3421== by 0x42CF27: parseFunction (vim.c:284)
==3421== by 0x42DA6A: parseVimLine (vim.c:609)
==3421== by 0x42DB31: parseVimFile (vim.c:631)
==3421== by 0x42DCE5: findVimTags (vim.c:726)
==3421==
==3421== Invalid read of size 1
==3421== at 0x42DAF1: parseVimLine (vim.c:617)
==3421== by 0x42DB31: parseVimFile (vim.c:631)
==3421== by 0x42DCE5: findVimTags (vim.c:726)
==3421== by 0x41F880: createTagsForFile (parse.c:617)
==3421== by 0x41F930: createTagsWithFallback (parse.c:639)
==3421== by 0x41F9FA: parseFile (parse.c:666)
==3421== by 0x416BBE: createTagsForEntry (main.c:303)
==3421== by 0x416BFA: createTagsForArgs (main.c:348)
==3421== by 0x4171B1: makeTags (main.c:494)
==3421== by 0x417350: main (main.c:562)
==3421== Address 0x4a46f60 is 0 bytes inside a block of size 128 free'd
==3421== at 0x4906828: realloc (vg_replace_malloc.c:476)
==3421== by 0x4238C0: eRealloc (routines.c:263)
==3421== by 0x42DDC0: vStringResize (vstring.c:36)
==3421== by 0x42DE1D: vStringAutoResize (vstring.c:54)
==3421== by 0x42DF1F: vStringPut (vstring.c:93)
==3421== by 0x4231BC: iFileGetLine (read.c:396)
==3421== by 0x423321: fileReadLine (read.c:468)
==3421== by 0x42CC78: readVimLine (vim.c:217)
==3421== by 0x42CF27: parseFunction (vim.c:284)
==3421== by 0x42DA6A: parseVimLine (vim.c:609)
==3421== by 0x42DB31: parseVimFile (vim.c:631)
==3421== by 0x42DCE5: findVimTags (vim.c:726)
==3421==