vim crashed using rails.vim on Hardy

I confirm. After update to Hardy, vim crashes upon using the rails.vim plugin, while using TAB command autocompletion.

I confirm too!!. vim + rails.vim crashes while using TAB command autocompletion.

I confirm too !!! and this bug exists sinces months. It seems to be fixed in the unstable branch of debian.

https://bugs.launchpad.net/ubuntu/+source/vim/+bug/183935

Can someone give the exact steps to reproduce the bug?

1/ Install ruby and rails with gem with root access:
    apt-get install ruby rdoc ri libsqlite3-dev
    wget http://rubyforge.org/frs/download.php/35283/rubygems-1.1.1.tgz
    tar xfz rubygems-1.1.1.tgz
    cd rubygems-1.1.1
    ruby setup.rb
    ln /usr/bin/gem1.8 /usr/bin/gem
    gem install rails sqlite3-ruby

    (source: http://amanzi.blogspot.com/2007/11/quick-ruby-and-rail-on-ubuntu-710.html)

2/ Install the rails plugin with user access:
    git clone git://git.tpope.net/git/vim-rails.git
    cp vim-rails/autoload vim-rails/doc vim-rails/plugin ~/.vim -R

3/ Create a rails application with user access:
    rails test_crash
    cd test_crash

3.1/ Create a controller for rails
    ./script/generate controller Test

    launch vim to use the rails plugin with the rails app
    vim

With the rails plugin, you have news commands, per example, if you want to go to the source code of the 'Test' Controller, you can use the command :REcontroller test
But, the rails plugin comes with auto-completion for :REcontroller, :REmodel, ... with the TAB key, but if you try with this key, there is a crash of vim, with a segmentation fault.
The auto-completion is based on the relative path of the rails application

This bug is very blocking :(

I hope you will understand my description

Here is what I did to reproduce

1) sudo apt-get install ruby-full
2) sudo gem install rails
3) vim-addons install vim-rails
4) rails sample_project
5) cd sample_project
6) gvim app/controllers/application.rb
7) in command mode in gvim, :RTjavascript <tab> (Pick something like application for application.js. Sometimes works, should open another tab)
8) make a file in public/stylesheets. Call it anything, like rails.css.
9) in command mode again, :RTstylesheet r<tab> (Always crashes by now)

I agree, it does appear to be fixed in unstable debian

Thanks for the step by step description.

Following the explanations from "matrixise"
I could also reproduce the bug when doing
":REcontroller te<TAB><TAB>" which segfaults
(press tab twice):

  pel@pel-laptop:~/test_crash$ /usr/bin/vim
  Vim: Caught deadly signal SEGV

This is happening with vim-full from Hardy:

  pel@pel-laptop:~/test_crash$ /usr/bin/vim --version
  VIM - Vi IMproved 7.1 (2007 May 12, compiled Jan 31 2008 12:00:11)
  Included patches: 1-138

Now, running with valgrind, I can see several errors
but the last one must be the one which causes the
crash:

==10292== Invalid free() / delete / delete[]
==10292== at 0x402265C: free (vg_replace_malloc.c:323)
==10292== by 0x80CD2FA: ExpandOne (in /usr/bin/vim.gnome)
==10292== by 0x80CF245: (within /usr/bin/vim.gnome)
==10292== by 0x80D0EF3: getcmdline (in /usr/bin/vim.gnome)
==10292== by 0x80C5AF3: do_cmdline (in /usr/bin/vim.gnome)
==10292== by 0x81305FE: (within /usr/bin/vim.gnome)
==10292== by 0x8132FAB: normal_cmd (in /usr/bin/vim.gnome)
==10292== by 0x80F736F: main_loop (in /usr/bin/vim.gnome)
==10292== by 0x80FA972: main (in /usr/bin/vim.gnome)
==10292== Address 0x67f57b8 is 0 bytes inside a block of size 3 free'd
==10292== at 0x402265C: free (vg_replace_malloc.c:323)
==10292== by 0x80CD320: ExpandOne (in /usr/bin/vim.gnome)
==10292== by 0x809744F: (within /usr/bin/vim.gnome)
==10292== by 0x809D4D0: (within /usr/bin/vim.gnome)
==10292== by 0x80A07F7: (within /usr/bin/vim.gnome)
==10292== by 0x80A1D83: (within /usr/bin/vim.gnome)
==10292== by 0x80A254C: (within /usr/bin/vim.gnome)
==10292== by 0x809EF81: (within /usr/bin/vim.gnome)
==10292== by 0x809F207: (within /usr/bin/vim.gnome)
==10292== by 0x809FA3B: (within /usr/bin/vim.gnome)
==10292== by 0x809FB5B: (within /usr/bin/vim.gnome)
==10292== by 0x80A10CD: (within /usr/bin/vim.gnome)

Unfortunately, /usr/bin/vim is not built with symbols, but the
message shows that there is an invalid free() in the ExpandOne()
function of Vim.

If I download the latest vim (vim-7.1.293) source code (see
http://www.vim.org/download.php), and compiled it myself:

  cd vim7
  ./configure --with-features=huge
  make
  make install

Then it works fine and valgrind does not complain either.
So this bug must have already been already fixed in latest vim.

Note the Hardy is using vim-7.1.138 and latest vim from CVS
is vim-7.1.293. It would be a good idea to do an Ubuntut
package with a more recent vim, many bugs have been fixed.
Here are all the missing patches in vim as shipped with
Ubuntu:

  1557 7.1.139 fold truncated when ending Insert mode with CTRL-C
  1664 7.1.140 v:count can't be used in an expression mapping
  2806 7.1.141 GTK: can't use negative offset with -geom argument
  2161 7.1.142 ":redir @A>" doesn't work
  1723 7.1.143 uninitialized memory read when diffing three files
  1250 7.1.144 after ":diffup" cursor can be in the wrong position
  6160 7.1.145 stay in Insert completion mode depending on the char typed
  2838 7.1.146 VMS: writing fails for rare record organisation
  2079 7.1.147 (after 7.1.127) freeing memory twice completing user name
  ...

Thanks dominiko. Had compiled vim from source trying to get this to work but hadn't had any success. Getting the latest from cvs and using --with-features=huge works for me. I'll stay with Hardy now.

vim from debian sid works fine and fixes this bug

This is fixed by upstream's 7.1.147 patch.

After asking around in #vim, someone wrote the following simple instructions for building a deb from source (which should get upgraded when the ubuntu package maintainers upload a newer version):

http://pastebin.com/m5fe056a3

It worked great for me!

Following the http://pastebin.com/m5fe056a3 directions I'm getting the following error in the last step:

.....
# Generate language-specific sections of
# vim-{runtime,common,gui-common}.install files
dh_installman
dh_install -X.svn --fail-missing
dh_install: usr/bin/gvimtutor exists in debian/tmp but is not installed to anywhere
dh_install: missing files, aborting
make: *** [install-stamp-vim-basic] Error 1
dpkg-buildpackage: failure: fakeroot debian/rules binary gave error exit status 2

any clue?

thanks

Upstream patch 7.1.295 added gvimtutor. To use my build instructions now, in addition to getting the latest upstream patches we need to modify the deb build rules to know how to handle the extra binary that they weren't expecting. Try these commands instead:
http://pastebin.com/m317ae06e

StacktraceTop:_int_malloc () from /lib/libc.so.6
malloc () from /lib/libc.so.6
lalloc (size=2, message=1) at misc2.c:857
vim_strsave (string=0xa5c7c0 "T") at misc2.c:1144
copy_tv (from=0x7fffe7c81a20, to=0x2) at eval.c:18308

So, I had an issue with building from source (gvimtutor issues, I'm not familiar with how dpkg works enough to fix it), so I'm using this person's ppa for vim, for now. Using the hardy ver, but at least it's vim patched to 285.

https://launchpad.net/~towolf/+archive

Thanks you, Jonathan.

I can confirm this bug also - doing tab-completion in :RE* commands crashes vim.

@godlygeek: your instructions at pastebin do not work for me:
--------------------------------------------------------------------------------------------------------------------------------------------
fpauser@tpx40:~/vim-7.1$ dch -v 1:7.1-138+1ubuntu4~$(whoami)1 "Updated with patches through $(ls upstream/patches | grep -v '\.py$' | tail -n 1)"
dch: fatal error at line 873:
New version specified (1:7.1-138+1ubuntu4~fpauser1) is less than
the current version number (1:7.1-138+1ubuntu4~fpauser1)! Use -b to force.
--------------------------------------------------------------------------------------------------------------------------------------------

any hints?

godlygeek's pastebin from 05-08 has expired; I have reposted it:
http://pastebin.com/m3f2d0fdc
and attached it here.

Falk Pauser, looks like you're trying to run dch a second time -- if you 'head debian/changelog' you'll see your comment already prepended. Skip dch, run the sed script, and you should be ready to do dpkg-buildpackage.

If this is a duplicate of #215374 then there's a very easy way to exercise the bug without involving rails. Type `:r ~fo<tab>' where `fo' is the start of a username on the system, e.g. `foo'.

I'm experiencing #215374 with vim 1:7.1-138+1ubuntu3. Looking at ftp://ftp.vim.org/pub/vim/patches/7.1/README I think patch 7.1.147 looks like it fixes my issues with ~fo<tab>.

    7.1.127 memory leak when doing completing
    7.1.147 (after 7.1.127) freeing memory twice completing user name

It seems we have 7.1.127, avoiding the memory leak, but that introduced a double-free giving a worse-than-a-memory-leak crash, now fixed with 7.1.147.

Vim 7.2 is out. Maybe it's time to update broken vim from debian sid or so?

for those who want to have fresh bugless vim:
su
cd /usr/src
wget ftp://ftp.vim.org/pub/vim/unix/vim-7.2.tar.bz2
tar -xvvf vim-7.2.tar.bz2
cd vim72
./configure --with-features=huge --with-gnome
make
make install

you will need some *-dev packages installed

for gvim:

./configure --with-features=huge --enable-gui=gnome2

or

./configure --with-features=huge --enable-gui=gtk2

will need xorg-dev libgtk2.0-dev and some other libs

That version has died long ago; no more supported