From 11b55aa004067be95a81b2d1a20634312d405c82 Mon Sep 17 00:00:00 2001
From: Björn Linse <bjorn.linse@gmail.com>
Date: Sun, 13 May 2018 17:18:42 +0200
Subject: timer: make sure to free callback after the last timer due callback

fixes #6974

Before this change, the partial could be freed before the last due
callback got invoked, which caused a use-after-free when the due
callback called the partial.
---
 src/nvim/eval.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/nvim/eval.c')

diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 126e9e0da9..a3540b3153 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -17039,7 +17039,8 @@ static void timer_stop(timer_T *timer)
   time_watcher_close(&timer->tw, timer_close_cb);
 }
 
-// invoked on next event loop tick, so queue is empty
+// This will be run on the main loop after the last timer_due_cb, so at this
+// point it is safe to free the callback.
 static void timer_close_cb(TimeWatcher *tw, void *data)
 {
   timer_T *timer = (timer_T *)data;
-- 
cgit