Use-after-free with pexec

[andersk@mit.edu]

On current master (18fb86e), valgrind detects this problem after running, for example, :pexec date.

==3420== Invalid read of size 4
==3420==    at 0x452379: owl_popexec_viewwin_onclose (popexec.c:158)
==3420==    by 0x4428FA: owl_viewwin_free (viewwin.c:153)
==3420==    by 0x427AD5: owl_command_popless_quit (commands.c:2787)
==3420==    by 0x448D69: owl_cmd_execute (cmd.c:224)
==3420==    by 0x44857E: _owl_cmddict_execute (cmd.c:73)
==3420==    by 0x44865C: owl_cmddict_execute (cmd.c:97)
==3420==    by 0x43A072: owl_function_command (functions.c:18)
==3420==    by 0x43A0D1: owl_function_command_norv (functions.c:32)
==3420==    by 0x4480AC: owl_keybinding_execute (keybinding.c:73)
==3420==    by 0x447CA1: owl_keyhandler_process (keymap.c:245)
==3420==    by 0x45310B: owl_process_input_char (select.c:265)
==3420==    by 0x4546A2: owl_process_input (owl.c:373)
==3420==  Address 0x9be8900 is 0 bytes inside a block of size 40 free'd
==3420==    at 0x4C280BD: free (vg_replace_malloc.c:366)
==3420==    by 0x4307A8: owl_free (util.c:379)
==3420==    by 0x452A4D: owl_select_remove_io_dispatch (select.c:127)
==3420==    by 0x452AA5: owl_select_io_dispatch_gc (select.c:146)
==3420==    by 0x452ED5: owl_select_io_dispatch (select.c:211)
==3420==    by 0x45391B: owl_select (select.c:430)
==3420==    by 0x45503E: main (owl.c:666)

popexec.c:158 is

  if (pe->dispatch->fd > 0) {
    owl_select_remove_io_dispatch(pe->dispatch);
  }

where it appears pe->dispatch has already been freed by select.c:127.

[nelhage@mit.edu]

Fixed in 125fd21c2d564a4a7d0a027552b7156a4d694243