patch 8.1.1485: double free when garbage_collect() is used in autocommandv8.1.1485

Problem:    Double free when garbage_collect() is used in autocommand.
Solution:   Have garbage collection also set the copyID in funccal_stack.

3 files changed, 14 insertions, 6 deletions

diff --git a/src/eval.c b/src/eval.c
index 5452f4543..abb3b4069 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -430,12 +430,11 @@ eval_clear(void)
 	vim_free(SCRIPT_SV(i));
     ga_clear(&ga_scripts);
 
-    // functions need to be freed before gargabe collecting, otherwise local
-    // variables might be freed twice.
-    free_all_functions();
-
     // unreferenced lists and dicts
     (void)garbage_collect(FALSE);
+
+    // functions not garbage collected
+    free_all_functions();
 }
 #endif
 
diff --git a/src/userfunc.c b/src/userfunc.c
index 7abde07e3..3a0219af4 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -4030,11 +4030,18 @@ set_ref_in_funccal(funccall_T *fc, int copyID)
     int
 set_ref_in_call_stack(int copyID)
 {
-    int		abort = FALSE;
-    funccall_T	*fc;
+    int			abort = FALSE;
+    funccall_T		*fc;
+    funccal_entry_T	*entry;
 
     for (fc = current_funccal; fc != NULL; fc = fc->caller)
 	abort = abort || set_ref_in_funccal(fc, copyID);
+
+    // Also go through the funccal_stack.
+    for (entry = funccal_stack; entry != NULL; entry = entry->next)
+	for (fc = entry->top_funccal; fc != NULL; fc = fc->caller)
+	    abort = abort || set_ref_in_funccal(fc, copyID);
+
     return abort;
 }
 
diff --git a/src/version.c b/src/version.c
index bbfbfe17d..4c44f2e3c 100644
--- a/src/version.c
+++ b/src/version.c
@@ -768,6 +768,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1485,
+/**/
     1484,
 /**/
     1483,