bug-ncurses

segfault during resize


From: Gernot Hillier
Subject: segfault during resize
Date: Fri, 5 Apr 2002 13:26:33 +0200

Hi!

I'm trying to track down a segfault in a quite big application (multithreaded, 
consisting of several own shared libs, output plugins...) when using the 
ncurses output since some days.

First of all: I'm not a really experienced C or Linux programmer, so please tell 
me if I have missed something - even if it seems very easy for you. ;-)

Whenever I resize the xterm, this application crashes with a segfault. The 
backtraces showed segfaults during free or realloc in ncurses, so I assume it 
is some sort of heap corruption.

So I put libefence (ElectricFence) in LD_PRELOAD and now I get reproducible 
segfaults when accessing win->_line.text, for example in base/lib_bkgd.c:116 
(if (CharEq(win->_line[y].text[x],old_bkgrnd). They always occur when trying 
to access the first element of the buffer, in this example with x=y=0. I hope 
this is no false positive, so I'm investigating this further.

It occurs with the original 5.2 release without any patches and with the 
current patches from your ftp-server, too.

I added some debug output to all alloc's and free's of the text member I found 
(in lib_pad.c, wresize.c, lib_newwin.c).

What I understood till now (please correct me!): 

For the root window, this buffer is allocated, and all child windows only have 
a pointer to it and therefore use this parent buffer (lib_newwin.c:derwin and 
lib_newwin.c:_nc_makenew), right? 

Whenever a window is resized, the _line struct is realloced if necessary and 
so are the text fields of the parent window (wresize.c:wresize).

The subwindow which is concerned by the crash always stays at the same size (1 
x 6 - seems to be a button). 

So it gets some addresses from the parent's buffer when created in 
lib_newwin:derwin. These addresses I output to my debug file. 

As far as I've understood, this value won't be touched if the size of this 
window isn't changed. 

But when the application crashes, the value of win->_line[0].text has changed. 
It shows some address which I can't find anywhere in my debug output.

So I have two questions at the moment - perhaps you could help me:

- Are my assumptions stated above correct so far?

- How does a subwindow get the new address of the parent buffer, when the 
parent window is resized and therefore the addresses of the buffer change? I 
can't find the place where this happens. All I can see is that wresize.c 
terminates without doing anything if the size of the window isn't changed.

Every suggestion which could help me is greatly appreciated - TIA!

-- 
Ciao,

Gernot
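
The failure mode asked about above, as an added example that is not part of the original post and is not ncurses code: a hypothetical `struct win` model in which a derived window aliases the parent's buffer, showing the stale alias after the parent is resized and one way to re-derive it. All names and sizes are illustrative assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model for illustration; these are not the ncurses structures. */
struct win {
    char *text;         /* parent: owned buffer; child: alias into it */
    size_t cols;
    size_t off;         /* child only: start offset inside the parent buffer */
    struct win *child;  /* parent only: one derived window, or NULL */
};

/* Resize the parent. The buffer always moves here (allocate, copy, free), as
 * realloc may also do. With repair == 0 the child's alias is left dangling. */
int win_resize(struct win *p, size_t new_cols, int repair)
{
    struct win *c = p->child;
    if (repair && c && c->off + c->cols > new_cols)
        return -1;                      /* child would no longer fit */
    char *fresh = calloc(new_cols, 1);
    if (!fresh) return -1;
    memcpy(fresh, p->text, p->cols < new_cols ? p->cols : new_cols);
    if (repair && c)
        c->text = fresh + c->off;       /* re-derive the alias */
    free(p->text);
    p->text = fresh;
    p->cols = new_cols;
    return 0;
}

/* Debug check: does the child's alias lie inside the parent's live buffer? */
int child_in_bounds(const struct win *p)
{
    uintptr_t lo = (uintptr_t)p->text;
    uintptr_t c = (uintptr_t)p->child->text;
    return c >= lo && c + p->child->cols <= lo + p->cols;
}

/* Build an 80-column parent with a 6-column child, resize, run the check. */
int demo(int repair)
{
    struct win child = { NULL, 6, 10, NULL };
    struct win parent = { calloc(80, 1), 80, 0, &child };
    if (!parent.text) return -1;
    child.text = parent.text + child.off;
    int ok = win_resize(&parent, 120, repair) == 0 ? child_in_bounds(&parent) : -1;
    free(parent.text);
    return ok;
}
```

`demo(0)` leaves the child pointing into the freed block, which is the kind of address a guard allocator such as ElectricFence faults on at first access; `demo(1)` re-derives the alias before the old block is released.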