Pretty sure this is use-after-free, which points to w->last still not
being set properly somewhere.

Can't reproduce on OpenBSD though, and its malloc() is much more
rigorous and has much better error checking...


On Sun, Nov 21, 2010 at 04:14:21PM +0000, Thomas Adam wrote:
> On Sun, Nov 21, 2010 at 03:32:08PM +0000, Nicholas Marriott wrote:
> > tmux version?
> > 
> > what platform?
> 
> It seems I can always reproduce this -- at least to get a stack trace
> identical to the one reported.
> 
> This is tmux cvs HEAD (as of today) on Linux (Debian Unstable).
> 
> If I start tmux like this:
> 
> $ tmux -Lrandom -f /dev/null
> 
> ... and then immediately start to split the window, creating random
> horizontal/vertical splits -- do it a few times until you get four or five.
> 
> Then turn on "mouse-select-pane":
> 
> :set mouse-select-pane
> 
> ... then click to any random pane with the mouse to make it active, and
> press:
> 
> ^d
> 
> ... to close the pane.  I immediately then get a "[lost server]" error, and
> a coredump.  Here's the results:
> 
> (gdb) bt
> #0  0x080839fc in window_pane_visible (wp=0x9011570) at window.c:836
> #1  0x0806d3cc in server_client_reset_state (c=0x8ff2680)
>     at server-client.c:448
> #2  0x0806d2c2 in server_client_loop () at server-client.c:408
> #3  0x0807010c in server_loop () at server.c:213
> #4  0x080700e2 in server_start () at server.c:201
> #5  0x0804ae83 in client_connect (path=0x80ab620 "/tmp//tmux-1001/main356", 
>     start_server=1) at client.c:79
> #6  0x0804b07c in client_main (argc=0, argv=0xbfbd1390, flags=1)
>     at client.c:153
> #7  0x080770f4 in main (argc=0, argv=0xbfbd1390) at tmux.c:495
> 
> Doing some digging:
> 
> (gdb) p wp->xoff
> $2 = 1963065346
> (gdb) p w->sx
> Cannot access memory at address 0x2000264
> (gdb) p w
> $3 = (struct window *) 0x2000200
> (gdb) p *w
> Cannot access memory at address 0x2000200
> 
> What's up with the struct window * here?
> 
> Also -- things get a little more interesting...
> 
> If I repeat the above steps, but this time keep splitting a window down so I
> get a really tiny pane, and type "ls" (so that wp->fd > -1) -- and then
> close it -- again with "^d", tmux goes round in an infinite loop, with the
> title of the window.  This is due to automatic-rename for sure -- the title
> of the window goes through endless loops of:
> 
> 0:z [dead]
> 0:X [dead]
> 
> ... over and over.  There's always a random character before [dead] -- no
> tmux crash, but it does look like (through stracing it) it's caught around
> here:
> 
> names.c:window_name_callback():
> 
> if (w->active->cmd != NULL && *w->active->cmd == '\0' &&
>     name != NULL && name[0] == '-' && name[1] != '\0')
>       wname = parse_window_name(name + 1);
> 
> I'm having problems tracking this down to be honest.
> 
> HTH,
> 
> -- Thomas Adam
> 
> -- 
> "Deep in my heart I wish I was wrong.  But deep in my heart I know I am
> not." -- Morrissey ("Girl Least Likely To" -- off of Viva Hate.)

_______________________________________________
tmux-users mailing list
tmux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tmux-users