Subject: lib/36702: vi crashes on window resizes due to bug in curses
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <erh@swapsimple.com>
List: netbsd-bugs
Date: 07/29/2007 22:00:00
>Number: 36702
>Category: lib
>Synopsis: vi crashes on window resizes due to bug in curses
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jul 29 22:00:00 +0000 2007
>Originator: Eric Haszlakiewicz
>Release: NetBSD 4.99.20
>Organization:
>Environment:
NetBSD-current
Sources updated as of June 22nd, 2007.
refresh.c 1.67
Architecture: i386
Machine: i386
>Description:
When resizing the window (xterm) vi occasionally crashes. It doesn't
happen very often, but is fairly easy to reproduce by quickly and
repeatedly making the window larger.
I also get (non-fatal) errors that look like
"Error: move: l(35) c(0) o(0)"
when shrinking the screen, but I don't know if those are related.
>How-To-Repeat:
Fire up an xterm.
Run vi in it.
Put the cursor on the last line (optional?)
Resize the window several times.
>Fix:
I don't know about a fix, but here's the debugging info I managed to extract
from the core file. Note that the "bot" variable is larger than curscr->maxy.
Program terminated with signal 11, Segmentation fault.
#0 0xbbbbda26 in quickch () at refresh.c:1229
1229 if (__virtscr->lines[bot]->flags & __ISDIRTY &&
(gdb) print __virtscr
$1 = (WINDOW *) 0x8092380
(gdb) print bot
$2 = 41
(gdb) list
1224 curscr->lines[bot]->line,
1225 (size_t) __virtscr->maxx * __LDATASIZE)
1226 != 0))
1227 break;
1228 #else
1229 if (__virtscr->lines[bot]->flags & __ISDIRTY &&
1230 (__virtscr->lines[bot]->hash != curscr->lines[bot]->hash ||
1231 !linecmp(__virtscr->lines[bot]->line,
1232 curscr->lines[bot]->line,
1233 (size_t) __virtscr->maxx )))
(gdb) print curscr
$3 = (WINDOW *) 0x8092280
(gdb) print __virtscr->lines[bot]->flags
$4 = 1
(gdb) print curscr->lines[bot]->hash
Cannot access memory at address 0x4
(gdb) print curscr
$5 = (WINDOW *) 0x8092280
(gdb) print *curscr
$6 = {nextp = 0x8092280, orig = 0x0, begy = 0, begx = 0, cury = 0, curx = 0,
maxy = 39, maxx = 85, reqy = 39, reqx = 85, ch_off = 0, lines = 0x80d1200,
lspace = 0x8094000, wspace = 0x8122000, flags = 327709, delay = -1, wattr = 0,
bch = 32, battr = 0, scr_t = 0, scr_b = 38, screen = 0x80b0000,
pbegy = 134816472, pbegx = 134816472, sbegy = 134816480, sbegx = 134816480,
smaxy = 134816488, smaxx = 134816488, bnsp = 0x0}
(gdb) print bot
$7 = 41
(gdb)
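
The session above shows curscr->lines[bot] being read with bot = 41 while curscr->maxy is 39. As an added illustration (not part of the original report, and not NetBSD's code or fix), the following C model of that bottom-up scan checks the index against the second window before dereferencing it. The struct layout, the 42-row virtual screen, the hash values and the function names are assumptions made for the example.

```c
#include <stdio.h>

#define ISDIRTY 0x01u  /* stand-in for __ISDIRTY */

/* Simplified stand-ins for the curses line and WINDOW structures (assumed). */
struct line { unsigned flags, hash; };
struct win  { int maxy; struct line **lines; };  /* lines[] has maxy entries */

/* Bottom-most row that is dirty in virt and differs from cur, or -1 if none.
 * virt may have more rows than cur right after the terminal has grown. */
int bottom_changed_row(const struct win *virt, const struct win *cur)
{
    for (int bot = virt->maxy - 1; bot >= 0; bot--) {
        const struct line *v = virt->lines[bot];
        if (!(v->flags & ISDIRTY))
            continue;
        if (bot >= cur->maxy)   /* cur has no such row: do not index it */
            return bot;
        if (v->hash != cur->lines[bot]->hash)
            return bot;
    }
    return -1;
}

enum { VIRT_ROWS = 42, CUR_ROWS = 39 };  /* constructed: bot = 41, maxy = 39 */

/* Build both windows with equal hashes, dirty one virt row, run the scan. */
int demo_after_grow(int dirty_row, unsigned new_hash)
{
    static struct line vstore[VIRT_ROWS], cstore[CUR_ROWS];
    static struct line *vrows[VIRT_ROWS], *crows[CUR_ROWS];
    for (int i = 0; i < VIRT_ROWS; i++) {
        vstore[i] = (struct line){ 0, 7 };
        vrows[i] = &vstore[i];
    }
    for (int i = 0; i < CUR_ROWS; i++) {
        cstore[i] = (struct line){ 0, 7 };
        crows[i] = &cstore[i];
    }
    vstore[dirty_row] = (struct line){ ISDIRTY, new_hash };
    struct win virt = { VIRT_ROWS, vrows }, cur = { CUR_ROWS, crows };
    return bottom_changed_row(&virt, &cur);
}

int main(void)
{
    printf("%d %d %d\n", demo_after_grow(41, 7), demo_after_grow(10, 7),
           demo_after_grow(10, 9));
    return 0;
}
```

In this model a dirty row that exists only in the larger window is reported as changed without touching the smaller window's line array.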