classification
Title: curses segfault resizing window
Type: crash
Stage: resolved
Components: Extension Modules
Versions: Python 3.6, Python 2.7
process
Status: closed
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: Josiah Ulfers, a.badger, lisroach, twouters
Priority: normal
Keywords: patch

Created on 2019-02-07 00:02 by Josiah Ulfers, last changed 2019-05-18 02:38 by Josiah Ulfers. This issue is now closed.

Files
File name Uploaded Description
cursesfault.py Josiah Ulfers, 2019-02-07 00:02
Pull Requests
URL Status Linked
PR 13209 merged a.badger, 2019-05-08 19:38
Messages (9)
msg334991 - (view) Author: Josiah Ulfers (Josiah Ulfers) Date: 2019-02-07 00:02
To provoke a segmentation fault, run the attached, then grab the top or
bottom edge of the window. Move it down or up until it overlaps the box.
Might need to wiggle the edge a little, but it's reliably reproducible.

Expected error, which is what happens when dragging the left or right edge
instead of the top or bottom:

    Traceback (most recent call last):
      File "cursesfault.py", line 12, in <module>
        curses.wrapper(main)
      File "/usr/lib64/python3.6/curses/__init__.py", line 94, in wrapper
        return func(stdscr, *args, **kwds)
      File "cursesfault.py", line 9, in main
        w.addstr(0, 0, box)
    _curses.error: addwstr() returned ERR

Actual error message varies a little. It's either:

    *** Error in `python3': corrupted size vs. prev_size: 0x000055b3055ba820 ***
        Aborted (core dumped)

Or:

    *** Error in `python3': double free or corruption (!prev): 0x000055b61e1ffbb0 ***
        Aborted (core dumped)

Or:

    *** Error in `python': malloc(): memory corruption: 0x0000564907a5a4f0 ***
        Aborted (core dumped)

Possibly relates to issue15581

---

Python 2.7.14 and 3.6.5
OpenSUSE 15.0
KDE Plasma 5.12.6

uname -a
Linux ... 4.12.14-lp150.12.45-default #1 SMP Mon Jan 14 20:29:59 UTC 2019 (7a62739) x86_64 x86_64 x86_64 GNU/Linux
msg337718 - (view) Author: Lisa Roach (lisroach) * (Python committer) Date: 2019-03-12 04:06
I am able to confirm the repro; I haven't been able to find the root cause of it yet, though. Trying to dig into it.
msg341802 - (view) Author: Toshio Kuratomi (a.badger) * Date: 2019-05-07 19:09
I'm still debugging this but it may be an off-by-one error in ncurses, wresize.c.  I've found that if I modify the following section in ncurses, our problem goes away:

    /*
     * Dispose of unwanted memory.
     */
    if (!(win->_flags & _SUBWIN)) {
        if (ToCols == size_x) {
            for (row = ToLines + 1; row <= size_y; row++) {
                free(win->_line[row].text);
            }
        } else {
            for (row = 0; row <= size_y; row++) {
                free(win->_line[row].text);
            }
        }
    }

    free(win->_line);
    win->_line = new_lines;

Replacing:

    for (row = ToLines + 1; row <= size_y; row++) {

with:

    for (row = ToLines + 2; row <= size_y; row++) {

fixes this error.  ToLines is a parameter passed in to wresize.  wresize will reuse ToLines number of rows from the old structure in the new structure.  Due to that, I think that the chances are good that it is ncurses which is at fault here.  I will try to rewrite the test case into a C program and then submit a bug report to ncurses upstream.  I'm not sure that there's a way we can work around this until that's fixed.
msg341893 - (view) Author: Toshio Kuratomi (a.badger) * Date: 2019-05-08 15:53
I've diagnosed this a bit further and have a workaround for you.  It appears that using addstr() with a string with embedded newlines is a piece of the problem.  If I modify your example program so that we add each line as a separate string instead of adding them as a single string with embedded newlines, we get the ncurses ERR on resize instead of a segfault:

    import curses

    def main(stdscr):
        y, x = curses.LINES//3, curses.COLS//3  # size is arbitrary
        box = '\n'.join('+'*x for _ in range(y))
        w = stdscr.subwin(y, x+1, y, x)
        while True:
            new_box = box[:]
            w.clear()
            # Workaround: one addstr() call per line, no embedded newlines
            for offset, line in enumerate(box.splitlines()):
                w.addstr(offset, 0, line)
            w.getch()  # not required, just avoids a hot loop

    curses.wrapper(main)

I don't see anything in the curses specification that forbids embedded newlines in the string to addstr(), though, so I am still thinking that this is a bug in ncurses.
msg341925 - (view) Author: Toshio Kuratomi (a.badger) * Date: 2019-05-08 18:29
My upstream (ncurses) bug report: http://lists.gnu.org/archive/html/bug-ncurses/2019-05/msg00010.html
msg342266 - (view) Author: Toshio Kuratomi (a.badger) * Date: 2019-05-12 21:12
Hi Josiah, I've tested my sample program and it looks like the segmentation fault is fixed with ncurses-6.1-20190511: http://lists.gnu.org/archive/html/bug-ncurses/2019-05/msg00013.html

Are you able to give that a try and see whether it resolves the issue for you as well?

For the core devs: assuming this is fixed in a newer ncurses, how would you like to proceed with this bug? I have a documentation PR to tell people about the bug in ncurses and the workaround: https://github.com/python/cpython/pull/13209. I can update that to mention the version of ncurses that this is fixed in if you want that. Other than that, I'm not sure what more we can do.
msg342776 - (view) Author: Lisa Roach (lisroach) * (Python committer) Date: 2019-05-17 22:54
Thank you for all the work you did on this, Toshio! I think we are good to close this issue.
msg342786 - (view) Author: Josiah Ulfers (Josiah Ulfers) Date: 2019-05-18 02:36
Yes, thanks Toshio and Lisa and sorry for the slow response. I just now built a Python 3.7.3 against ncurses-6.1-20190511 and can confirm it resolved the issue.
msg342787 - (view) Author: Josiah Ulfers (Josiah Ulfers) Date: 2019-05-18 02:38
Yes, thanks Toshio and Lisa and sorry for the slow response. I just now built a Python 3.7.3 against ncurses-6.1-20190511 and can confirm it resolved the issue.
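
Added example, not part of the thread and not CPython code: it combines the two mitigations discussed above, checking whether the linked ncurses is at least the 6.1-20190511 patch level the thread reports as fixed, and writing multi-line text one row per call as in the workaround. `FIXED_NCURSES`, `ncurses_has_fix` and `addstr_lines` are names invented here; `curses.ncurses_version` is only available on Python 3.8 and later.

```python
import curses

# Patch level the thread reports as fixed (ncurses-6.1-20190511).
FIXED_NCURSES = (6, 1, 20190511)


def ncurses_has_fix(version=None):
    """True/False for a known (major, minor, patch) version, None if unknown.

    With no argument, the version of the ncurses linked into this
    interpreter is used; it is unavailable before Python 3.8.
    """
    if version is None:
        version = getattr(curses, "ncurses_version", None)
    if version is None:
        return None
    return tuple(version) >= FIXED_NCURSES


def addstr_lines(win, y, x, text):
    """Write text one row per call and return the rows written without error.

    No string containing a newline is ever handed to the window. Rows that
    fall outside the window are skipped, and a curses.error (for example
    from a write during a resize) ends the loop instead of propagating.
    """
    max_y, max_x = win.getmaxyx()
    written = 0
    for offset, line in enumerate(text.splitlines()):
        row = y + offset
        if row >= max_y or x >= max_x:
            break
        try:
            # addnstr clips the row to the columns left in the window
            win.addnstr(row, x, line, max_x - x)
        except curses.error:
            break
        written += 1
    return written
```

When `ncurses_has_fix()` returns `False` or `None`, routing all multi-line output through `addstr_lines` keeps embedded newlines away from `addstr()`.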
History
Date User Action Args
2019-05-18 02:38:00 Josiah Ulfers set status: closed; messages: + msg342787
2019-05-18 02:36:11 Josiah Ulfers set status: open -> (no value); messages: + msg342786
2019-05-17 22:54:43 lisroach set messages: + msg342776; stage: patch review -> resolved
2019-05-12 21:12:02 a.badger set messages: + msg342266
2019-05-08 19:38:22 a.badger set keywords: + patch; stage: patch review; pull_requests: + pull_request13120
2019-05-08 18:29:50 a.badger set messages: + msg341925
2019-05-08 15:53:50 a.badger set messages: + msg341893
2019-05-07 19:09:11 a.badger set nosy: + a.badger; messages: + msg341802
2019-03-12 04:06:32 lisroach set nosy: + lisroach; messages: + msg337718
2019-02-10 08:49:07 SilentGhost set nosy: + twouters
2019-02-07 00:02:21 Josiah Ulfers create