Irssi core bugs

  • Status Unconfirmed
  • Percent Complete 0%
  • Task Type Bug Report
  • Category core
  • Assigned To No-one
  • Operating System Linux
  • Severity Medium
  • Priority Normal
  • Reported Version Irssi SVN
  • Due in Version Undecided
  • Due Date Undecided
  • Votes 0
  • Private No
Attached to Project: Irssi core bugs
Opened by Tom (shabble) - 2010-10-09

FS#772 - Irssi crashes with Invalid Free() with custom statusbar and rapid terminal resizing

minimal script testcase:

use strict;
use warnings;

use Irssi;
use Irssi::TextUI; # for sbar_items_redraw / statusbar item support

# Register a statusbar item named 'uberprompt' whose contents are produced
# by the uberprompt_draw() callback below, then add it to the 'prompt'
# statusbar on the left, before the input item.
Irssi::statusbar_item_register('uberprompt', 0, 'uberprompt_draw');
Irssi::command("STATUSBAR prompt add -alignment left -before input -priority '-1' uberprompt");

sub uberprompt_draw {
    my ($sb_item, $get_size_only) = @_;

    # Printing to the active window from inside the statusbar handler is
    # what triggers the crash (see the follow-up note: removing this line
    # makes the crash disappear).
    print "This is a test";

    return $sb_item->default_handler($get_size_only, '{uberprompt $winname}', '', 0);
}

---

Easiest way to reproduce is to load the above script into an irssi running in an xterm, then rapidly resize it to a smaller height (changing width does not appear to reproduce the crash).

For an automated test, you can start irssi inside a screen session, then C-a : split, C-a : resize 1000
(so the irssi region is as large as possible), then run the following snippet from another terminal:

perl -MTime::HiRes=sleep -e'for(1..100) { print "Sizing\n"; qx|/usr/bin/screen -X resize -1|; sleep(0.001);}'

The time delay is probably system dependent. Values of 0.001 - 0.003 regularly crash, 0.005 seems mostly stable.

---- example backtrace upon crash: -----
(gdb) bt full
#0 0x00007fa2deb6fed5 in raise () from /lib/libc.so.6
No symbol table info available.
#1 0x00007fa2deb713f3 in abort () from /lib/libc.so.6
No symbol table info available.
#2 0x00007fa2debac408 in ?? () from /lib/libc.so.6
No symbol table info available.
#3 0x00007fa2debb19a8 in ?? () from /lib/libc.so.6
No symbol table info available.
#4 0x00007fa2debb3ab6 in free () from /lib/libc.so.6
No symbol table info available.
#5 0x00000000004290a6 in term_resize (width=122, height=15) at term-terminfo.c:200
No locals.
#6 0x000000000042851a in term_resize_dirty () at term.c:84
width = 122
height = 15
#7 0x0000000000430877 in dirty_check () at irssi.c:117
No locals.
#8 0x0000000000430cb2 in main (argc=2, argv=0x7fffb45a43d8) at irssi.c:365
version = 0
options = {{long_name = 0x4b837f "dummy", short_name = 100 'd', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x6fa788,
description = 0x4b8385 "Use the dummy terminal mode", arg_description = 0x0}, {long_name = 0x4b83a1 "version", short_name = 118 'v', flags = 0,
arg = G_OPTION_ARG_NONE, arg_data = 0x6fa77c, description = 0x4b83a9 "Display irssi version", arg_description = 0x0}, {long_name = 0x0,
short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x0, description = 0x0, arg_description = 0x0}}
(gdb)


---- additional crash report (from another user) ----

*** glibc detected *** /usr/bin/irssi: free(): invalid pointer: 0x0a1e7888 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(+0x6b591)[0xbc4591]
/lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0xbc5de8]
/lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0xbc8ecd]
/lib/libglib-2.0.so.0(g_free+0x36)[0x179fc6]
/usr/bin/irssi[0x806fdc1]
/lib/libglib-2.0.so.0(g_hash_table_foreach+0x5c)[0x16247c]
/usr/bin/irssi[0x807017b]
/usr/bin/irssi(textbuffer_view_resize+0x32)[0x8071bc2]
/usr/bin/irssi(mainwindows_redraw_dirty+0xb6)[0x80648c6]
/usr/bin/irssi[0x8071e13]
/usr/bin/irssi(main+0x24d)[0x80720bd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb6fbd6]
/usr/bin/irssi[0x805c4e1]


Crash has been confirmed on both 0.8.12 and latest SVN under Debian Lenny,
and on irssi 0.8.14 (20090728 1938) under Ubuntu Lucid.

Crash /cannot/ be reproduced on OSX 10.5.8 using irssi SVN (r5190).

The random nature and occurrence of the crash suggests some sort of race condition.
The backtrace points to the line:
" g_free(term_lines_empty); "
in src/fe-text/term-terminfo.c, but it remains unclear under what conditions this value points
to an invalid allocation.

This task does not depend on any other tasks.

Tom (shabble)
Monday, 11 October 2010, 10:54 GMT
Additional info:

screencast of occurrence: http://metavore.org/faff/irssi.ogv

Also note that removing or commenting out the 'print ...' line within the statusbar handler prevents the crash from happening.
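The following is an added illustration, not irssi code and not a confirmed root cause: it models one mechanism that is consistent with the symptoms above (a free() of a stale pointer, reached only when output from the statusbar handler re-enters the resize path while a second resize is already pending), and shows the reentrancy guard that closes that window. The names term_lines_empty, term_resize and the dirty flag are borrowed from the backtrace for readability; the control flow, the tracked_* allocator wrapper and the run_scenario() driver are assumptions made for this example. The allocator wrapper counts a repeated free instead of aborting the way glibc does, so both variants can be run side by side.

```c
/* Added example: a hypothetical reentrant terminal-resize race and its fix.
 * Not irssi's code; names are borrowed from the backtrace only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Tiny tracked allocator: counts "free(): invalid pointer" instead of
 * aborting, so the buggy variant can be observed without crashing. ---- */
#define MAX_BLOCKS 8
static struct { char *p; int freed; } heap[MAX_BLOCKS];
static int heap_n = 0;
static int invalid_free_count = 0;

static char *tracked_alloc(size_t n) {
    char *p = calloc(n, 1);
    if (heap_n < MAX_BLOCKS) { heap[heap_n].p = p; heap[heap_n].freed = 0; heap_n++; }
    return p;
}

/* A second free of the same block, or a free of an unknown pointer, is what
 * glibc reports as an invalid free; here it is counted. */
static void tracked_free(char *p) {
    if (p == NULL) return;
    for (int i = 0; i < heap_n; i++) {
        if (heap[i].p == p) {
            if (heap[i].freed) invalid_free_count++;
            heap[i].freed = 1;
            return;
        }
    }
    invalid_free_count++;
}

static void reset_heap(void) {
    for (int i = 0; i < heap_n; i++) free(heap[i].p);
    heap_n = 0;
    invalid_free_count = 0;
}

/* ---- Hypothetical terminal state (assumed layout, not irssi's). ---- */
static char *term_lines_empty = NULL;
static int term_height = 0;
static int resize_dirty = 0;   /* another SIGWINCH arrived, size must be re-read */
static int in_resize = 0;      /* reentrancy guard used only by the safe variant */

/* Unsafe: the old buffer is freed, then a redraw runs before the global
 * pointer is replaced. If the redraw finds the size dirty again (rapid
 * resizing), it re-enters term_resize with the now-dangling pointer. */
static void redraw_unsafe(void);
static void term_resize_unsafe(int height) {
    tracked_free(term_lines_empty);      /* pointer left dangling here */
    redraw_unsafe();                     /* reentrancy window: script output during redraw */
    term_lines_empty = tracked_alloc((size_t)height + 1);
    memset(term_lines_empty, ' ', (size_t)height);
    term_height = height;
}
static void redraw_unsafe(void) {
    if (resize_dirty) { resize_dirty = 0; term_resize_unsafe(term_height - 1); }
}

/* Safe: refuse to re-enter (leave the dirty flag set for the main loop's
 * next check) and never leave a freed pointer behind. */
static void redraw_safe(void);
static int term_resize_safe(int height) {
    if (in_resize) { resize_dirty = 1; return 0; }   /* deferred, not re-entered */
    in_resize = 1;
    tracked_free(term_lines_empty);
    term_lines_empty = NULL;                          /* no dangling pointer */
    redraw_safe();                                    /* same window, now harmless */
    term_lines_empty = tracked_alloc((size_t)height + 1);
    memset(term_lines_empty, ' ', (size_t)height);
    term_height = height;
    in_resize = 0;
    return 1;
}
static void redraw_safe(void) {
    if (resize_dirty) { resize_dirty = 0; term_resize_safe(term_height - 1); }
}

/* Constructed scenario: a 20-line terminal shrinks to 15 while a second
 * resize is already pending. Returns the number of invalid frees seen. */
int run_scenario(int use_safe) {
    reset_heap();
    term_lines_empty = NULL; in_resize = 0; term_height = 20;
    term_lines_empty = tracked_alloc(21);
    resize_dirty = 1;                    /* second SIGWINCH landed already */
    if (use_safe) term_resize_safe(15); else term_resize_unsafe(15);
    int n = invalid_free_count;
    tracked_free(term_lines_empty);
    term_lines_empty = NULL;
    return n;
}

int main(void) {
    printf("unsafe resize: %d invalid free(s)\n", run_scenario(0));
    printf("safe resize:   %d invalid free(s)\n", run_scenario(1));
    reset_heap();
    return 0;
}
```

The guard is the same idea as irssi's dirty-flag handling in the main loop (term_resize_dirty called from dirty_check in the backtrace): a resize is only ever performed from one place, and anything that wants one while it is in progress just marks the size dirty again.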
