From dg@smp.root.com  Tue Sep 29 08:39:49 1998
Received: from smp.root.com (smp.root.com [198.145.90.39])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA12353
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 29 Sep 1998 08:39:46 -0700 (PDT)
          (envelope-from dg@smp.root.com)
Received: (from root@localhost)
	by smp.root.com (8.9.1/8.8.5) id IAA02633;
	Tue, 29 Sep 1998 08:39:27 -0700 (PDT)
Message-Id: <199809291539.IAA02633@smp.root.com>
Date: Tue, 29 Sep 1998 08:39:27 -0700 (PDT)
From: David Greenman <dg@root.com>
Reply-To: dg@root.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: "systat -iostat" coredumps when displaying too much history
X-Send-Pr-Version: 3.2

>Number:         8086
>Category:       bin
>Synopsis:       "systat -iostat" coredumps when trying to display more than 7 lines of history
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ken
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 29 08:40:00 PDT 1998
>Closed-Date:    Mon Oct 12 09:51:51 PDT 1998
>Last-Modified:  Mon Oct 12 09:52:51 PDT 1998
>Originator:     David Greenman
>Release:        FreeBSD 3.0-BETA i386
>Organization:
The FreeBSD Project
>Environment:

	

>Description:

	"systat -iostat" (numbers mode) will coredump inside the curses
	library if the number of lines of 'history' exceeds 7 lines when
	using a large screen/window size. In my particular case, 128x44,
	with a total of 7 devices being displayed. The traceback looks
	like this:

#0  0x20026551 in __set_subwin ()
#1  0x20025c1a in wrefresh ()
#2  0x20024bf4 in wrefresh ()
#3  0x37f6 in display (signo=14) at main.c:207
#4  <signal handler called>
#5  0x200afaea in read ()
#6  0x2009da4d in __srefill ()
#7  0x2009d90a in __srget ()
#8  0x2002302d in wgetch ()
#9  0x2fde in keyboard () at keyboard.c:56
#10 0x3590 in main (argc=2, argv=0xefbfda38) at main.c:158


>How-To-Repeat:

	See above.

>Fix:
	
	

>Release-Note:
>Audit-Trail:

From: "Kenneth D. Merry" <ken@plutotech.com>
To: dg@smp.root.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8086: "systat -iostat" coredumps when displaying too much history
Date: Tue, 29 Sep 1998 16:21:02 -0600 (MDT)

 David Greenman wrote...
 > >Description:
 > 
 > 	"systat -iostat" (numbers mode) will coredump inside the curses
 > 	library if the number of lines of 'history' exceeds 7 lines when
 > 	using a large screen/window size. In my particular case, 128x44,
 > 	with a total of 7 devices being displayed. The traceback looks
 > 	like this:
 > 
 > #0  0x20026551 in __set_subwin ()
 > #1  0x20025c1a in wrefresh ()
 > #2  0x20024bf4 in wrefresh ()
 > #3  0x37f6 in display (signo=14) at main.c:207
 > #4  <signal handler called>
 > #5  0x200afaea in read ()
 > #6  0x2009da4d in __srefill ()
 > #7  0x2009d90a in __srget ()
 > #8  0x2002302d in wgetch ()
 > #9  0x2fde in keyboard () at keyboard.c:56
 > #10 0x3590 in main (argc=2, argv=0xefbfda38) at main.c:158
 
 I saw this when I was porting systat to use the devstat code.  It appears
 to be some sort of curses problem, but I'm really not sure.  It could also
 be a result of some weird memory leak in the devstat library somewhere.
 
 I think it is actually related to showing two or more rows of devices,
 which happens when you're displaying more than 3 devices.
 
 I'm really swamped at the moment, and I probably won't be able to look at
 this for a while.  (after 3.0 at the least)  If someone else wants to try
 to track this down, please feel free.  If the problem trail leads down into
 the devstat code, I'll be glad to try and help you debug it.  (I don't know
 anything about curses, so I won't be of much use there.)
 
 Ken
 -- 
 Kenneth Merry
 ken@plutotech.com

From: Tor.Egge@fast.no
To: dg@smp.root.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/8086: "systat -iostat" coredumps when displaying too much history
Date: Sat, 03 Oct 1998 20:49:13 +0200

 When wrefresh() is called with a subwindow as argument, __set_subwin
 might be called with reversed arguments if wrefresh() decides to call
 quickch().  This may cause use of negative array indexes, with a
 resulting segfault.
 
 Since quickch() manipulates the line structures belonging to curscr,
 it looks like all subwindows of curscr should be updated.
 
 Index: refresh.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libcurses/refresh.c,v
 retrieving revision 1.13
 diff -u -r1.13 refresh.c
 --- refresh.c	1996/07/12 18:56:05	1.13
 +++ refresh.c	1998/10/03 18:23:39
 @@ -682,8 +682,8 @@
  		 * Need to repoint any subwindow lines to the rotated
  		 * line structured.
  		 */
 -		for (wp = win->nextp; wp != win; wp = wp->nextp)
 -			__set_subwin(win, wp);
 +		for (wp = curscr->nextp; wp != curscr; wp = wp->nextp)
 +			__set_subwin(wp->orig, wp);
  	}
  }
  
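Review bot: The new loop passes `wp->orig` to `__set_subwin()` for every window reached from `curscr->nextp`, so it depends on `orig` being set for each entry in that ring, and nothing in the hunk shows this. Please confirm that invariant or guard it. The comment above the loop also still reads as if the subwindows of `win` are being repointed. It should say that the walk covers curscr's subwindows because quickch() rotates curscr's line structures, and that `win` is deliberately no longer used here. While touching it, "line structured" in that comment looks like a typo for "line structures".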
 
 - Tor Egge
State-Changed-From-To: open->closed 
State-Changed-By: ken 
State-Changed-When: Mon Oct 12 09:51:51 PDT 1998 
State-Changed-Why:  
I checked in Tor's patch in revision 1.14 of src/lib/libcurses/refresh.c. 


Responsible-Changed-From-To: freebsd-bugs->ken 
Responsible-Changed-By: ken 
Responsible-Changed-When: Mon Oct 12 09:51:51 PDT 1998 
Responsible-Changed-Why:  
I checked in the patch. 
>Unformatted:
