nimble-commander
[Bug]: OOB access in term::ScreenBuffer::LineFromNo
Confirmation
- [X] I have read the contributing guidelines
Version of Nimble Commander
v1.7, macOS 15
Distribution Type
Downloaded from GitHub (nightly and test workflows)
Expected Result
No out-of-bounds access happens.
Actual Result
In a Debug build, libc++ triggers an assertion from the hardened mode: _LIBCPP_ASSERT_VALID_ELEMENT_ACCESS(__n < size(), "vector[] index out of bounds");
Steps to reproduce
- Start debugging NC with Xcode.
- Run any long-running console program that outputs much text, e.g. Scripts/run_clang_tidy.sh.
- Start actively resizing NC's window in the process.
- Observe the abort with the following call stack:
#0 0x00000001895aa600 in __pthread_kill ()
#1 0x0000000104cb7fa8 in pthread_kill ()
#2 0x00000001894ef908 in abort ()
#3 0x0000000100cc613c in std::__1::vector<nc::term::ScreenBuffer::Space, std::__1::allocator<nc::term::ScreenBuffer::Space>>::operator[][abi:de180100] at /Applications/Xcode_16_0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX15.0.sdk/usr/include/c++/v1/vector:1393
#4 0x0000000100cc5fe8 in nc::term::ScreenBuffer::LineFromNo at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/Term/source/ScreenBuffer.cpp:60
#5 0x0000000100cc5db0 in nc::term::ScreenBuffer::LineFromNo at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/Term/source/ScreenBuffer.cpp:46
#6 0x0000000100cbbeb4 in -[NCTermView visibleLinesHaveBlinkingCharacters] at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/Term/source/View.mm:1029
#7 0x0000000100cbbd2c in -[NCTermView scanForBlinkingCharacters] at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/Term/source/View.mm:1005
#8 0x0000000100cb4d90 in -[NCTermView drawRect:] at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/Term/source/View.mm:267
#9 0x000000018d3200c8 in _NSViewDrawRect ()
#10 0x000000018dca95a8 in -[NSView _recursive:displayRectIgnoringOpacity:inContext:stopAtLayerBackedViews:] ()
#11 0x000000018d31fabc in -[NSView(NSLayerKitGlue) _drawViewBackingLayer:inContext:drawingHandler:] ()
#12 0x000000018d96ed40 in -[NSViewBackingLayer drawInContext:] ()
#13 0x000000018d55f650 in ___lldb_unnamed_symbol164358 ()
#14 0x000000018d60d34c in ___lldb_unnamed_symbol167667 ()
#15 0x000000018d6088b4 in ___lldb_unnamed_symbol167590 ()
#16 0x000000018d60cf2c in ___lldb_unnamed_symbol167666 ()
#17 0x000000018d60aa9c in ___lldb_unnamed_symbol167636 ()
#18 0x000000018d674ddc in ___lldb_unnamed_symbol169691 ()
#19 0x000000018d67518c in ___lldb_unnamed_symbol169693 ()
#20 0x000000018d96e96c in -[NSViewBackingLayer display] ()
#21 0x000000019211281c in CA::Layer::display_if_needed ()
#22 0x000000019229fea4 in CA::Context::commit_transaction ()
#23 0x00000001920f4db0 in CA::Transaction::commit ()
#24 0x000000018d32f3e8 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke ()
#25 0x000000018dceae8c in ___NSRunLoopObserverCreateWithHandler_block_invoke ()
#26 0x00000001896c97a8 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ ()
#27 0x00000001896c9694 in __CFRunLoopDoObservers ()
#28 0x00000001896c8cc4 in __CFRunLoopRun ()
#29 0x00000001896c8334 in CFRunLoopRunSpecific ()
#30 0x0000000194b000cc in RunCurrentEventLoopInMode ()
#31 0x0000000194b05d1c in ReceiveNextEventCommon ()
#32 0x0000000194b06020 in _BlockUntilNextEventMatchingListInModeWithFilter ()
#33 0x000000018d20ba70 in _DPSNextEvent ()
#34 0x000000018db317b8 in -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] ()
#35 0x0000000100fd6d14 in -[Application nextEventMatchingMask:untilDate:inMode:dequeue:] at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/NimbleCommander/NimbleCommander/Bootstrap/Application.mm:33
#36 0x000000018d4e0724 in -[NSWindow(NSWindowResizing) _resizeWithEvent:] ()
#37 0x000000018d4024b0 in -[NSTitledFrame attemptResizeWithEvent:] ()
#38 0x000000018d4022c8 in -[NSThemeFrame handleMouseDown:] ()
#39 0x000000018d4776dc in -[NSThemeFrame mouseDown:] ()
#40 0x000000018d3a76ec in -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] ()
#41 0x000000018d333044 in -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] ()
#42 0x000000018d332cf4 in -[NSWindow(NSEventRouting) sendEvent:] ()
#43 0x000000018db3059c in -[NSApplication(NSEventRouting) sendEvent:] ()
#44 0x0000000100fd6b40 in -[Application sendEvent:] at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/NimbleCommander/NimbleCommander/Bootstrap/Application.mm:19
#45 0x000000018d743984 in -[NSApplication _handleEvent:] ()
#46 0x000000018d1feba4 in -[NSApplication run] ()
#47 0x000000018d1d544c in NSApplicationMain ()
#48 0x00000001008e6438 in main at /Users/migun/Documents/NimbleCommander/nimblecommander/Source/NimbleCommander/NimbleCommander/Bootstrap/main.cpp:11
#49 0x0000000189260274 in start ()
Additional Information
Likely this issue has been lurking in the code for a very long time, but now libc++'s hardened mode has caught it.
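As an added illustration (constructed for this report, not Nimble Commander's own code), a minimal model of the call path in the trace: a flat vector-backed screen buffer, the unchecked LineFromNo shape beside a bounds-checked one, and the view-side blinking-character scan that stops at the buffer's current height instead of trusting a row count that went stale during a resize. The class layout, method names and the nullptr-on-out-of-range convention are assumptions.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical, simplified screen buffer (constructed for this example, not
// Nimble Commander's code): 'height' lines of 'width' cells in one flat
// vector, the layout the crashing vector<Space>::operator[] frame suggests.
struct Space {
    char ch = ' ';
    bool blink = false;
};

class ScreenBuffer {
public:
    ScreenBuffer(int width, int height) { Resize(width, height); }
    // Reallocates storage; after a shrink, a caller that still holds the old
    // line count will ask for lines that no longer exist.
    void Resize(int width, int height) {
        width_ = width;
        height_ = height;
        cells_.assign(static_cast<size_t>(width) * height, Space{});
    }
    int Width() const { return width_; }
    Space &At(int line, int col) { return cells_[static_cast<size_t>(line) * width_ + col]; }
    // Defect shape from the report: the line number is trusted, so a stale
    // value indexes past the end (libc++ hardened mode aborts in operator[]).
    const Space *LineFromNoUnchecked(int line_no) const {
        return &cells_[static_cast<size_t>(line_no) * width_];
    }
    // Hardened form: validate against the current height at the API boundary
    // and return nullptr so the caller must handle a stale line number.
    const Space *LineFromNo(int line_no) const {
        if (line_no < 0 || line_no >= height_) return nullptr;
        return cells_.data() + static_cast<size_t>(line_no) * width_;
    }
private:
    int width_ = 0, height_ = 0;
    std::vector<Space> cells_;
};

// Mirrors the view-side scan in the call stack: the view walks the rows it
// believes are visible, a count that can be stale while a resize is in flight.
bool VisibleLinesHaveBlinkingCharacters(const ScreenBuffer &buf, int view_rows) {
    for (int row = 0; row < view_rows; ++row) {
        const Space *line = buf.LineFromNo(row);
        if (!line) break; // stale row count: stop rather than index past the buffer
        for (int col = 0; col < buf.Width(); ++col)
            if (line[col].blink) return true;
    }
    return false;
}
```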