Description
yabai -m config layout stack silently crashes (segfault) when a space contains more than 32 manageable windows.
Root cause
view_stack_window_node() in src/view.c:730 writes into fixed-size arrays (window_list and window_order) of NODE_MAX_WINDOW_COUNT (32) elements with no bounds check. When window_count exceeds 32, the memmove calls and array writes overflow the buffer, corrupt the window_node struct, and cause a segfault.
How to reproduce
- Open 33+ windows on a single space (e.g., Chrome windows)
- Run
yabai -m config layout stack
- yabai crashes silently — no error message, the process just dies
A common scenario: after a macOS restart, Chrome restores all its windows onto a single space. With 40-50+ Chrome windows this reliably triggers the crash.
Suggested fix
- Increase
NODE_MAX_WINDOW_COUNT (e.g., to 128)
- Add a bounds check in
view_stack_window_node() to return failure when the limit is reached
- Handle the failure in callers (
view_add_window_node_with_insertion_point)
Environment
- macOS 26 Tahoe
- yabai v7.1.17
Description
yabai -m config layout stacksilently crashes (segfault) when a space contains more than 32 manageable windows.Root cause
view_stack_window_node()insrc/view.c:730writes into fixed-size arrays (window_listandwindow_order) ofNODE_MAX_WINDOW_COUNT(32) elements with no bounds check. Whenwindow_countexceeds 32, thememmovecalls and array writes overflow the buffer, corrupt thewindow_nodestruct, and cause a segfault.How to reproduce
yabai -m config layout stackA common scenario: after a macOS restart, Chrome restores all its windows onto a single space. With 40-50+ Chrome windows this reliably triggers the crash.
Suggested fix
NODE_MAX_WINDOW_COUNT(e.g., to 128)view_stack_window_node()to return failure when the limit is reachedview_add_window_node_with_insertion_point)Environment