Package: emacs
Reported by: Mark Oteiza <mvoteiza <at> udel.edu>
Date: Wed, 29 Oct 2014 15:32:01 UTC
Severity: important
Merged with 16427
Found in version 25.0.50
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Mark Oteiza <mvoteiza <at> udel.edu>
To: bug-gnu-emacs <at> gnu.org
Subject: 25.0.50; build fails with ASan enabled
Date: Wed, 29 Oct 2014 11:31:17 -0400

Hi,

For debugging another project, I resorted to using gcc's address
sanitizer to help track down a bug, and it actually helped find others
along the way. I came across a crash in emacs and decided to build
trunk with the address sanitizer enabled.

The build failed with this output on Arch Linux. The build config is
the same as below except without optimization and with
-fsanitize=address in CFLAGS and LDFLAGS.

Loading /tmp/makepkg/emacs-git/src/emacs/lisp/tooltip.el (source)...
Finding pointers to doc strings...
Finding pointers to doc strings...done
Dumping under the name emacs
=================================================================
==6778==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000cf9d70 at pc 0x7ffff6f2fd1a bp 0x7fffffffc6a0 sp 0x7fffffffbe48
READ of size 3601184 at 0x000000cf9d70 thread T0
    #0 0x7ffff6f2fd19 in __interceptor_memcpy.part.38 (/usr/lib/libasan.so.1+0x2fd19)
    #1 0x91421d in unexec /tmp/makepkg/emacs-git/src/emacs/src/unexelf.c:1060
    #2 0x7304f1 in Fdump_emacs /tmp/makepkg/emacs-git/src/emacs/src/emacs.c:2116
    #3 0x88066e in eval_sub /tmp/makepkg/emacs-git/src/emacs/src/eval.c:2181
    #4 0x8778e3 in Fprogn /tmp/makepkg/emacs-git/src/emacs/src/eval.c:455
    #5 0x880106 in eval_sub /tmp/makepkg/emacs-git/src/emacs/src/eval.c:2128
    #6 0x87751a in Fif /tmp/makepkg/emacs-git/src/emacs/src/eval.c:406
    #7 0x880106 in eval_sub /tmp/makepkg/emacs-git/src/emacs/src/eval.c:2128
    #8 0x8dbabf in readevalloop /tmp/makepkg/emacs-git/src/emacs/src/lread.c:1966
    #9 0x8d89d3 in Fload /tmp/makepkg/emacs-git/src/emacs/src/lread.c:1361
    #10 0x880767 in eval_sub /tmp/makepkg/emacs-git/src/emacs/src/eval.c:2192
    #11 0x87f587 in Feval /tmp/makepkg/emacs-git/src/emacs/src/eval.c:1993
    #12 0x734663 in top_level_2 /tmp/makepkg/emacs-git/src/emacs/src/keyboard.c:1206
    #13 0x87c2b4 in internal_condition_case /tmp/makepkg/emacs-git/src/emacs/src/eval.c:1344
    #14 0x734703 in top_level_1 /tmp/makepkg/emacs-git/src/emacs/src/keyboard.c:1214
    #15 0x87ab0c in internal_catch /tmp/makepkg/emacs-git/src/emacs/src/eval.c:1105
    #16 0x734448 in command_loop /tmp/makepkg/emacs-git/src/emacs/src/keyboard.c:1175
    #17 0x732d58 in recursive_edit_1 /tmp/makepkg/emacs-git/src/emacs/src/keyboard.c:786
    #18 0x7330f4 in Frecursive_edit /tmp/makepkg/emacs-git/src/emacs/src/keyboard.c:857
    #19 0x72e5d9 in main /tmp/makepkg/emacs-git/src/emacs/src/emacs.c:1623
    #20 0x7ffff0bc903f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
    #21 0x413818 (/tmp/makepkg/emacs-git/src/emacs/src/temacs+0x413818)

0x000000cf9d70 is located 0 bytes to the right of global variable 'Sredraw_frame' from 'dispnew.c' (0xcf9d40) of size 48
0x000000cf9d70 is located 48 bytes to the left of global variable 'Sredraw_display' from 'dispnew.c' (0xcf9da0) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __interceptor_memcpy.part.38
Shadow bytes around the buggy address:
  0x000080197350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080197360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080197370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080197380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080197390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801973a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
  0x0000801973b0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x0000801973c0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000801973d0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
  0x0000801973e0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x0000801973f0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==6778==ABORTING
Makefile:833: recipe for target 'bootstrap-emacs' failed
make[1]: *** [bootstrap-emacs] Error 1
make[1]: Leaving directory '/tmp/makepkg/emacs-git/src/emacs/src'
Makefile:380: recipe for target 'src' failed
make: *** [src] Error 2

In GNU Emacs 25.0.50.1 (x86_64-unknown-linux-gnu, X toolkit, Xaw scroll bars)
 of 2014-10-28 on logos
Configured using:
 `configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
 --localstatedir=/var --with-x-toolkit=lucid 'CFLAGS=-march=x86-64
 -mtune=generic -O2 -pipe -fstack-protector-strong
 --param=ssp-buffer-size=4 -g -fvar-tracking-assignments'
 CPPFLAGS=-D_FORTIFY_SOURCE=2
 LDFLAGS=-Wl,-O2,--sort-common,--as-needed,-z,relro'

Configured features:
XPM JPEG TIFF GIF PNG RSVG IMAGEMAGICK SOUND GPM DBUS GSETTINGS NOTIFY
ACL GNUTLS LIBXML2 FREETYPE M17N_FLT LIBOTF XFT ZLIB

Important settings:
  value of $LC_COLLATE: C
  value of $LANG: en_US.UTF-8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  flycheck-mode: t
  company-mode: t
  show-paren-mode: t
  savehist-mode: t
  winner-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  electric-indent-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  size-indication-mode: t
  column-number-mode: t
  line-number-mode: t

Recent input:
ESC [ > 8 4 ; 0 ; 0 c ESC x r e p o TAB r TAB RET

Recent messages:
Loading /home/mvo/.cache/emacs/custom.el (source)...done
Loading /home/mvo/.emacs.d/site-lisp/loaddefs.el (source)...done
For information about GNU Emacs and the GNU system, type C-h C-a.
Making completion list...

Load-path shadows:
/usr/share/emacs/25.0.50/lisp/loaddefs hides /home/mvo/.emacs.d/site-lisp/loaddefs
/usr/share/emacs/25.0.50/lisp/env hides /home/mvo/.emacs.d/site-lisp/expand-region/features/support/env

Features:
(shadow sort gnus-util mail-extr emacsbug message idna dired format-spec
rfc822 mml mml-sec mm-decode mm-bodies mm-encode mail-parse rfc2231
mailabbrev gmm-utils mailheader sendmail rfc2047 rfc2045 ietf-drums
mm-util help-fns mail-prsvr mail-utils xterm flycheck find-func
help-mode rx easymenu subr-x pcase dash company-files company-oddmuse
company-keywords company-etags etags company-gtags company-dabbrev-code
company-dabbrev company-capf company-cmake company-ropemacs
company-xcode company-clang company-semantic company-eclim
company-template company-css company-nxml company-bbdb company package
epg-config windmove edmacro kmacro cl-loaddefs cl-lib saveplace paren
time-date savehist winner ring zenburn-theme tooltip eldoc electric
uniquify ediff-hook vc-hooks lisp-float-type mwheel x-win x-dnd tool-bar
dnd fontset image regexp-opt fringe tabulated-list newcomment elisp-mode
lisp-mode prog-mode register page menu-bar rfn-eshadow timer select
scroll-bar mouse jit-lock font-lock syntax facemenu font-core frame cham
georgian utf-8-lang misc-lang vietnamese tibetan thai tai-viet lao
korean japanese hebrew greek romanian slovak czech european ethiopic
indian cyrillic chinese case-table epa-hook jka-cmpr-hook help simple
abbrev minibuffer nadvice loaddefs button faces cus-face macroexp files
text-properties overlay sha1 md5 base64 format env code-pages mule
custom widget hashtable-print-readable backquote make-network-process
dbusbind gfilenotify dynamic-setting system-font-setting
font-render-setting x-toolkit x multi-tty emacs)

Memory information:
((conses 16 116916 5465)
 (symbols 48 21555 0)
 (miscs 40 59 98)
 (strings 32 25050 6012)
 (string-bytes 1 669887)
 (vectors 16 17375)
 (vector-slots 8 1131936 209498)
 (floats 8 93 614)
 (intervals 56 234 0)
 (buffers 976 12)
 (heap 1024 46990 1175))
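
Added example, not part of the original report or of the Emacs sources: how the shadow dump in the report maps onto the addresses it names. It assumes ASan's default x86_64 Linux mapping, shadow = (addr >> 3) + 0x7fff8000, which the report does not state; the addresses and the two shadow rows are copied from the report, and the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not stated in the report): ASan's default x86_64 Linux
   mapping, shadow = (addr >> 3) + 0x7fff8000. The shift of 3 matches the
   legend's "one shadow byte represents 8 application bytes". */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 0x7fff8000ULL

/* Values copied from the report. */
#define FAULT_ADDR  0x000000cf9d70ULL /* address in the ERROR line */
#define GLOBAL_ADDR 0x000000cf9d40ULL /* 'Sredraw_frame', size 48 */
#define GLOBAL_SIZE 48ULL
#define NEXT_GLOBAL 0x000000cf9da0ULL /* 'Sredraw_display' */
#define DUMP_BASE   0x0000801973a0ULL /* shadow row marked "=>" */

/* The "=>" row and the row after it, as printed in the shadow dump. */
static const uint8_t dump[32] = {
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xf9,0xf9,
    0xf9,0xf9,0xf9,0xf9,0,0,0,0,0,0,0xf9,0xf9,0xf9,0xf9,0xf9,0xf9
};

uint64_t shadow_of(uint64_t addr) {
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET;
}

/* Shadow byte the dump shows for addr, or -1 outside the two rows. */
int dumped_shadow(uint64_t addr) {
    uint64_t s = shadow_of(addr);
    if (s < DUMP_BASE || s >= DUMP_BASE + sizeof dump) return -1;
    return dump[s - DUMP_BASE];
}

/* Application bytes poisoned as global redzone (f9) starting at addr. */
uint64_t redzone_bytes(uint64_t addr) {
    uint64_t n = 0;
    while (dumped_shadow(addr + n) == 0xf9) n += 8;
    return n;
}

int main(void) {
    uint64_t end = GLOBAL_ADDR + GLOBAL_SIZE;
    printf("shadow(fault) = 0x%llx, column %llu of the => row\n",
           (unsigned long long)shadow_of(FAULT_ADDR),
           (unsigned long long)(shadow_of(FAULT_ADDR) - DUMP_BASE));
    printf("redzone after Sredraw_frame: %llu bytes, ends at 0x%llx\n",
           (unsigned long long)redzone_bytes(end),
           (unsigned long long)(end + redzone_bytes(end)));
    return 0;
}
```

The computed shadow address lands on the bracketed [f9] byte, and the f9 run covers exactly the gap between the end of 'Sredraw_frame' and the start of 'Sredraw_display', which is what the two "is located" lines in the report say.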