GNU bug report logs -
#56095
29.0.50; nsterm.m, use after free
Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Date: Sun, 19 Jun 2022 15:18:01 UTC
Severity: normal
Found in version 29.0.50
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your message dated Wed, 22 Jun 2022 16:53:31 +0300
with message-id <837d58kdno.fsf <at> gnu.org>
and subject line Re: bug#56095: 29.0.50; nsterm.m, use after free
has caused the debbugs.gnu.org bug report #56095,
regarding 29.0.50; nsterm.m, use after free
to be marked as done.
[Message part 2 (message/rfc822, inline)]
So, I'm trying Emacs on MacOS now, get some non-reproducible
crashes, built master with ASAN, and the first thing it found is this:
==61522==ERROR: AddressSanitizer: heap-use-after-free on address 0x00012d7deb90 at pc 0x0001008c1514 bp 0x00016fdf7230 sp 0x00016fdf7228
WRITE of size 8 at 0x00012d7deb90 thread T0
==61522==WARNING: Can't read from symbolizer at fd 25
==61522==WARNING: Can't read from symbolizer at fd 26
==61522==WARNING: Can't read from symbolizer at fd 27
==61522==WARNING: Can't read from symbolizer at fd 28
==61522==WARNING: Failed to use and restart external symbolizer!
#0 0x1008c1510 in wset_vertical_scroll_bar+0x4c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008c1510)
#1 0x1008c19a0 in -[EmacsScroller judge]+0x360 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008c19a0)
#2 0x1008d641c in ns_judge_scroll_bars+0x224 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008d641c)
#3 0x1000fa4ec in redisplay_internal+0x4ca4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000fa4ec)
...
0x00012d7deb90 is located 656 bytes inside of 4096-byte region [0x00012d7de900,0x00012d7df900)
freed by thread T0 here:
#0 0x1031c7c94 in wrap_free+0x98 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fc94)
#1 0x1009aec74 in rpl_free+0x7c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1009aec74)
#2 0x100598488 in xfree+0x38 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598488)
#3 0x1005bad4c in sweep_vectors+0x2f4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005bad4c)
#4 0x1005acf58 in gc_sweep+0x20 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005acf58)
#5 0x1005ab1a4 in garbage_collect+0x9f0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005ab1a4)
#6 0x1005aa720 in maybe_garbage_collect+0x28 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005aa720)
#7 0x100641714 in maybe_gc+0x54 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100641714)
#8 0x10063a9f0 in Ffuncall+0x3c8 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10063a9f0)
#9 0x10063d468 in internal_condition_case_n+0x1d4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10063d468)
#10 0x1000d52b8 in safe__call+0x16a8 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d52b8)
#11 0x1000d3b60 in safe_call+0x164 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d3b60)
#12 0x1000d542c in safe_call1+0x28 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d542c)
#13 0x10019c5b8 in handle_fontified_prop+0xb04 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10019c5b8)
#14 0x100196e0c in handle_stop+0x324 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100196e0c)
#15 0x1001a9294 in next_element_from_buffer+0xa18 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001a9294)
#16 0x1000a639c in get_next_display_element+0x29c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000a639c)
#17 0x10011344c in display_line+0x1dd4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10011344c)
#18 0x1001104e4 in try_window+0x564 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001104e4)
#19 0x1001e6c28 in redisplay_window+0x70e0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001e6c28)
...
previously allocated by thread T0 here:
#0 0x1031c7b58 in wrap_malloc+0x94 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fb58)
#1 0x100598138 in lmalloc+0x44 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598138)
#2 0x100598054 in xmalloc+0x40 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598054)
#3 0x1005b28f4 in allocate_vector_block+0x20 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005b28f4)
#4 0x1005b2640 in allocate_vector_from_block+0x2a0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005b2640)
#5 0x1005a4c54 in allocate_vectorlike+0x70 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005a4c54)
#6 0x1005a4b40 in allocate_pseudovector+0x38 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005a4b40)
#7 0x1002838cc in allocate_window+0x18 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1002838cc)
#8 0x100288a78 in make_parent_window+0x3c (/Users/gerd/repos/emacs/src/emacs:arm64+0x100288a78)
#9 0x100287508 in Fsplit_window_internal+0xbc0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100287508)
...
That is, EmacsScroller modifies a struct window that has already been
freed during a GC that was triggered during redisplay.
AFAICS, EmacsScroller is part of ns_display_info and holds a pointer to a
struct window. AFAICS, nothing is marking that window during GC, so...
Sorry, no patch because I don't really know what I'm doing ;-).
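The failure described above, reduced to a toy model as an added example (this is not Emacs code and not the installed patch): a mark-sweep collector frees a window that only a non-Lisp object still points to, and a flag shows what happens when that reference is marked too. All names and the heap layout are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Toy model of the bug pattern, added here as an example; it is not Emacs
   code. A mark-sweep collector owns "window" objects; a "scroller" living
   outside the collected heap (like EmacsScroller) keeps a raw pointer to one. */
#define HEAP_SLOTS 4

struct window { bool live; bool marked; long vertical_scroll_bar; };
struct scroller { struct window *window; };
struct gc_outcome { bool kept_window_live; bool scroller_window_freed; };

static struct window heap[HEAP_SLOTS];   /* live/free flags stand in for malloc/free */
static struct window *roots[HEAP_SLOTS]; /* windows the Lisp window tree still holds */
static size_t nroots;

static struct window *allocate_window(void) {
  for (size_t i = 0; i < HEAP_SLOTS; i++)
    if (!heap[i].live) { heap[i].live = true; return &heap[i]; }
  return NULL;
}

/* mark_scroller_refs: also treat the scroller's pointer as a GC reference,
   the remedy the report points at (an assumption of this example). */
static void garbage_collect(const struct scroller *s, bool mark_scroller_refs) {
  for (size_t i = 0; i < nroots; i++) roots[i]->marked = true;
  if (mark_scroller_refs && s->window) s->window->marked = true;
  for (size_t i = 0; i < HEAP_SLOTS; i++) {          /* sweep_vectors */
    if (heap[i].live && !heap[i].marked) heap[i].live = false;   /* xfree */
    heap[i].marked = false;
  }
}

/* One redisplay cycle: a GC runs, then the scroller's judge step writes to
   its window, as wset_vertical_scroll_bar did in the ASan trace. */
struct gc_outcome run_gc_scenario(bool mark_scroller_refs) {
  memset(heap, 0, sizeof heap);
  nroots = 0;
  struct window *kept = allocate_window();          /* still in the window tree */
  roots[nroots++] = kept;
  struct window *gone = allocate_window();          /* removed from the tree... */
  struct scroller s = { .window = gone };           /* ...but the scroller kept it */
  garbage_collect(&s, mark_scroller_refs);
  struct gc_outcome out = { kept->live, !s.window->live };
  /* In Emacs this write hits memory xfree returned to malloc; here the slot is
     static storage, so the toy records the condition instead of crashing. */
  s.window->vertical_scroll_bar = 0;
  return out;
}
```

Without marking, the scroller's window is swept while the rooted window survives; with marking, both stay live and the write is safe.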
[Message part 3 (message/rfc822, inline)]
> Cc: 56095 <at> debbugs.gnu.org
> Date: Wed, 22 Jun 2022 09:30:08 +0800
> From: Po Lu via "Bug reports for GNU Emacs,
> the Swiss army knife of text editors" <bug-gnu-emacs <at> gnu.org>
>
> Gerd Möllmann <gerd.moellmann <at> gmail.com> writes:
>
> > Please find a patch for that attached.
>
> LGTM, thanks.
Thanks, I installed this on master (after adding the bug number to the
commit log message).
Btw, Gerd, I think you still have write access to the project's
repository, so in principle you could install changes yourself.
(If that doesn't work, let me know.)
This bug report was last modified 3 years and 48 days ago.