GNU bug report logs - #58042
29.0.50; ASAN use-after-free in re_match_2_internal

Previous Next

Full log

Message #110 received at 58042 <at> debbugs.gnu.org (full text, mbox):

From: Po Lu <luangruo <at> yahoo.com>
To: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 58042 <at> debbugs.gnu.org,
 Alan Third <alan <at> idiocy.org>
Subject: Re: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Wed, 05 Oct 2022 20:05:07 +0800

Gerd Möllmann <gerd.moellmann <at> gmail.com> writes:

> Po Lu <luangruo <at> yahoo.com> writes:
>
>> I'm going to guess that window_sub_list is returning a window that was
>> not marked during GC.  It's a problem that also exists with my
>> incremental garbage collector.  Does this help?
>>
>> diff --git a/src/alloc.c b/src/alloc.c
>> index 419c5e558b..522925d248 100644
>> --- a/src/alloc.c
>> +++ b/src/alloc.c
>> @@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
>>        mark_glyph_matrix (w->desired_matrix);
>>      }
>>  
>> +  if (w->next)
>> +    mark_window (w->next);
>> +
>>    /* Filter out killed buffers from both buffer lists
>>       in attempt to help GC to reclaim killed buffers faster.
>>       We can do it elsewhere for live windows, but this is the
>
> Indeed, that seems to work!

Could you please replace that code with:

  if (!NILP (w->next)
      && !vectorlike_marked_p (&XWINDOW (w->next)->header))
    emacs_abort ();

And see if Emacs ever aborts?

I just remembered that the old garbage collector does not work the same
way as the one in my branch, so that bug shouldn't be possible.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.