GNU bug report logs - #58042
29.0.50; ASAN use-after-free in re_match_2_internal

Package: emacs;

Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>

Date: Sat, 24 Sep 2022 13:46:01 UTC

Severity: normal

Found in version 29.0.50

Fixed in version 29.1

Done: Gerd Möllmann <gerd.moellmann <at> gmail.com>


Message #194 received at 58042 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Po Lu <luangruo <at> yahoo.com>
Cc: Gerd Möllmann <gerd.moellmann <at> gmail.com>,
 Eli Zaretskii <eliz <at> gnu.org>, 58042 <at> debbugs.gnu.org,
 Alan Third <alan <at> idiocy.org>
Subject: Re: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Mon, 08 May 2023 10:01:47 -0400

>>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
>>> a web search, this is an event handler method that is also called
>>> by the framework?
>>>
>>> In the olden days, it was a serious error to call into Lisp from an
>>> event handler.  All bets were off when that happened, not only related
>>> to GC.  I believe that hasn't changed much.
>
> Today, event handling code calls Lisp all the time (through safe_call
> etc.)  That happens in handle_one_xevent, ns_select, et cetera.

Really?

> It shouldn't affect GC at all because input is blocked for the entire
> duration of each GC, except for when finalizers are run after unmarked
> objects are swept.

The problem was not if it's run from within the GC, the problem was what
this code does when *it* runs the GC (or other state-changing functions).
[ And indeed, the fix Gerd installed was to prevent GC while running
  pending_signals.  But I suspect this is not sufficient because there
  are other forms of global state that can get messed up.  ]

In bug#62732 we have a related problem when code is run from `maybe_quit`
(an atimer in that case) from within the regexp engine, and that atimer
itself performs a regexp operation, which messes up the outer regexp
engine invocation because the regexp engine is still not re-entrant (in
that bug, the problem is the `gl_state` global variable).


        Stefan
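A model of the re-entrancy failure Stefan describes, where a global such as `gl_state` is clobbered when a quit hook runs a nested match; this is an added example, not Emacs code, and the matcher, the `quit_hook` type, the `g_state` global and the save/restore mitigation are all hypothetical stand-ins.

```c
#include <stddef.h>

/* Hypothetical stand-in for a global like gl_state: the matcher keeps
 * its cursor here instead of on the stack, so it is not re-entrant. */
struct match_state { const char *str; size_t pos; };
static struct match_state g_state;

/* Stand-in for maybe_quit: a hook that may run arbitrary code (an atimer). */
typedef void (*quit_hook)(void);

/* Count bytes equal to c in s, calling hook before each step. */
static size_t count_unsafe(const char *s, char c, quit_hook hook)
{
    size_t n = 0;
    g_state.str = s; g_state.pos = 0;
    for (;;) {
        if (hook) hook();                 /* a nested match may clobber g_state */
        char ch = g_state.str[g_state.pos];
        if (ch == '\0') break;            /* clobbered state ends the loop early */
        if (ch == c) n++;
        g_state.pos++;
    }
    return n;
}

/* Same matcher, but the global is saved before the hook and restored after
 * (one possible mitigation; an assumption, not the fix used in Emacs). */
static size_t count_safe(const char *s, char c, quit_hook hook)
{
    size_t n = 0;
    g_state.str = s; g_state.pos = 0;
    for (;;) {
        if (hook) {
            struct match_state saved = g_state;
            hook();
            g_state = saved;              /* undo whatever the nested call did */
        }
        char ch = g_state.str[g_state.pos];
        if (ch == '\0') break;
        if (ch == c) n++;
        g_state.pos++;
    }
    return n;
}

/* Hook that itself runs a match, like the atimer in bug#62732. */
static void reentrant_hook(void) { count_unsafe("xx", 'x', NULL); }

/* Outer match on constructed input "aXbXcX": the correct count of 'X' is 3. */
size_t demo_unsafe(void) { return count_unsafe("aXbXcX", 'X', reentrant_hook); }
size_t demo_safe(void)   { return count_safe("aXbXcX", 'X', reentrant_hook); }
```

With the nested call active, `demo_unsafe` returns 0 because the inner match leaves `g_state` pointing at the end of its own string, while `demo_safe` returns the expected 3.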
