GNU bug report logs - #58334
29.0.50; ASAN heap use after free in gui_produce_glyphs


Package: emacs;

Reported by: Gerd Möllmann <gerd.moellmann <at> gmail.com>

Date: Thu, 6 Oct 2022 15:04:01 UTC

Severity: normal

Found in version 29.0.50



Message #8 received at 58334 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Gerd Möllmann <gerd.moellmann <at> gmail.com>
Cc: 58334 <at> debbugs.gnu.org
Subject: Re: bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs
Date: Thu, 06 Oct 2022 19:00:50 +0300
> From: Gerd Möllmann <gerd.moellmann <at> gmail.com>
> Date: Thu, 06 Oct 2022 17:03:17 +0200
> 
> This is again on my local branch based on master.  Recent fixes for ASAN
> are contained in that branch.  It seems to be pretty good at producing
> this...
> 
> ==19549==ERROR: AddressSanitizer: heap-use-after-free on address 0x0001393095c0 at pc 0x000100144340 bp 0x00016fdc16b0 sp 0x00016fdc16a8
> READ of size 4 at 0x0001393095c0 thread T0
>     #0 0x10014433c in gui_produce_glyphs xdisp.c:31875
>     #1 0x1000a8bc0 in move_it_in_display_line_to xdisp.c:9813
>     #2 0x10009a5c0 in move_it_to xdisp.c:10373
>     #3 0x1000dcbac in move_it_vertically_backward xdisp.c:10745
>     #4 0x100089ca4 in move_it_by_lines xdisp.c:10940
>     #5 0x10055a7a4 in Fvertical_motion indent.c:2381

Sigh...

> The problem here, it seems to me, is that the redisplay done in
> -[EmacsView layoutSublayersOfLayer:] nsterm.m:8675, frees realized faces
> at a moment that the code cannot expect.

Right.

> I'm too lazy to look further.  I'm pretty sure the story goes pretty
> much like what we had before with relocating strings.
> 
> Is there a way to prevent freeing realized faces?

Yes: set inhibit_free_realized_faces non-zero (and record
unwind_protect to restore it).

It sounds like we need to do that in probably_quit, at least for NS
builds, because it could trigger redisplay, sigh...
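The pattern discussed in the exchange above, as an added illustration that is not Emacs source and not part of this bug thread: an iterator holds a pointer into a face cache, a reentrant callback (standing in for the layout hook triggering redisplay) frees that cache underneath it, and a global inhibit flag saved and restored unwind-protect style keeps the entry alive until the iterator is done. All names here (face_cache, reentrant_redisplay, unwind_save_int, the frees_deferred counter) are this model's own; only the idea of an inhibit_free_realized_faces flag comes from the thread. The unsafe variant reports the dangling read by checking a generation counter instead of actually dereferencing freed memory, which is what ASan flagged in the real build.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model (not Emacs code): a cache of realized faces. */
struct face { int id; int ascent; };

struct face_cache {
    struct face *faces[4];
    int used;
    int freed_generation;   /* bumped each time the cache is really freed */
};

/* Flag named after the one the thread mentions; the deferred counter is
   this model's own bookkeeping so the test can see a free was skipped. */
static int inhibit_free_realized_faces = 0;
static int frees_deferred = 0;

static void cache_fill(struct face_cache *c)
{
    for (int i = 0; i < 4; i++) {
        c->faces[i] = malloc(sizeof *c->faces[i]);
        c->faces[i]->id = i;
        c->faces[i]->ascent = 10 + i;
    }
    c->used = 4;
}

/* Frees every realized face unless freeing is currently inhibited. */
static void free_realized_faces(struct face_cache *c)
{
    if (inhibit_free_realized_faces) { frees_deferred++; return; }
    for (int i = 0; i < c->used; i++) { free(c->faces[i]); c->faces[i] = NULL; }
    c->used = 0;
    c->freed_generation++;
}

/* Stand-in for the reentrant path: layout hook -> redisplay -> free faces. */
static void reentrant_redisplay(struct face_cache *c) { free_realized_faces(c); }

/* Minimal unwind-protect: set a new value now, restore the old one later. */
struct unwind_int { int *var; int saved; };
static struct unwind_int unwind_save_int(int *var, int newval)
{ struct unwind_int u = { var, *var }; *var = newval; return u; }
static void unwind_restore_int(struct unwind_int u) { *u.var = u.saved; }

/* Unsafe: take a face pointer, run code that may reenter redisplay, then
   read through the pointer.  Returns -1 when that read would be a
   heap-use-after-free (cache generation changed) rather than performing it. */
static int produce_glyphs_unsafe(struct face_cache *c, int face_id)
{
    struct face *f = c->faces[face_id];
    int gen = c->freed_generation;
    reentrant_redisplay(c);                   /* frees f out from under us */
    if (c->freed_generation != gen) return -1;  /* f now dangles */
    return f->ascent;
}

/* Safe: same sequence, but freeing is inhibited while f is in use and the
   flag is restored on the way out; the skipped free happens later. */
static int produce_glyphs_safe(struct face_cache *c, int face_id)
{
    struct unwind_int u = unwind_save_int(&inhibit_free_realized_faces, 1);
    struct face *f = c->faces[face_id];
    reentrant_redisplay(c);                   /* deferred: f stays valid */
    int ascent = f->ascent;
    unwind_restore_int(u);
    return ascent;
}

int main(void)
{
    struct face_cache c = {0};
    cache_fill(&c);
    printf("unsafe: %d\n", produce_glyphs_unsafe(&c, 2));
    cache_fill(&c);
    printf("safe:   %d (frees deferred: %d)\n", produce_glyphs_safe(&c, 2), frees_deferred);
    free_realized_faces(&c);                  /* flag restored, so this one runs */
    printf("cache entries after deferred free: %d\n", c.used);
    return 0;
}
```

The point is not the flag itself but its scoping: it is set only around the stretch where the iterator holds raw face pointers, and restored through an unwind record so that an early exit or non-local exit cannot leave freeing disabled forever; once the flag is back to zero, the next free_realized_faces call does the work that was postponed.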



