GNU bug report logs - #71694
30.0.50; heap-use-after-free in tty_defined_color

Package: emacs;

Reported by: Daniel Clemente <n142857 <at> gmail.com>

Date: Fri, 21 Jun 2024 10:48:02 UTC

Severity: normal

Merged with 71693

Found in version 30.0.50

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Daniel Clemente <n142857 <at> gmail.com>
Subject: bug#71694: closed (Re: bug#71694: 30.0.50; heap-use-after-free in tty_defined_color)
Date: Sat, 01 Mar 2025 02:00:04 +0000
Your bug report

#71694: 30.0.50; heap-use-after-free in tty_defined_color

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 71694 <at> debbugs.gnu.org.

-- 
71694: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71694
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

From: Stefan Kangas <stefankangas <at> gmail.com>
To: Daniel Clemente <n142857 <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 71694-done <at> debbugs.gnu.org
Subject: Re: bug#71694: 30.0.50; heap-use-after-free in tty_defined_color
Date: Fri, 28 Feb 2025 17:59:35 -0800
Daniel Clemente <n142857 <at> gmail.com> writes:

> On Fri, 21 Jun 2024 at 14:22, Eli Zaretskii <eliz <at> gnu.org> wrote:
>>
>> > From: Daniel Clemente <n142857 <at> gmail.com>
>> > Date: Fri, 21 Jun 2024 10:47:01 +0000
>> >
>> > I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
>> > I opened the daemon inside gdb with emacs --fg-daemon -Q
>> >
>> > I don't remember what exactly I was doing here, but it only involved
>> > slowly opening 2 or 3 terminals like this
>> > urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
>> > and then I might have opened 2 or 3 with this (in the same session)
>> > xterm -e "emacsclient" "-c" "-e" '(dired "~")'
>> > Plus switching between them and closing them.
>> > However that's not a reproduction formula, it's just what I was doing
>> > when this crash randomly happened. I don't know how to reproduce this
>> > yet.
>> >
>> > =================================================================
>> > ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
>> > 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
>> > 0x7fffffff98f8
>> > READ of size 1 at 0x625000123b30 thread T0
>> >     #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
>>
>> I think this is bogus: -fsanitize doesn't understand the Emacs memory
>> management, in particular what's going in GC when we relocate strings.
>>
>
> I also used -fsanitize=undefined,address,bounds-strict,float-cast-overflow
> without realizing that undefined+address seem to be incompatible;
> sorry.
>
> This -fsanitize „not understanding“ memory management could be
> explained in etc/DEBUG. But this seems advanced so I guess developers
> should just get more experience in Emacs memory management before
> enabling this.
>
> (You can close it if you want).

It seems like the outstanding questions here were resolved.

I'm therefore closing this bug report.

>
>> In any case, the line numbers seem off: line 1115 of xfaces.c is a
>> comment.  Are your sources in sync with the Git repository?
>
> My sources were synchronized but my build was a few weeks old:
> d9512da49514623ef3e35524dc894c06f2c0ce20
>
> Line 1115 of xfaces.c was:
>   if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
> in this context:
>
>   /* Defaults.  */
>   color_def->pixel = FACE_TTY_DEFAULT_COLOR;
>   color_def->red = 0;
>   color_def->blue = 0;
>   color_def->green = 0;
>
>   if (*color_name)
>     status = tty_lookup_color (f, build_string (color_name), color_def, NULL);
>
>   if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
>     {
>       if (strcmp (color_name, "unspecified-fg") == 0)
>         color_def->pixel = FACE_TTY_DEFAULT_FG_COLOR;
>       else if (strcmp (color_name, "unspecified-bg") == 0)
>         color_def->pixel = FACE_TTY_DEFAULT_BG_COLOR;
>     }
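The hazard Eli's remark about GC relocating strings points at, shown with a toy that is added here and is not Emacs code: a copying string heap (constructed for this example) in which a raw `char *`, held across a call that can trigger collection the way `color_name` is held across `build_string` in the quoted snippet, ends up pointing at memory the collector has given up. Whether a real sanitizer report of this shape is a genuine bug or noise comes down to whether the collector actually moved that string on that path; the handle-based `fresh_read` is the pattern that is safe either way. `ARENA_BYTES`, `slot`, `compact`, `stale_read` and `fresh_read` are names invented for this example.

```c
#include <string.h>
/* Toy compacting string heap, constructed for this example (not Emacs code).
   compact() moves every live string, so any raw char* taken earlier goes stale. */
#define ARENA_BYTES 256
#define MAX_STRINGS 8
static char   arena[2][ARENA_BYTES];  /* two half-spaces, copying-collector style */
static int    live = 0;               /* half-space currently holding live data */
static size_t used = 0;               /* bytes used in the live half-space */
static char  *slot[MAX_STRINGS];      /* handle -> current data pointer */
static int    nslots = 0;

/* Copy s into the live half-space; return its handle, or -1 when full. */
static int str_alloc(const char *s)
{
    size_t n = strlen(s) + 1;
    if (nslots == MAX_STRINGS || used + n > ARENA_BYTES)
        return -1;
    slot[nslots] = memcpy(arena[live] + used, s, n);
    used += n;
    return nslots++;
}
/* Relocate every live string, then scribble over the old half-space; a real
   GC would free or poison it, which is what a sanitizer then reports. */
static void compact(void)
{
    int to = 1 - live;
    size_t off = 0;
    for (int i = 0; i < nslots; i++) {
        size_t n = strlen(slot[i]) + 1;
        slot[i] = memcpy(arena[to] + off, slot[i], n);
        off += n;
    }
    memset(arena[live], 'X', ARENA_BYTES);
    live = to, used = off;
}
/* Hazardous pattern: a raw pointer held across a call that may collect
   (compact() stands in for an allocating call such as build_string). */
static int stale_read(int h)
{
    const char *name = slot[h];
    compact();
    return *name;                 /* reads the scribbled old location: 'X' */
}

/* Safe pattern: keep the handle and re-derive the pointer after the call. */
static int fresh_read(int h)
{
    compact();
    return *slot[h];
}
```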

This bug report was last modified 164 days ago.
