GNU bug report logs - #71694
30.0.50; heap-use-after-free in tty_defined_color

Package: emacs;

Reported by: Daniel Clemente <n142857 <at> gmail.com>

Date: Fri, 21 Jun 2024 10:48:02 UTC

Severity: normal

Merged with 71693

Found in version 30.0.50

Done: Stefan Kangas <stefankangas <at> gmail.com>

Bug is archived. No further changes may be made.


Message #6 received at 71694 <at> debbugs.gnu.org:

From: Daniel Clemente <n142857 <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 71694 <at> debbugs.gnu.org
Subject: Re: bug#71694: 30.0.50; heap-use-after-free in tty_defined_color
Date: Wed, 26 Jun 2024 13:29:08 +0000
On Fri, 21 Jun 2024 at 14:22, Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > From: Daniel Clemente <n142857 <at> gmail.com>
> > Date: Fri, 21 Jun 2024 10:47:01 +0000
> >
> > I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> > I opened the daemon inside gdb with emacs --fg-daemon -Q
> >
> > I don't remember what exactly I was doing here, but it only involved
> > slowly opening 2 or 3 terminals like this
> > urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> > and then I might have opened 2 or 3 with this (in the same session)
> > xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> > Plus switching between them and closing them.
> > However that's not a reproduction formula, it's just what I was doing
> > when this crash randomly happened. I don't know how to reproduce this
> > yet.
> >
> > =================================================================
> > ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> > 0x7fffffff98f8
> > READ of size 1 at 0x625000123b30 thread T0
> >     #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
>
> I think this is bogus: -fsanitize doesn't understand the Emacs memory
> management, in particular what's going on in GC when we relocate strings.
>

I also used -fsanitize=undefined,address,bounds-strict,float-cast-overflow
without realizing that undefined+address seem to be incompatible;
sorry.

This -fsanitize "not understanding" memory management could be
explained in etc/DEBUG. But this seems advanced so I guess developers
should just get more experience in Emacs memory management before
enabling this.

(You can close it if you want).

> In any case, the line numbers seem off: line 1115 of xfaces.c is a
> comment.  Are your sources in sync with the Git repository?

My sources were synchronized but my build was a few weeks old:
d9512da49514623ef3e35524dc894c06f2c0ce20

Line 1115 of xfaces.c was:
  if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
in this context:

  /* Defaults.  */
  color_def->pixel = FACE_TTY_DEFAULT_COLOR;
  color_def->red = 0;
  color_def->blue = 0;
  color_def->green = 0;

  if (*color_name)
    status = tty_lookup_color (f, build_string (color_name), color_def, NULL);

  if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
    {
      if (strcmp (color_name, "unspecified-fg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_FG_COLOR;
      else if (strcmp (color_name, "unspecified-bg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_BG_COLOR;
    }

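To make the relocation point concrete, here is an added toy model, not Emacs's allocator and not code from xfaces.c: a compacting "gc" moves string data, so a caller that keeps a raw char * across a call that can collect ends up holding a dangling pointer (the shape ASan would report at the quoted line), while a caller that keeps a handle and re-derives the pointer afterwards reads the relocated copy. The names heap_gc, lookup_that_may_gc and heap_data are invented for the example, and it does not decide whether this particular report is genuine.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy relocating string heap, constructed for this example (not Emacs's
   allocator).  Strings are addressed by offset; "gc" copies live bytes to a
   fresh block and frees the old one, so char * taken earlier dangle. */
static struct { char *base; size_t used, cap; } H;

static size_t heap_alloc_string(const char *s)      /* returns a stable handle */
{
    size_t n = strlen(s) + 1, off = H.used;
    if (!H.base) { H.cap = 64; H.base = malloc(H.cap); }
    if (!H.base || off + n > H.cap) abort();        /* toy: no growth path */
    memcpy(H.base + off, s, n);
    H.used += n;
    return off;
}

static char *heap_data(size_t off) { return H.base + off; }   /* like SSDATA */

static void heap_gc(void)
{
    char *fresh = malloc(H.cap);     /* allocated before the free, so the */
    if (!fresh) abort();             /* old and new blocks never alias */
    memcpy(fresh, H.base, H.used);
    free(H.base);
    H.base = fresh;
}

/* Stand-in for a callee that allocates and may therefore collect, as
   build_string/tty_lookup_color can in the quoted xfaces.c code. */
static void lookup_that_may_gc(void) { heap_gc(); }

static int points_into_live_heap(const char *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)H.base;
    return a >= lo && a < lo + H.cap;
}

/* Unsafe shape: raw pointer held across the call.  Reading *color_name
   here is the read ASan reports; we only test validity, no dereference. */
static int unsafe_shape_pointer_is_stale(void)
{
    const char *color_name = heap_data(heap_alloc_string("unspecified-fg"));
    lookup_that_may_gc();
    return !points_into_live_heap(color_name);  /* 1: dangling */
}

/* Safe shape: keep the handle and re-derive the pointer after the call. */
static int safe_shape_reads_current_copy(void)
{
    size_t off = heap_alloc_string("unspecified-bg");
    lookup_that_may_gc();
    return strcmp(heap_data(off), "unspecified-bg") == 0;  /* 1: intact */
}
```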



This bug report was last modified 164 days ago.


