bug#56369: 29.0.50; abort-redisplay: Crash after 'recenter'

bug#56369: 29.0.50; abort-redisplay: Crash after 'recenter'

[Florian Rommel]

[-- Attachment #1: Type: text/plain, Size: 535 bytes --]

Tags: patch

I get a crash caused by a failed free() [see attached backtrace] when
running vterm [1] which calls 'recenter' from a loaded module.
With gdb, in 'safe_free' I see that the address of the to-be-freed
arguments array (allocated in 'module_funcall') is off by one word.

I don't know the details of the specpdl stack but I assume that there
is a missing 'ubind_to' in 'recenter' before an early return.  When I
add it (see the attached patch) the problem is gone.

[1] https://github.com/akermu/emacs-libvterm


[-- Attachment #2: backtrace.txt --]
[-- Type: text/plain, Size: 4896 bytes --]

free(): invalid pointer

Thread 1 "emacs" received signal SIGABRT, Aborted.
0x00007ffff591936c in ?? () from /usr/lib/libc.so.6
>>> bt
#0  0x00007ffff591936c in  () at /usr/lib/libc.so.6
#1  0x00007ffff58c9838 in raise () at /usr/lib/libc.so.6
#2  0x00007ffff58b3535 in abort () at /usr/lib/libc.so.6
#3  0x00007ffff590d45e in  () at /usr/lib/libc.so.6
#4  0x00007ffff59230cc in  () at /usr/lib/libc.so.6
#5  0x00007ffff5924f6c in  () at /usr/lib/libc.so.6
#6  0x00007ffff59278f3 in free () at /usr/lib/libc.so.6
#7  0x00005555556ee6f5 in xfree (block=<optimized out>) at alloc.c:810
#8  0x000055555575179c in safe_free (sa_count=...) at /home/flo/git/emacs/src/lisp.h:5339
#9  module_funcall (env=0x7fffffff97d0, func=0x555558381bf0, nargs=1, args=0x7fffffff9670) at emacs-module.c:673
#10 0x00007fffeae56f9b in recenter (env=0x7fffffff97d0, pos=0x7fffffff9a98) at /home/flo/.emacs.d/elpa/vterm-20220613.1614/elisp.c:147
#11 0x00007fffeae51c78 in adjust_topline (term=0x5555585d2df0, env=0x7fffffff97d0) at /home/flo/.emacs.d/elpa/vterm-20220613.1614/vterm-module.c:503
#12 0x00007fffeae51ffe in term_redraw (term=0x5555585d2df0, env=0x7fffffff97d0) at /home/flo/.emacs.d/elpa/vterm-20220613.1614/vterm-module.c:584
#13 0x00007fffeae54e05 in Fvterm_redraw (env=0x7fffffff97d0, nargs=1, args=0x7fffffff97a0, data=0x0) at /home/flo/.emacs.d/elpa/vterm-20220613.1614/vterm-module.c:1310
#14 0x000055555575353a in funcall_module (function=0x55555851696d, nargs=1, arglist=0x7ffff123a148) at emacs-module.c:1184
#15 0x0000555555762c0e in exec_byte_code (fun=<optimized out>, args_template=<optimized out>, nargs=<optimized out>, args=<optimized out>) at bytecode.c:811
#16 0x0000555555717696 in Ffuncall (nargs=nargs@entry=1, args=args@entry=0x7fffffffaa50) at eval.c:2958
#17 0x0000555555751772 in module_funcall (env=0x7fffffffabb0, func=0x55555836b798, nargs=0, args=0x0) at emacs-module.c:672
#18 0x00007fffeae574d2 in vterm_invalidate (env=0x7fffffffabb0) at /home/flo/.emacs.d/elpa/vterm-20220613.1614/elisp.c:199
#19 0x00007fffeae54d7c in Fvterm_update (env=0x7fffffffabb0, nargs=1, args=0x7fffffffab80, data=0x0) at /home/flo/.emacs.d/elpa/vterm-20220613.1614/vterm-module.c:1301
#20 0x000055555575353a in funcall_module (function=0x55555850f1e5, nargs=1, arglist=0x7ffff123a088) at emacs-module.c:1184
#21 0x0000555555762c0e in exec_byte_code (fun=<optimized out>, args_template=<optimized out>, nargs=<optimized out>, args=<optimized out>) at bytecode.c:811
#22 0x0000555555717696 in Ffuncall (nargs=3, args=0x7fffffffbe30) at eval.c:2958
#23 0x0000555555719010 in Fapply (nargs=nargs@entry=2, args=args@entry=0x7fffffffbed0) at eval.c:2629
#24 0x0000555555719381 in apply1 (fn=<optimized out>, arg=<optimized out>) at eval.c:2845
#25 0x0000555555715fd4 in internal_condition_case_1 (bfun=bfun@entry=0x5555557656c0 <read_process_output_call>, arg=0x5555561bfb13, handlers=handlers@entry=0x90, hfun=hfun@entry=0x555555765600 <read_process_output_error_handler>) at eval.c:1509
#26 0x00005555557682a7 in read_and_dispose_of_process_output (coding=<optimized out>, nbytes=150, chars=0x7fffffffbf30 "\033[1m\033[7m%\033[27m\033[1m\033[0m", ' ' <repeats 125 times>, "\r \r", p=<optimized out>) at process.c:6237
#27 read_process_output (proc=proc@entry=0x555555fdd34d, channel=channel@entry=14) at process.c:6147
#28 0x000055555576f9c1 in wait_reading_process_output (time_limit=time_limit@entry=30, nsecs=nsecs@entry=0, read_kbd=read_kbd@entry=-1, do_display=do_display@entry=true, wait_for_cell=wait_for_cell@entry=0x0, wait_proc=wait_proc@entry=0x0, just_wait_proc=0) at process.c:5831
#29 0x00005555555ac5b0 in sit_for (timeout=timeout@entry=0x7a, reading=reading@entry=true, display_option=display_option@entry=1) at dispnew.c:6238
#30 0x0000555555698e07 in read_char (commandflag=1, map=0x55555615e683, prev_event=0x0, used_mouse_menu=0x7fffffffda1b, end_time=0x0) at /home/flo/git/emacs/src/lisp.h:760
#31 0x0000555555699ca3 in read_key_sequence (keybuf=<optimized out>, prompt=0x0, dont_downcase_last=<optimized out>, can_return_switch_frame=true, fix_current_buffer=true, prevent_redisplay=false) at keyboard.c:9947
#32 0x000055555569bb7d in command_loop_1 () at keyboard.c:1391
#33 0x0000555555715f47 in internal_condition_case (bfun=bfun@entry=0x55555569b990 <command_loop_1>, handlers=handlers@entry=0x90, hfun=hfun@entry=0x55555568eb40 <cmd_error>) at eval.c:1485
#34 0x00005555556876c6 in command_loop_2 (handlers=handlers@entry=0x90) at keyboard.c:1132
#35 0x0000555555715ea1 in internal_catch (tag=tag@entry=0xf630, func=func@entry=0x5555556876a0 <command_loop_2>, arg=arg@entry=0x90) at eval.c:1208
#36 0x0000555555687661 in command_loop () at keyboard.c:1110
#37 0x000055555568e6c2 in recursive_edit_1 () at keyboard.c:719
#38 0x000055555568ea50 in Frecursive_edit () at keyboard.c:802
#39 0x00005555555a1875 in main (argc=<optimized out>, argv=0x7fffffffe018) at emacs.c:2517

[-- Attachment #3: 0001-abort-redisplay-Add-missing-unbind_to-in-recenter.patch --]
[-- Type: text/x-patch, Size: 675 bytes --]

From b09b6f96accf2212482eab6795ba6f74583a39e3 Mon Sep 17 00:00:00 2001
From: Florian Rommel <mail@florommel.de>
Date: Sun, 3 Jul 2022 17:04:32 +0200
Subject: [PATCH] abort-redisplay: Add missing unbind_to in 'recenter'

* src/window.c (recenter): Add ubind_to before early return.
---
 src/window.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/window.c b/src/window.c
index ad03a02758..af463b90ce 100644
--- a/src/window.c
+++ b/src/window.c
@@ -6667,6 +6667,7 @@ DEFUN ("recenter", Frecenter, Srecenter, 0, 2, "P\np",
 	  if (h <= 0)
 	    {
 	      bidi_unshelve_cache (itdata, false);
+	      unbind_to (count, Qnil);
 	      return Qnil;
 	    }
 
-- 
2.37.0

bug#56369: 29.0.50; abort-redisplay: Crash after 'recenter'

[Eli Zaretskii]

> From: Florian Rommel <mail@florommel.de>
> Date: Sun, 03 Jul 2022 17:55:50 +0200
> 
> I get a crash caused by a failed free() [see attached backtrace] when
> running vterm [1] which calls 'recenter' from a loaded module.
> With gdb, in 'safe_free' I see that the address of the to-be-freed
> arguments array (allocated in 'module_funcall') is off by one word.
> 
> I don't know the details of the specpdl stack but I assume that there
> is a missing 'ubind_to' in 'recenter' before an early return.  When I
> add it (see the attached patch) the problem is gone.

Thanks, installed.

bug#56369: 29.0.50; abort-redisplay: Crash after 'recenter'

[Eli Zaretskii]

Closing.