From: Eli Zaretskii <eliz@gnu.org>
To: Po Lu <luangruo@yahoo.com>
Cc: gerd.moellmann@gmail.com, 58334@debbugs.gnu.org
Subject: bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs
Date: Fri, 07 Oct 2022 10:03:50 +0300 [thread overview]
Message-ID: <83v8ownmi1.fsf@gnu.org> (raw)
In-Reply-To: <87mta8qx48.fsf@yahoo.com> (bug-gnu-emacs@gnu.org)
> Cc: 58334@debbugs.gnu.org
> Date: Fri, 07 Oct 2022 08:46:15 +0800
> From: Po Lu via "Bug reports for GNU Emacs,
> the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
>
> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>
> > #0 0x1033f2ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
> > #1 0x1005af4f4 in lmalloc alloc.c:1361
> > #2 0x1005af40c in xmalloc alloc.c:751
> > #3 0x1003f92b4 in make_realized_face xfaces.c:4471
> > #4 0x1003f5c00 in realize_gui_face xfaces.c:6023
> > #5 0x1003e4000 in realize_face xfaces.c:5954
>
> [...]
>
> > #14 0x1005592d8 in Fvertical_motion indent.c:2241
>
> I'm pretty sure the right fix is to block input around realize_face and
> Fvertical_motion, since that code is clearly not reentrant.
Why isn't Fvertical_motion reentrant?
Anyway, the problem is not that realize_face was interrupted, the
problem is that the face realized above was later freed as a side
effect of calling redisplay. And the display code (which is invoked
by Fvertical_motion) almost everywhere assumes that FACE_FROM_ID will
never yield a freed face, it just returns
FRAME_FACE_CACHE (f)->faces_by_id[id]
without checking whether ID is beyond the limit of the frame's current
face cache. The assertion there is not compiled in a production
build. (Gerd, was your build with --enable-checking?)
So if the frame's face cache can be freed like that as a side effect
of maybe_quit, we'll have to introduce cache checking into
FACE_FROM_ID, and if the ID is not in the cache do whatever it takes
to correct the situation.
IOW, I don't see how block_input anywhere can solve this particular
problem.
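The cache check described above, written out as an added example: this is not Emacs code, the face cache struct, its fields and the function names are constructed stand-ins, and the lookup is modelled after the unchecked FRAME_FACE_CACHE (f)->faces_by_id[id] access the message quotes.

```c
#include <stdlib.h>

/* Constructed model of a per-frame face cache (not Emacs's own struct):
   faces_by_id is indexed by face ID and `used' counts the valid IDs.  */
struct face { int id; };
struct face_cache { struct face **faces_by_id; int used, size; };

static struct face_cache *cache_new (int size)
{
  struct face_cache *c = calloc (1, sizeof *c);
  c->faces_by_id = calloc (size, sizeof *c->faces_by_id);
  c->size = size;
  return c;
}

/* "Realize" a face: allocate it and hand back its ID (-1 if full).  */
static int cache_realize (struct face_cache *c)
{
  if (c->used >= c->size)
    return -1;
  struct face *f = malloc (sizeof *f);
  f->id = c->used;
  c->faces_by_id[c->used] = f;
  return c->used++;
}

/* The side effect the message describes: redisplay frees the frame's
   faces, so every ID handed out before this call is now stale.  */
static void cache_free_faces (struct face_cache *c)
{
  for (int i = 0; i < c->used; i++)
    free (c->faces_by_id[i]);   /* slots keep dangling pointers */
  c->used = 0;
}

/* Checked lookup, the check proposed for FACE_FROM_ID: an ID outside
   the cache's current range yields NULL instead of whatever
   faces_by_id[id] happens to hold after the faces were freed.  */
static struct face *face_from_id_checked (struct face_cache *c, int id)
{
  if (c == NULL || id < 0 || id >= c->used)
    return NULL;
  return c->faces_by_id[id];
}

/* Recovery: if *id is stale, realize a fresh face and update *id.  */
static struct face *face_from_id_or_realize (struct face_cache *c, int *id)
{
  if (face_from_id_checked (c, *id) == NULL)
    *id = cache_realize (c);
  return face_from_id_checked (c, *id);
}
```

Under ASAN the unchecked form would report the same heap-use-after-free as the original report once the cache has been freed; the checked form returns NULL and the caller re-realizes instead.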