* bug#71693: 30.0.50, SIGSEGV in FRAME_TTY (sf) in redisplay_internal
@ 2024-06-21 10:46 Daniel Clemente
  2024-06-21 14:18 ` Eli Zaretskii
  0 siblings, 1 reply; 3+ messages in thread
From: Daniel Clemente @ 2024-06-21 10:46 UTC (permalink / raw)
  To: 71693

I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
I opened the daemon inside gdb with emacs --fg-daemon -Q

I saw this crash just by opening a few frames like
xterm -e "emacsclient" "-c" "-e" '(dired "~")'
And closing them.
But I don't have an exact reproduction formula.

It seems that sf contains bad data, i.e. it doesn't represent frame data.

The 2 times I randomly saw this crash, I tried to dump the core with
gdb, and it started creating a huge file of many Gb until I stopped
it.


[Detaching after fork from child process 5364]
xdisp.c:16932:10: runtime error: member access within null pointer of
type 'struct terminal'

Program received signal SIGSEGV, Segmentation fault.
0x0000555556610d93 in redisplay_internal () at xdisp.c:16932
16932          && FRAME_TTY (sf)->previous_frame != sf)
(gdb) bt
#0  0x0000555556610d93 in redisplay_internal () at xdisp.c:16932
#1  0x000055555660d9e1 in redisplay () at xdisp.c:16562
#2  0x00005555569aab1e in read_char (commandflag=1,
    map=XIL(0x7ffff1882cb3), prev_event=XIL(0),
    used_mouse_menu=0x7fffffffd4b0, end_time=0x0)
    at keyboard.c:2678
#3  0x00005555569e9ca2 in read_key_sequence (
    keybuf=0x7fffffffd7a0, prompt=XIL(0),
    dont_downcase_last=false, can_return_switch_frame=true,
    fix_current_buffer=true, prevent_redisplay=false,
    disable_text_conversion_p=false) at keyboard.c:10728
#4  0x000055555699b122 in command_loop_1 () at keyboard.c:1429
#5  0x0000555556cbb678 in internal_condition_case (
    bfun=0x55555699a22d <command_loop_1>, handlers=XIL(0x90),
    hfun=0x555556998204 <cmd_error>) at eval.c:1613
#6  0x0000555556999797 in command_loop_2 (handlers=XIL(0x90))
    at keyboard.c:1168
#7  0x0000555556cb84d8 in internal_catch (tag=XIL(0xfb40),
    func=0x555556999767 <command_loop_2>, arg=XIL(0x90))
    at eval.c:1292
#8  0x000055555699969a in command_loop () at keyboard.c:1146
#9  0x0000555556996e7a in recursive_edit_1 () at keyboard.c:754
#10 0x0000555556997531 in Frecursive_edit () at keyboard.c:837
#11 0x0000555556989057 in main (argc=5, argv=0x7fffffffdea8)
    at emacs.c:2629

Lisp Backtrace:
"redisplay_internal (C function)" (0x0)
(gdb) list
16927         can't reuse current matrices in this case.  */
16928      if (face_change)
16929        windows_or_buffers_changed = 47;
16930
16931      if ((FRAME_TERMCAP_P (sf) || FRAME_MSDOS_P (sf))
16932          && FRAME_TTY (sf)->previous_frame != sf)
16933        {
16934          /* Since frames on a single ASCII terminal share the same
16935         display area, displaying a different frame means redisplay
16936         the whole thing.  */
(gdb) p sf
$1 = (struct frame *) 0x6210000ef9b0
(gdb) p FRAME_TTY(sf)
Cannot access memory at address 0x50
(gdb) p *sf
$2 = {
  header = {
    size = 4611686018595348501
  },
  name = XIL(0x6190000ecba4),
  icon_name = XIL(0),
  title = XIL(0),
  last_mouse_device = XIL(0),
  focus_frame = XIL(0),
  root_window = XIL(0),
  selected_window = XIL(0x62100033936d),
  old_selected_window = XIL(0x62100033936d),
  minibuffer_window = XIL(0x621000122e1d),
  param_alist = XIL(0x7fffeaa65a13),
  scroll_bars = XIL(0),
  condemned_scroll_bars = XIL(0),
  menu_bar_items = XIL(0x621000344895),
  face_hash_table = XIL(0x6210002470ad),
  menu_bar_vector = XIL(0),
  buffer_predicate = XIL(0),
  buffer_list = XIL(0),
  buried_buffer_list = XIL(0),
  tool_bar_position = XIL(0xfab0),
  tab_bar_items = XIL(0),
  tool_bar_items = XIL(0),
  face_cache = 0x0,
  last_tab_bar_item = 0,
  menu_bar_items_used = 0,
  current_pool = 0x0,
  desired_pool = 0x0,
  desired_matrix = 0x0,
  current_matrix = 0x0,
  glyphs_initialized_p = false,
  resized_p = false,
  default_face_done_p = false,
  already_hscrolled_p = true,
  updated_p = true,
  fonts_changed = false,
  cursor_type_changed = false,
  redisplay = false,
  visible = 0,
  iconified = false,
  garbaged = false,
  wants_modeline = true,
  auto_raise = false,
  auto_lower = false,
  no_split = false,
  explicit_name = false,
  window_change = false,
  window_state_change = false,
  mouse_moved = false,
  pointer_invisible = false,
  frozen_window_starts = false,
  output_method = output_termcap,
  can_set_window_size = true,
  after_make_frame = true,
  tab_bar_redisplayed = false,
  tab_bar_resized = false,
  tool_bar_redisplayed = false,
  tool_bar_resized = false,
  inhibit_horizontal_resize = false,
  inhibit_vertical_resize = false,
  face_change = false,
  inhibit_clear_image_cache = false,
  new_size_p = false,
  was_invisible = false,
  select_mini_window_flag = false,
  change_stamp = 18,
  number_of_windows = 3,
  tab_bar_lines = 0,
  tab_bar_height = 0,
  n_tab_bar_rows = 0,
  n_tab_bar_items = 0,
  tool_bar_lines = 0,
  tool_bar_height = 0,
  n_tool_bar_rows = 0,
  n_tool_bar_items = 0,
  decode_mode_spec_buffer = 0x615000034600 "\0328",
  insert_line_cost = 0x6120002593c0,
  delete_line_cost = 0x612000259840,
  insert_n_lines_cost = 0x6120002596c0,
  delete_n_lines_cost = 0x612000259540,
  text_cols = 118,
  text_lines = 64,
  text_width = 118,
  text_height = 64,
  total_cols = 118,
  total_lines = 65,
  pixel_width = 118,
  pixel_height = 65,
  new_width = -1,
  new_height = -1,
  left_pos = 0,
  top_pos = 0,
  win_gravity = 0,
  size_hint_flags = 0,
  border_width = 0,
  child_frame_border_width = 0,
  internal_border_width = 0,
  right_divider_width = 0,
  bottom_divider_width = 0,
  left_fringe_width = 0,
  right_fringe_width = 0,
  fringe_cols = 0,
  menu_bar_lines = 1,
  menu_bar_height = 1,
  column_width = 1,
  line_height = 1,
  terminal = 0x0,
  output_data = {
    tty = 0x602000062770,
    x = 0x602000062770,
    w32 = 0x602000062770,
    ns = 0x602000062770,
    pgtk = 0x602000062770,
    haiku = 0x602000062770,
    android = 0x602000062770
  },
  font_driver_list = 0x0,
  desired_cursor = FILLED_BOX_CURSOR,
  cursor_width = 0,
  blink_off_cursor = FILLED_BOX_CURSOR,
  blink_off_cursor_width = 0,
  config_scroll_bar_width = 0,
  config_scroll_bar_cols = 0,
  config_scroll_bar_height = 0,
  config_scroll_bar_lines = 0,
  cost_calculation_baud_rate = 38400,
  alpha = {0, 0},
  alpha_background = 0,
  gamma = 0,
  extra_line_spacing = 0,
  background_pixel = 18446744073709551613,
  foreground_pixel = 18446744073709551614
}
(gdb)

(gdb) pp sf
#<SOME_LISP_OBJECT 0x6210000ef9b0>
(gdb)
(gdb) p sf->output_data
$3 = {
  tty = 0x602000062770,
  x = 0x602000062770,
  w32 = 0x602000062770,
  ns = 0x602000062770,
  pgtk = 0x602000062770,
  haiku = 0x602000062770,
  android = 0x602000062770
}
(gdb) p sf->output_data->tty
$4 = (struct tty_output *) 0x602000062770
(gdb) xpr
Lisp_Symbol
$5 = (struct Lisp_Symbol *) 0xb57558f9a470
Cannot access memory at address 0xb57558f9a478
(gdb)
In GNU Emacs 30.0.50 (build 14, x86_64-pc-linux-gnu) of 2024-06-14 built
 on sonn
Repository revision: 5ecff95993d5edbffb27e14c2815d2b23003bcb4
Repository branch: master
System Description: Devuan GNU/Linux 5 (daedalus)

Configured using:
 'configure --prefix=/opt/dc/emacs/ --without-dbus --with-tiff=no
 --without-tiff --without-libsystemd --without-dbus --with-mailutils
 --without-modules --with-native-compilation --with-x-toolkit=no
 --without-imagemagick --without-xft --without-harfbuzz
 --without-freetype --without-libotf --without-xwidgets --without-xpm
 --without-jpeg --without-gif --without-png --without-webp
 --without-rsvg --without-cairo --without-x --without-sound
 --enable-checking=yes,glyphs --enable-profiling 'CFLAGS=-g3 -O0
 -static-libasan
 -fsanitize=undefined,address,bounds-strict,float-cast-overflow ''

Configured features:
GMP GNUTLS LCMS2 LIBSELINUX LIBXML2 NATIVE_COMP NOTIFY INOTIFY PDUMPER
SECCOMP SQLITE3 THREADS XIM ZLIB

Important settings:
  value of $LANG: en_US.UTF-8
  value of $XMODIFIERS: @im=SCIM
  locale-coding-system: utf-8-unix

Major mode: Dired by name

Minor modes in effect:
  server-mode: t
  tooltip-mode: t
  global-eldoc-mode: t
  show-paren-mode: t
  electric-indent-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  minibuffer-regexp-mode: t
  buffer-read-only: t
  line-number-mode: t
  indent-tabs-mode: t
  transient-mark-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t

Load-path shadows:
None found.

Features:
(shadow sort hashcash mail-extr compile comint ansi-osc ansi-color ring
tool-bar comp-run comp-common rx emacsbug message mailcap yank-media
puny rfc822 mml mml-sec password-cache epa derived epg rfc6068
epg-config gnus-util text-property-search time-date subr-x mm-decode
mm-bodies mm-encode mail-parse rfc2231 mailabbrev gmm-utils mailheader
sendmail rfc2047 rfc2045 ietf-drums mm-util mail-prsvr mail-utils pp
dired-aux cl-loaddefs cl-lib regexp-opt dired dnd dired-loaddefs
term/rxvt term/xterm xterm byte-opt gv bytecomp byte-compile server rmc
iso-transl tooltip cconv eldoc paren electric uniquify ediff-hook
vc-hooks lisp-float-type elisp-mode tabulated-list replace newcomment
text-mode lisp-mode prog-mode register page tab-bar menu-bar rfn-eshadow
isearch easymenu timer select mouse jit-lock font-lock syntax font-core
term/tty-colors frame minibuffer nadvice seq simple cl-generic
indonesian philippine cham georgian utf-8-lang misc-lang vietnamese
tibetan thai tai-viet lao korean japanese eucjp-ms cp51932 hebrew greek
romanian slovak czech european ethiopic indian cyrillic chinese
composite emoji-zwj charscript charprop case-table epa-hook
jka-cmpr-hook help abbrev obarray oclosure cl-preloaded button loaddefs
theme-loaddefs faces cus-face macroexp files window text-properties
overlay sha1 md5 base64 format env code-pages mule custom widget keymap
hashtable-print-readable backquote threads inotify lcms2 multi-tty
make-network-process native-compile emacs)

Memory information:
((conses 16 79584 11221) (symbols 48 7260 1) (strings 32 19579 4136)
 (string-bytes 1 555627) (vectors 16 9521)
 (vector-slots 8 101397 9175) (floats 8 33 8255)
 (intervals 56 2255 14) (buffers 984 14))
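An added C model of the access behind this crash (not Emacs code; the struct layout is a constructed stand-in, padded so that display_info.tty sits at offset 0x50 like the address gdb could not read). It shows why a NULL `terminal` turns FRAME_TTY (sf) into a read at a small absolute address, and the liveness test a guarded accessor needs before taking that path.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for Emacs's frame and terminal structs; the real
   layout differs.  The pad puts display_info.tty at offset 0x50, the address
   gdb reported for FRAME_TTY(sf) once sf->terminal was NULL. */
struct frame;
struct tty_output { struct frame *previous_frame; };
struct terminal {
  unsigned char pad[0x50];
  union { struct tty_output *tty; } display_info;
};
enum output_method { output_initial, output_termcap, output_x_window };
struct frame {
  enum output_method output_method;
  struct terminal *terminal;                 /* cleared when a frame is deleted */
  union { struct tty_output *tty; } output_data;
};

/* Unchecked access, the shape of Emacs's FRAME_TTY macro: with terminal == NULL
   it reads address 0 + offsetof(display_info.tty), i.e. 0x50 in this model. */
#define FRAME_TTY(f) ((f)->terminal->display_info.tty)

/* Emacs's FRAME_LIVE_P is this same test: a dead frame has no terminal, which
   is the state the struct dump shows (terminal = 0x0, output_data still set). */
static inline bool frame_live_p (const struct frame *f) { return f->terminal != NULL; }

/* The absolute address a NULL-terminal read of display_info.tty faults on. */
size_t null_terminal_fault_address (void)
{
  return offsetof (struct terminal, display_info.tty);
}

/* Guarded accessor: NULL instead of a member access through a null pointer. */
struct tty_output *frame_tty_checked (const struct frame *f)
{
  return frame_live_p (f) ? FRAME_TTY (f) : NULL;
}

/* The xdisp.c:16932 condition with a liveness check in front of it.
   1: frames share the terminal, redraw everything; 0: no; -1: dead frame. */
int tty_needs_full_redisplay (const struct frame *sf)
{
  if (!frame_live_p (sf)) return -1;
  if (sf->output_method != output_termcap) return 0;
  return FRAME_TTY (sf)->previous_frame != sf;
}
```

A non-instrumented build performs the same NULL-based read; UBSan only reports it (the "member access within null pointer" line) before the SIGSEGV.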

* bug#71693: 30.0.50, SIGSEGV in FRAME_TTY (sf) in redisplay_internal
  2024-06-21 10:46 bug#71693: 30.0.50, SIGSEGV in FRAME_TTY (sf) in redisplay_internal Daniel Clemente
@ 2024-06-21 14:18 ` Eli Zaretskii
  2024-06-26 13:28   ` Daniel Clemente
  0 siblings, 1 reply; 3+ messages in thread
From: Eli Zaretskii @ 2024-06-21 14:18 UTC (permalink / raw)
  To: Daniel Clemente; +Cc: 71693

> From: Daniel Clemente <n142857@gmail.com>
> Date: Fri, 21 Jun 2024 10:46:58 +0000
> 
> I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> I opened the daemon inside gdb with emacs --fg-daemon -Q

Did you follow the advice and notes in etc/DEBUG regarding running
Emacs compiled with this option?

> [Detaching after fork from child process 5364]
> xdisp.c:16932:10: runtime error: member access within null pointer of
> type 'struct terminal'
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000555556610d93 in redisplay_internal () at xdisp.c:16932
> 16932          && FRAME_TTY (sf)->previous_frame != sf)

If the claim is that sf->terminal is a NULL pointer, then how come we
don't segfault when running a build without -fsanitize?

* bug#71693: 30.0.50, SIGSEGV in FRAME_TTY (sf) in redisplay_internal
  2024-06-21 14:18 ` Eli Zaretskii
@ 2024-06-26 13:28   ` Daniel Clemente
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Clemente @ 2024-06-26 13:28 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 71693

> >
> > I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> > I opened the daemon inside gdb with emacs --fg-daemon -Q
>
> Did you follow the advice and notes in etc/DEBUG regarding running
> Emacs compiled with this option?

I missed some things. For instance I used this:

  -fsanitize=undefined,address,bounds-strict,float-cast-overflow ''

But I didn't notice this:

Address sanitization is incompatible with undefined-behavior
sanitization, unfortunately


If you want me to enable just one for next reports, please tell me
which one. For now I think I'll disable the whole -fsanitize, because
of the false positives.


>
> > [Detaching after fork from child process 5364]
> > xdisp.c:16932:10: runtime error: member access within null pointer of
> > type 'struct terminal'
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x0000555556610d93 in redisplay_internal () at xdisp.c:16932
> > 16932          && FRAME_TTY (sf)->previous_frame != sf)
>
> If the claim is that sf->terminal is a NULL pointer, then how come we
> don't segfault when running a build without -fsanitize?

Even with -fsanitize, it didn't crash each time, just this particular time.

I have seen similar crashes in redisplay code even without -fsanitize,
but none at this particular line and none doing something as simple as
opening and closing 3 frames.

I also thought that maybe I had enabled so many debug options (-O0,
-fsanitize, …) that my emacs became slower and therefore more prone to
errors that depend on timing, like things happening at specific points
of the frame opening and closing code.

But this report may be bogus and you may close it if it seems so.