From: "Gerd Möllmann" <gerd.moellmann@gmail.com>
To: Eli Zaretskii <eliz@gnu.org>
Cc: 56553@debbugs.gnu.org
Subject: bug#56553: 29.0.50; ASAN error with fringe bitmaps on NS
Date: Thu, 14 Jul 2022 16:18:55 +0200
Message-ID: <EC01EA4D-9768-42F8-952E-F68F44FB38D7@gmail.com>
In-Reply-To: <83cze7u7b7.fsf@gnu.org>

> On 2022-07-14, at 15:56, Eli Zaretskii <eliz@gnu.org> wrote:
>
>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Date: Thu, 14 Jul 2022 15:03:36 +0200
>>
>> This is a Spacemacs profile, with a lot of fringe bitmaps. The error
>> happens right after hitting 'q' on the startup screen, when the first
>> fringe bitmap is displayed.
>>
>> thread #1: tid = 0x3d47c, 0x0000000103dc4870 libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie(), queue = 'com.apple.main-thread', stop reason = Heap buffer overflow
>>
>> {
>> "access_size": 2,
>> "access_type": 0,
>> "address": 4402845816,
>> "description": "heap-buffer-overflow",
>> "instrumentation_class": "AddressSanitizer",
>> "pc": 4313240244,
>> "stop_type": "fatal_error"
>> }
>>
>> frame #5: 0x000000010116d2b4 emacs`ns_define_fringe_bitmap(which=27, bits=0x00000001066e1860, h=12, w=16) at nsterm.m:2906:20
>> 2903 /* XBM rows are always round numbers of bytes, with any unused
>> 2904 bits ignored. */
>> 2905 int byte = y * (w/8 + (w%8 ? 1 : 0)) + x/8;
>> -> 2906 bool bit = bits[byte] & (0x80 >> x%8);
>> 2907 if (bit)
>> 2908 [p appendBezierPathWithRect:NSMakeRect (x, y, 1, 1)];
>> 2909 }
>> (lldb) p byte
>> (int) $22 = 12
>>
>> frame #6: 0x0000000101079128 emacs`init_fringe_bitmap(which=27, fb=0x00000001066e1850, once_p=0) at fringe.c:1520:2
>> 1517 destroy_fringe_bitmap (which);
>> 1518
>> 1519 if (rif && rif->define_fringe_bitmap)
>> -> 1520 rif->define_fringe_bitmap (which, fb->bits, fb->height, fb->width);
>> 1521
>> 1522 fringe_bitmaps[which] = fb;
>> 1523 if (which >= max_used_fringe_bitmap)
>> (lldb) p *fb
>> (fringe_bitmap) $21 = {
>> bits = 0x00000001066e1860
>> height = 12
>> width = 16
>> period = 0
>> align = 0
>> dynamic = true
>> }
>
> I don't understand this. What is the dimension of the bits[] array?
> It is supposed to be 12 * 2, so how come the index 12 causes access
> violation?
I don't understand this either, but it's not an access violation, it's an out-of-bounds access of an allocated memory object, AFAIU.
How do you come to the 12 * 2? Is that in bytes? I'm asking because, confusingly for me, the bits in frame #5 is unsigned short *. (height * width) / sizeof(char) would be 12*2...
>
> Who is the caller of init_fringe_bitmap in this case?
frame #7: 0x0000000101078558 emacs`Fdefine_fringe_bitmap(bitmap=-> (struct Lisp_Symbol *) $33 = 0x00000001232c81a0, bits=-> (struct Lisp_Vector *) $37 = 0x000000014efefc70, height=-> (struct Lisp_Symbol *) $40 = 0x0000000101b04020, width=-> (EMACS_INT) $42 = 16, align=-> (struct Lisp_Symbol *) $45 = 0x0000000101b04020) at fringe.c:1660:3
1657
1658 *xfb = fb;
1659
-> 1660 init_fringe_bitmap (n, xfb, 0);
1661
1662 return bitmap;
1663 }
(lldb) frame variable
(Lisp_Object) bitmap = -> (struct Lisp_Symbol *) $18 = 0x00000001232c81a0 {
i = 0x00000000217c4180
}
(Lisp_Object) bits = -> (struct Lisp_Vector *) $22 = 0x000000014efefc70 {
i = 0x000000014efefc75
}
(Lisp_Object) height = -> (struct Lisp_Symbol *) $25 = 0x0000000101b04020 {
i = NULL
}
(Lisp_Object) width = -> (EMACS_INT) $27 = 16 {
i = 0x0000000000000042
}
(Lisp_Object) align = -> (struct Lisp_Symbol *) $30 = 0x0000000101b04020 {
i = NULL
}
(int) n = 27
(int) h = 12
(int) i = 0
(int) j = 12
(unsigned short *) b = 0x00000001066e6320
(fringe_bitmap) fb = {
bits = 0x00000001066e6320
height = 12
width = 16
period = 0
align = 0
dynamic = true
}
(fringe_bitmap *) xfb = 0x00000001066e6310
(int) fill1 = 0
(int) fill2 = 0
(lldb) p $18->u.s.name
(Lisp_Object) $58 = -> (struct Lisp_String *) $60 = 0x000000012279d880 {
i = 0x000000012279d884
}
(lldb) p $60->u.s
(Lisp_String::(unnamed struct)) $61 = {
size = 42
size_byte = 42
intervals = NULL
data = 0x0000000150832190 "flycheck-fringe-bitmap-double-arrow-hi-res"
}
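The index arithmetic in frame #5 and the sizes in the frame #7 variables can be checked in isolation. What follows is an added example, not code from this thread or from Emacs: it re-creates the XBM row-stride and byte-index computation from the quoted nsterm.m lines 2903-2906 and then checks what that byte index touches when the array it is applied to has element type `unsigned short`, which is how `b` and `fb.bits` are typed in the frame #7 variables. The allocation size of `height * sizeof(unsigned short)` bytes (12 rows, 24 bytes) is an assumption made here, consistent with the quoted types and dimensions but not read from the page; the 16x2 sample bitmap in `main` is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Emacs code.  Re-creates the XBM index arithmetic from
   the quoted nsterm.m lines and checks it against an array of unsigned short. */

/* Bytes per XBM row: rows are padded to whole bytes (as in nsterm.m:2905). */
static int xbm_row_bytes(int w)
{
    return w / 8 + (w % 8 ? 1 : 0);
}

/* Byte index of pixel (x, y) in byte-oriented XBM storage (nsterm.m:2905). */
static int xbm_byte_index(int w, int x, int y)
{
    return y * xbm_row_bytes(w) + x / 8;
}

/* Highest byte index the pixel loop reaches for an h x w bitmap. */
static int xbm_max_byte_index(int w, int h)
{
    return xbm_byte_index(w, w - 1, h - 1);
}

/* Assumed allocation: one unsigned short per row, as the frame #7 variables
   (unsigned short *b, height = 12) suggest; 12 rows -> 24 bytes. */
static size_t bits_alloc_bytes(int h)
{
    return (size_t) h * sizeof(unsigned short);
}

/* Byte offset that bits[idx] touches when bits is unsigned short *:
   C scales the index by the element size, so idx 12 -> offset 24. */
static size_t short_index_byte_offset(int idx)
{
    return (size_t) idx * sizeof(unsigned short);
}

/* Smallest byte index whose 2-byte read falls outside the assumed allocation
   when the array is indexed as unsigned short, or -1 if all indices fit. */
static int first_oob_short_index(int w, int h)
{
    int last = xbm_max_byte_index(w, h);
    for (int idx = 0; idx <= last; idx++)
        if (short_index_byte_offset(idx) + sizeof(unsigned short) > bits_alloc_bytes(h))
            return idx;
    return -1;
}

/* Pixel lookup with index and storage in the same unit (bytes); this is the
   layout the stride formula above is written for. */
static bool xbm_pixel(const unsigned char *bytes, int w, int x, int y)
{
    return (bytes[xbm_byte_index(w, x, y)] & (0x80 >> (x % 8))) != 0;
}

int main(void)
{
    /* The dimensions from the report: h = 12, w = 16. */
    int w = 16, h = 12;
    printf("row bytes %d, max byte index %d, assumed alloc %zu bytes\n",
           xbm_row_bytes(w), xbm_max_byte_index(w, h), bits_alloc_bytes(h));
    printf("first byte index out of bounds when indexed as unsigned short: %d\n",
           first_oob_short_index(w, h));

    /* Constructed 16x2 byte-oriented bitmap: pixels (0,0) and (15,0) set,
       and the right-hand byte of row 1 fully set. */
    const unsigned char sample[] = { 0x80, 0x01, 0x00, 0xFF };
    printf("pixel (0,0)=%d (1,0)=%d (15,0)=%d (8,1)=%d\n",
           xbm_pixel(sample, 16, 0, 0), xbm_pixel(sample, 16, 1, 0),
           xbm_pixel(sample, 16, 15, 0), xbm_pixel(sample, 16, 8, 1));
    return 0;
}
```

With w = 16 and h = 12 the row stride is 2 bytes and the loop reaches byte index 23, while a 12-element `unsigned short` array indexed with byte index 12 reads byte offsets 24 and 25, which is the first index past a 24-byte allocation; that matches the `p byte` value of 12 and the `access_size` of 2 in the quoted ASan report, under the allocation assumption stated above.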