From: Gerd Möllmann
Newsgroups: gmane.emacs.bugs
Subject: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Sun, 25 Sep 2022 10:28:48 +0200
References: <835yhcom6g.fsf@gnu.org> <831qs0okx4.fsf@gnu.org> <83mtaom0a9.fsf@gnu.org> <83illbnafh.fsf@gnu.org>
To: Eli Zaretskii
Cc: 58042@debbugs.gnu.org
In-Reply-To: <83illbnafh.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 25 Sep 2022 11:08:18 +0300")
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"

Eli Zaretskii writes:

>> From: Gerd Möllmann
>> Cc: 58042@debbugs.gnu.org
>> Date: Sun, 25 Sep 2022 09:06:59 +0200
>>
>> Eli Zaretskii writes:
>>
>> > #14 0x1000f2340 in redisplay_internal xdisp.c:16523
>> > #15 0x100108f34 in redisplay xdisp.c:16105
>> >
>> > AFAIU, this says that the GC which freed the string data was caused by
>> > safe__call1 inside prepare_menu_bars, which was called from
>> > redisplay_internal.
>>
>> Ah, okay! Sorry, I didn't remember that redisplay on the stack. Please
>> see below.
>>
>> > Yes, but I have difficulty with the fact that GC was caused by
>> > redisplay, and redisplay cannot be invoked while we are in
>> > re_match_2_internal, AFAIK. So something else is missing here (or
>> > maybe I'm misinterpreting the ASAN report you posted).
>>
>> The second and third backtrace that ASAN displays (freed by, and
>> previously allocated) are not backtraces directly involved in the crash.
>> They display some history related to the pointer that causes the crash.
>
> So you are saying that the backtrace I quoted, which shows that GC
> that freed the string was triggered by redisplay, is NOT the GC which
> actually freed the particular string involved in the
> read-from-freed-heap?

That's my working assumption, yes.

> If so, where's the backtrace showing the GC
> that did free/relocate this particular string?

It's not there.

> IOW, I think I'm now confused wrt what exactly the ASAN data tells us.
> Can you perhaps help me understand that, quoting the relevant
> backtraces as you go?

That confuses me, too. Everything in the hypothesis seems to work, except
that I can't explain how the pointer S.data, to use that term again, can
end up pointing into memory that ASAN has page-protected.

- S must be live at the beginning of the match, otherwise S.data == NULL.
- The freeing of the struct sblock during redisplay happens in the same
  thread as the match where we crash. So it must have happened before the
  match.

So, the question seems to be what scenario would create a live string that
points into a freed sdata struct.

I'm out of ideas, and close to giving up. Any alternative theories are of
course more than welcome. I'm just seeking something that maybe can be
falsified.
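The mechanism the thread is circling (a raw pointer into string data that a compacting GC frees under the matcher's feet), as an added example that is not Emacs code and not part of the bug report: a constructed toy arena in the style of Emacs's sblocks, with a matcher that caches `s->data` across a call that may GC beside one that re-reads it afterwards. All names here (`lstring`, `sblock`, `make_string`, `gc`, the two match functions) are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed toy model, not Emacs code: string objects whose bytes live in
   an arena ("sblock") that a compacting GC replaces wholesale. */
struct lstring { char *data; size_t size; };
struct sblock  { char *next_free; char bytes[256]; };
static struct sblock *current_block;             /* holds all live string bytes */
static struct lstring *live[8]; static int nlive; /* toy root set, max 8 strings */
static struct sblock *new_block(void) {          /* fresh, empty arena block */
  struct sblock *b = calloc(1, sizeof *b); b->next_free = b->bytes; return b;
}
static char *arena_copy(struct sblock *b, const char *src, size_t n) {
  char *dst = memcpy(b->next_free, src, n + 1);  /* n bytes plus the NUL */
  b->next_free += n + 1; return dst;
}
/* Allocation site: ASAN's "previously allocated by" trace would end here. */
struct lstring *make_string(const char *s) {
  if (!current_block) current_block = new_block();
  struct lstring *str = calloc(1, sizeof *str);
  str->size = strlen(s);
  str->data = arena_copy(current_block, s, str->size);
  live[nlive++] = str;
  return str;
}
/* Compacting GC: copy every live string into a fresh block and free the old one
   (ASAN's "freed by" trace ends in this free()); earlier raw s->data pointers now dangle. */
void gc(void) {
  struct sblock *fresh = new_block();
  for (int i = 0; i < nlive; i++)
    live[i]->data = arena_copy(fresh, live[i]->data, live[i]->size);
  free(current_block);
  current_block = fresh;
}
/* Buggy pattern: cache the raw data pointer across a call that may GC (a hook
   running Lisp; here plain gc()).  Returns true when the cache went stale;
   dereferencing it would be the heap-use-after-free, so only addresses compare. */
bool match_with_cached_pointer(struct lstring *s, bool hook_triggers_gc) {
  const char *d = s->data;          /* raw pointer into current_block */
  if (hook_triggers_gc) gc();       /* may free the block d points into */
  return d != s->data;
}
/* Safe pattern: derive the data pointer only after the GC-capable call. */
size_t match_with_reread_pointer(struct lstring *s, bool hook_triggers_gc, const char *needle) {
  if (hook_triggers_gc) gc();
  const char *d = s->data;          /* nothing below can move it now */
  const char *hit = strstr(d, needle);
  return hit ? (size_t)(hit - d) : (size_t)-1;
}
```

Built with `-fsanitize=address`, turning the comparison in the buggy variant into a read of `*d` is what produces the three-trace report discussed above: the crash site, the `free()` in `gc` as "freed by", and `make_string` as "previously allocated by".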