From: Gerd Möllmann
Newsgroups: gmane.emacs.bugs
Subject: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Sun, 25 Sep 2022 09:06:59 +0200
References: <835yhcom6g.fsf@gnu.org> <831qs0okx4.fsf@gnu.org> <83mtaom0a9.fsf@gnu.org>
In-Reply-To: <83mtaom0a9.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 25 Sep 2022 09:32:46 +0300")
To: Eli Zaretskii
Cc: 58042@debbugs.gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (darwin)
Xref: news.gmane.io gmane.emacs.bugs:243572

Eli Zaretskii writes:

> #14 0x1000f2340 in redisplay_internal xdisp.c:16523
> #15 0x100108f34 in redisplay xdisp.c:16105
>
> AFAIU, this says that the GC which freed the string data was caused by
> safe__call1 inside prepare_menu_bars, which was called from
> redisplay_internal.

Ah, okay! Sorry, I didn't remember that redisplay on the stack. Please see below.
> Yes, but I have difficulty with the fact that GC was caused by
> redisplay, and redisplay cannot be invoked while we are in
> re_match_2_internal, AFAIK. So something else is missing here (or
> maybe I'm misinterpreting the ASAN report you posted).

The second and third backtraces that ASAN displays (freed by, and previously allocated) are not backtraces directly involved in the crash. They display some history related to the pointer that causes the crash. When something is allocated or freed, ASAN records callstacks that show from where that happens. Also, in the case of free, it somehow arranges that accessing that freed memory leads to a signal. I think it uses VM page protection for that.
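As an added illustration (not from this thread or the Emacs sources), a small Python parser that splits an ASAN heap-use-after-free report into the three stacks described above: the access that crashed, the "freed by" history and the "previously allocated" history. The sample report is constructed; its addresses, line numbers and frame names are placeholders except for the two redisplay frames quoted in the message.

```python
"""Split an AddressSanitizer use-after-free report into its three stacks."""
import re

# Constructed sample report (placeholder addresses/frames, not the real bug#58042 output).
SAMPLE_REPORT = """\
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000010
READ of size 1 at 0x602000000010 thread T0
    #0 0x100000a00 in re_match_2_internal regex-emacs.c:0
    #1 0x100000a10 in re_search_2 regex-emacs.c:0
0x602000000010 is located 0 bytes inside of 16-byte region
freed by thread T0 here:
    #0 0x100000b00 in free+0x0
    #1 0x100000b10 in gc_sweep_strings alloc.c:0
    #2 0x100000b20 in safe__call1 xdisp.c:0
    #3 0x100000b30 in prepare_menu_bars xdisp.c:0
    #4 0x1000f2340 in redisplay_internal xdisp.c:16523
    #5 0x100108f34 in redisplay xdisp.c:16105
previously allocated by thread T0 here:
    #0 0x100000c00 in malloc+0x0
    #1 0x100000c10 in alloc_string_data alloc.c:0
SUMMARY: AddressSanitizer: heap-use-after-free in re_match_2_internal
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)")


def split_asan_report(text):
    """Return {'access': [...], 'freed_by': [...], 'allocated_by': [...]} of function names.
    Only 'access' is the crashing call chain; the other two are recorded history."""
    sections = {"access": [], "freed_by": [], "allocated_by": []}
    current = None
    for line in text.splitlines():
        if line.startswith(("READ of size", "WRITE of size")):
            current = "access"
        elif line.startswith("freed by thread"):
            current = "freed_by"
        elif line.startswith("previously allocated by thread"):
            current = "allocated_by"
        elif current is not None:
            m = FRAME_RE.match(line)
            if m:
                sections[current].append(m.group(1).split("+")[0])
            else:
                current = None  # any non-frame line ends the current stack
    return sections


def summarize(sections):
    """Triage view: where the freed memory was touched, who freed it and from where, who allocated it."""
    def top(frames, skip=("free", "malloc")):
        return next((f for f in frames if f not in skip), "?")
    return {
        "crash_in": top(sections["access"]),
        "freed_in": top(sections["freed_by"]),
        "freed_from": sections["freed_by"][-1] if sections["freed_by"] else "?",
        "allocated_in": top(sections["allocated_by"]),
    }
```

Note that `freed_from` (the outermost frame of the "freed by" stack) is the historical caller chain at the time of the free, not a frame that was live when the read in `crash_in` faulted.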