unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
@ 2022-09-24 13:45 Gerd Möllmann
  2022-09-24 14:17 ` Gerd Möllmann
                   ` (2 more replies)
  0 siblings, 3 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-24 13:45 UTC (permalink / raw)
  To: 58042

In GNU Emacs 29.0.50 (build 1, aarch64-apple-darwin21.6.0, NS
 appkit-2113.60 Version 12.6 (Build 21G115)) of 2022-09-21 built on
 Mini.fritz.box
Repository revision: 1231a601ebe1fd9fe454c504dbeb9267440242e7
Repository branch: master
Windowing system distributor 'Apple', version 10.3.2113
System Description:  macOS 12.6

Configured using:
 'configure --cache-file /Users/gerd/tmp/config.cache.master
 --with-native-compilation'
 
Configured features:
ACL DBUS GLIB GNUTLS JSON LCMS2 LIBXML2 MODULES NATIVE_COMP NOTIFY
KQUEUE NS PDUMPER PNG RSVG SQLITE3 THREADS TOOLKIT_SCROLL_BARS XIM ZLIB

I got the following ASAN error today.  Unfortunately, I don't have the
slightest idea how to reproduce this.

==79227==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011f81e7d1 at pc 0x0001005825c4 bp 0x00016fdcf370 sp 0x00016fdcf368
READ of size 1 at 0x00011f81e7d1 thread T0
    #0 0x1005825c0 in re_match_2_internal regex-emacs.c:4352
    #1 0x10057e5cc in rpl_re_search_2 regex-emacs.c:3383
    #2 0x10057d1c4 in rpl_re_search regex-emacs.c:3177
    #3 0x10056115c in fast_string_match_internal search.c:492
    #4 0x1005045c0 in fast_string_match lisp.h:4818
    #5 0x100504018 in Ffind_file_name_handler fileio.c:324
    #6 0x1006dbe5c in openp lread.c:1911
    #7 0x1006d8844 in Fload lread.c:1302
    #8 0x1006e1af0 in save_match_data_load lread.c:1630
    #9 0x10064f8cc in load_with_autoload_queue eval.c:2269
    #10 0x10067d2f8 in Frequire fns.c:3274

previously allocated by thread T0 here:
    #0 0x103332ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
    #1 0x1005ae8fc in lmalloc alloc.c:1361
    #2 0x1005b0188 in lisp_malloc alloc.c:994
    #3 0x1005b0a5c in allocate_string_data alloc.c:1889
    #4 0x1005b1bd8 in make_clear_multibyte_string alloc.c:2475
    #5 0x1005b1670 in make_clear_string alloc.c:2443
    #6 0x1005b2714 in make_uninit_string alloc.c:2454
    #7 0x100666c14 in concat_to_string fns.c:821
    #8 0x100666420 in concat2 fns.c:600
    #9 0x1006d7870 in Fget_load_suffixes lread.c:1123
    #10 0x1006d86ac in Fload lread.c:1296
    #11 0x1006e1af0 in save_match_data_load lread.c:1630
    #12 0x10064f8cc in load_with_autoload_queue eval.c:2269

frame #5: 0x00000001005825c4 emacs`re_match_2_internal(bufp=0x000000010111b890, string1=0x0000000000000000, size1=0, string2="/Users/gerd/.config/emacs.d.default/elpa/company-0.9.13/lsp-protocol.el.gz", size2=74, pos=0, regs=0x0000000000000000, stop=74) at regex-emacs.c:4352:18
   4349	
   4350		    PREFETCH ();
   4351		    int len;
-> 4352		    int corig = RE_STRING_CHAR_AND_LENGTH (d, len, target_multibyte);
   4353		    int c = corig;
   4354		    if (target_multibyte)
   4355		      {

And to make things worse, I can't get an xbacktrace because the "new"
lldb, which I got with Xcode 14, says it has a bug.  Tadah :-/.

(lldb) xbacktrace
PLEASE submit a bug report to https://developer.apple.com/bug-reporting/ and include the crash backtrace.
Stack dump:






^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 13:45 bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal Gerd Möllmann
@ 2022-09-24 14:17 ` Gerd Möllmann
  2022-09-24 14:48   ` Gerd Möllmann
  2022-09-24 14:56   ` Eli Zaretskii
  2022-10-04 14:33 ` Gerd Möllmann
  2022-10-06  5:35 ` Gerd Möllmann
  2 siblings, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-24 14:17 UTC (permalink / raw)
  To: 58042

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> In GNU Emacs 29.0.50 (build 1, aarch64-apple-darwin21.6.0, NS
>  appkit-2113.60 Version 12.6 (Build 21G115)) of 2022-09-21 built on
>  Mini.fritz.box
> Repository revision: 1231a601ebe1fd9fe454c504dbeb9267440242e7
> Repository branch: master
> Windowing system distributor 'Apple', version 10.3.2113
> System Description:  macOS 12.6
>
> Configured using:
>  'configure --cache-file /Users/gerd/tmp/config.cache.master
>  --with-native-compilation'
>  
> Configured features:
> ACL DBUS GLIB GNUTLS JSON LCMS2 LIBXML2 MODULES NATIVE_COMP NOTIFY
> KQUEUE NS PDUMPER PNG RSVG SQLITE3 THREADS TOOLKIT_SCROLL_BARS XIM ZLIB
>
> I got the following ASAN error today.  Unfortunately, I don't have the
> slightest idea how to reproduce this.
>
> ==79227==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011f81e7d1 at pc 0x0001005825c4 bp 0x00016fdcf370 sp 0x00016fdcf368
> READ of size 1 at 0x00011f81e7d1 thread T0
>     #0 0x1005825c0 in re_match_2_internal regex-emacs.c:4352
>     #1 0x10057e5cc in rpl_re_search_2 regex-emacs.c:3383
>     #2 0x10057d1c4 in rpl_re_search regex-emacs.c:3177
>     #3 0x10056115c in fast_string_match_internal search.c:492
>     #4 0x1005045c0 in fast_string_match lisp.h:4818
>     #5 0x100504018 in Ffind_file_name_handler fileio.c:324
>     #6 0x1006dbe5c in openp lread.c:1911
>     #7 0x1006d8844 in Fload lread.c:1302
>     #8 0x1006e1af0 in save_match_data_load lread.c:1630
>     #9 0x10064f8cc in load_with_autoload_queue eval.c:2269
>     #10 0x10067d2f8 in Frequire fns.c:3274

Forgot to copy the part where it is freed:

freed by thread T0 here:
    #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
    #1 0x100985e38 in rpl_free free.c:48
    #2 0x1005b71a4 in lisp_free alloc.c:1038
    #3 0x1005cbda4 in compact_small_strings alloc.c:2191
    #4 0x1005c9f24 in sweep_strings alloc.c:2072
    #5 0x1005bd028 in gc_sweep alloc.c:7397
    #6 0x1005bb178 in garbage_collect alloc.c:6245
    #7 0x1005ba694 in maybe_garbage_collect alloc.c:6090
    #8 0x1006505ac in maybe_gc lisp.h:5624
    #9 0x100648ffc in Ffuncall eval.c:2972
    #10 0x10064bcd0 in internal_condition_case_n eval.c:1555
    #11 0x1000cdc8c in safe__call xdisp.c:3026
    #12 0x1000cdfc4 in safe__call1 xdisp.c:3062
    #13 0x1001d6404 in prepare_menu_bars xdisp.c:13572
    #14 0x1000f2340 in redisplay_internal xdisp.c:16523
    #15 0x100108f34 in redisplay xdisp.c:16105
    #16 0x10088fa84 in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8662
    #17 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
    #18 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
    #19 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
    #20 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
    #21 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
    #22 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
    #23 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
    #24 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
    #25 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
    #26 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
    #27 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
    #28 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
    #29 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)

>
> previously allocated by thread T0 here:
>     #0 0x103332ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
>     #1 0x1005ae8fc in lmalloc alloc.c:1361
>     #2 0x1005b0188 in lisp_malloc alloc.c:994
>     #3 0x1005b0a5c in allocate_string_data alloc.c:1889
>     #4 0x1005b1bd8 in make_clear_multibyte_string alloc.c:2475
>     #5 0x1005b1670 in make_clear_string alloc.c:2443
>     #6 0x1005b2714 in make_uninit_string alloc.c:2454
>     #7 0x100666c14 in concat_to_string fns.c:821
>     #8 0x100666420 in concat2 fns.c:600
>     #9 0x1006d7870 in Fget_load_suffixes lread.c:1123
>     #10 0x1006d86ac in Fload lread.c:1296
>     #11 0x1006e1af0 in save_match_data_load lread.c:1630
>     #12 0x10064f8cc in load_with_autoload_queue eval.c:2269
>
> frame #5: 0x00000001005825c4 emacs`re_match_2_internal(bufp=0x000000010111b890, string1=0x0000000000000000, size1=0, string2="/Users/gerd/.config/emacs.d.default/elpa/company-0.9.13/lsp-protocol.el.gz", size2=74, pos=0, regs=0x0000000000000000, stop=74) at regex-emacs.c:4352:18
>    4349	
>    4350		    PREFETCH ();
>    4351		    int len;
> -> 4352		    int corig = RE_STRING_CHAR_AND_LENGTH (d, len, target_multibyte);
>    4353		    int c = corig;
>    4354		    if (target_multibyte)
>    4355		      {
>
> And to make things worse, I can't get an xbacktrace because the "new"
> lldb, which I got with Xcode 14, says it has a bug.  Tadah :-/.
>
> (lldb) xbacktrace
> PLEASE submit a bug report to https://developer.apple.com/bug-reporting/ and include the crash backtrace.
> Stack dump:






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 14:17 ` Gerd Möllmann
@ 2022-09-24 14:48   ` Gerd Möllmann
  2022-09-24 14:56   ` Eli Zaretskii
  1 sibling, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-24 14:48 UTC (permalink / raw)
  To: 58042

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>> ==79227==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011f81e7d1 at pc 0x0001005825c4 bp 0x00016fdcf370 sp 0x00016fdcf368
>> READ of size 1 at 0x00011f81e7d1 thread T0
>>     #0 0x1005825c0 in re_match_2_internal regex-emacs.c:4352
>>     #1 0x10057e5cc in rpl_re_search_2 regex-emacs.c:3383
>>     #2 0x10057d1c4 in rpl_re_search regex-emacs.c:3177
>>     #3 0x10056115c in fast_string_match_internal search.c:492
>>     #4 0x1005045c0 in fast_string_match lisp.h:4818
>>     #5 0x100504018 in Ffind_file_name_handler fileio.c:324
>>     #6 0x1006dbe5c in openp lread.c:1911
>>     #7 0x1006d8844 in Fload lread.c:1302
>>     #8 0x1006e1af0 in save_match_data_load lread.c:1630
>>     #9 0x10064f8cc in load_with_autoload_queue eval.c:2269
>>     #10 0x10067d2f8 in Frequire fns.c:3274

Here's a guess:

Suppose that strings are compacted in a GC happening between
fast_string_match and re_match_2_internal.  That GC compacts strings,
moves the data of the string being matched from one block to another,
and the block where the string data used to be is freed.

Then the char* used in the regexp machine points into no-man's-land.







* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 14:17 ` Gerd Möllmann
  2022-09-24 14:48   ` Gerd Möllmann
@ 2022-09-24 14:56   ` Eli Zaretskii
  2022-09-24 15:08     ` Gerd Möllmann
  1 sibling, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-09-24 14:56 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Date: Sat, 24 Sep 2022 16:17:20 +0200
> 
> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
> 
> > ==79227==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011f81e7d1 at pc 0x0001005825c4 bp 0x00016fdcf370 sp 0x00016fdcf368
> > READ of size 1 at 0x00011f81e7d1 thread T0
> >     #0 0x1005825c0 in re_match_2_internal regex-emacs.c:4352
> >     #1 0x10057e5cc in rpl_re_search_2 regex-emacs.c:3383
> >     #2 0x10057d1c4 in rpl_re_search regex-emacs.c:3177
> >     #3 0x10056115c in fast_string_match_internal search.c:492
> >     #4 0x1005045c0 in fast_string_match lisp.h:4818
> >     #5 0x100504018 in Ffind_file_name_handler fileio.c:324
> >     #6 0x1006dbe5c in openp lread.c:1911
> >     #7 0x1006d8844 in Fload lread.c:1302
> >     #8 0x1006e1af0 in save_match_data_load lread.c:1630
> >     #9 0x10064f8cc in load_with_autoload_queue eval.c:2269
> >     #10 0x10067d2f8 in Frequire fns.c:3274
> 
> Forgot to copy the part where it is freed:
> 
> freed by thread T0 here:
>     #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
>     #1 0x100985e38 in rpl_free free.c:48
>     #2 0x1005b71a4 in lisp_free alloc.c:1038
>     #3 0x1005cbda4 in compact_small_strings alloc.c:2191
>     #4 0x1005c9f24 in sweep_strings alloc.c:2072
>     #5 0x1005bd028 in gc_sweep alloc.c:7397
>     #6 0x1005bb178 in garbage_collect alloc.c:6245
>     #7 0x1005ba694 in maybe_garbage_collect alloc.c:6090
>     #8 0x1006505ac in maybe_gc lisp.h:5624
>     #9 0x100648ffc in Ffuncall eval.c:2972
>     #10 0x10064bcd0 in internal_condition_case_n eval.c:1555
>     #11 0x1000cdc8c in safe__call xdisp.c:3026
>     #12 0x1000cdfc4 in safe__call1 xdisp.c:3062
>     #13 0x1001d6404 in prepare_menu_bars xdisp.c:13572
>     #14 0x1000f2340 in redisplay_internal xdisp.c:16523
>     #15 0x100108f34 in redisplay xdisp.c:16105
>     #16 0x10088fa84 in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8662
>     #17 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>     #18 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
>     #19 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
>     #20 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
>     #21 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
>     #22 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
>     #23 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
>     #24 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
>     #25 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
>     #26 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
>     #27 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
>     #28 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
>     #29 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)

So it was freed by GC, which probably relocated string data or
something.  But I don't understand the relation between these two
backtraces: was the one that accessed a freed string called by the one
which triggered GC?  IOW, what is the relation between the call to
'require', which ended up calling re_match_2_internal, and the call to
prepare_menu_bars, which triggered GC?

re_search gets Lisp strings as its arguments, so unless GC was called
while the regexp search was in progress, I cannot understand how this
could happen.

Is there any way to know which argument of re_match_2_internal was
used to access the free'd heap?






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 14:56   ` Eli Zaretskii
@ 2022-09-24 15:08     ` Gerd Möllmann
  2022-09-24 15:24       ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-24 15:08 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Date: Sat, 24 Sep 2022 16:17:20 +0200
>> 
>> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>> 
>> > ==79227==ERROR: AddressSanitizer: heap-use-after-free on address
>> > 0x00011f81e7d1 at pc 0x0001005825c4 bp 0x00016fdcf370 sp
>> > 0x00016fdcf368
>> > READ of size 1 at 0x00011f81e7d1 thread T0
>> >     #0 0x1005825c0 in re_match_2_internal regex-emacs.c:4352
>> >     #1 0x10057e5cc in rpl_re_search_2 regex-emacs.c:3383
>> >     #2 0x10057d1c4 in rpl_re_search regex-emacs.c:3177
>> >     #3 0x10056115c in fast_string_match_internal search.c:492
>> >     #4 0x1005045c0 in fast_string_match lisp.h:4818
>> >     #5 0x100504018 in Ffind_file_name_handler fileio.c:324
>> >     #6 0x1006dbe5c in openp lread.c:1911
>> >     #7 0x1006d8844 in Fload lread.c:1302
>> >     #8 0x1006e1af0 in save_match_data_load lread.c:1630
>> >     #9 0x10064f8cc in load_with_autoload_queue eval.c:2269
>> >     #10 0x10067d2f8 in Frequire fns.c:3274
>> 
>> Forgot to copy the part where it is freed:
>> 
>> freed by thread T0 here:
>>     #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
>>     #1 0x100985e38 in rpl_free free.c:48
>>     #2 0x1005b71a4 in lisp_free alloc.c:1038
>>     #3 0x1005cbda4 in compact_small_strings alloc.c:2191
>>     #4 0x1005c9f24 in sweep_strings alloc.c:2072
>>     #5 0x1005bd028 in gc_sweep alloc.c:7397
>>     #6 0x1005bb178 in garbage_collect alloc.c:6245
>>     #7 0x1005ba694 in maybe_garbage_collect alloc.c:6090
>>     #8 0x1006505ac in maybe_gc lisp.h:5624
>>     #9 0x100648ffc in Ffuncall eval.c:2972
>>     #10 0x10064bcd0 in internal_condition_case_n eval.c:1555
>>     #11 0x1000cdc8c in safe__call xdisp.c:3026
>>     #12 0x1000cdfc4 in safe__call1 xdisp.c:3062
>>     #13 0x1001d6404 in prepare_menu_bars xdisp.c:13572
>>     #14 0x1000f2340 in redisplay_internal xdisp.c:16523
>>     #15 0x100108f34 in redisplay xdisp.c:16105
>>     #16 0x10088fa84 in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8662
>>     #17 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>>     #18 0x1901f661c in
>> CA::Context::commit_transaction(CA::Transaction*, double,
>> double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
>>     #19 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
>>     #20 0x18bee1698 in __62+[CATransaction(NSCATransaction)
>> NS_setFlushesWithDisplayLink]_block_invoke+0x12c
>> (AppKit:arm64e+0x1ac698)
>>     #21 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
>>     #22 0x1892101a0 in
>> __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20
>> (CoreFoundation:arm64e+0x841a0)
>>     #23 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
>>     #24 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
>>     #25 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
>>     #26 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
>>     #27 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
>>     #28 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
>>     #29 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)
>
> So it was freed by GC, which probably relocated string data or
> something.  But I don't understand the relation between these two
> backtraces: was the one that accessed a freed string called by the one
> which triggered GC?  IOW, what is the relation between the call to
> 'require', which ended up calling re_match_2_internal, and the call to
> prepare_menu_bars, which triggered GC?

I don't understand that part either.

> re_search gets Lisp strings as its arguments, so unless GC was called
> while the regexp search was in progress, I cannot understand how this
> could happen.

Right, that's what I also think.  See also my other mail.

> Is there any way to know which argument of re_match_2_internal was
> used to access the free'd heap?

I can't figure it out from the code, and LLDB got the segmentation
fault, so I can't look.  Maybe Stefan can figure that out.

But in general, I think the small string compaction could be a serious
problem here, as soon as a GC happens while the regexp machine holds
pointers.






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 15:08     ` Gerd Möllmann
@ 2022-09-24 15:24       ` Eli Zaretskii
  2022-09-25  5:50         ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-09-24 15:24 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Sat, 24 Sep 2022 17:08:12 +0200
> 
> But in general, I think the small string compaction could be a serious
> problem here, as soon as a GC happens while the regexp machine holds
> pointers.

What is the path from regexp match to GC?  The GC was triggered by
redisplay, but how did redisplay start while regexp match was in
progress?  Do you see any code in regexp that could trigger redisplay?






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 15:24       ` Eli Zaretskii
@ 2022-09-25  5:50         ` Gerd Möllmann
  2022-09-25  6:32           ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-25  5:50 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Cc: 58042@debbugs.gnu.org
>> Date: Sat, 24 Sep 2022 17:08:12 +0200
>> 
>> But in general, I think the small string compaction could be a serious
>> problem here, as soon as a GC happens while the regexp machine holds
>> pointers.
>
> What is the path from regexp match to GC?

I think since bug#56108 it's safe to say that a GC can happen while
matching.  In that bug, a regexp_cache entry was "freed" by GC.

> The GC was triggered by
> redisplay, but how did redisplay start while regexp match was in
> progress?  Do you see any code in regexp that could trigger redisplay?

I'm afraid, I don't follow.  Why do you think redisplay comes into play
here?

Anyways, my working hypothesis currently goes like this:

We match using some Lisp string S and get its data pointer, say D.
Since D is not null, S must be a live string.

(Actually I didn't check that this is still the case, but I think I've
been setting s.data to null for free strings right from the start, and I
can't imagine why anyone would change that.)

Between the point we get D, and the point of the crash, a GC happens.
We know in principle that a GC can happen while matching since
bug#56108.  I'm taking that as a given.  The GC compacts strings and
changes S's data pointer.

After GC, S.data != D.

Now, ASAN knows that a struct sdata was allocated and freed in the past
that contains S.data.  Or perhaps better said S.data points into the
part of the freed struct sdata that ASAN checks.

How can that happen?

I have no idea, but that's the scenario I give the most credibility so
far.

WDYT?





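The scenario Gerd sketches above (a GC between fast_string_match and re_match_2_internal compacts strings, and the char* the regexp machine holds then points into a freed sdata), reduced to a small C model.  This is an added illustration, not code from the thread or from Emacs: the struct names, the epoch counter gc_count, the poison byte and the live-string list are this example's assumptions, and the re-fetch in match_refetch shows one check a caller could make, not the fix discussed in the bug.

```c
/* Added example, not Emacs code: a toy model of the hazard discussed in this
   thread.  String bytes live in a block that a compacting GC may move; a
   matcher that caches the raw data pointer across a point where GC can run
   then reads the old, freed block.  Lisp_String, sblock, compact_strings and
   gc_count only borrow Emacs's vocabulary; layout and behaviour are this
   example's assumptions, not a description of alloc.c.  The "freed" block is
   poisoned instead of returned to malloc so the run stays defined behaviour. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 256
#define FREED_BYTE 0xDD

struct sblock { unsigned char bytes[BLOCK_SIZE]; size_t used; };
struct Lisp_String { unsigned char *data; size_t size; }; /* data NULL: dead */

static struct sblock *current_block;
static unsigned long gc_count;   /* hypothetical GC epoch counter */

static struct sblock *new_block(void)
{
    struct sblock *b = calloc(1, sizeof *b);
    if (!b) abort();
    return b;
}

static void make_string(struct Lisp_String *s, const char *text)
{
    size_t n = strlen(text);
    if (!current_block) current_block = new_block();
    assert(current_block->used + n <= BLOCK_SIZE);
    s->data = current_block->bytes + current_block->used;
    s->size = n;
    memcpy(s->data, text, n);
    current_block->used += n;
}

/* Model of compaction: copy each live string into a fresh block, repoint
   s->data, and "free" the old block; any char* taken earlier is now stale. */
static void compact_strings(struct Lisp_String **live, size_t nlive)
{
    struct sblock *old = current_block, *fresh = new_block();
    for (size_t i = 0; i < nlive; i++) {
        struct Lisp_String *s = live[i];
        if (!s->data) continue;
        memcpy(fresh->bytes + fresh->used, s->data, s->size);
        s->data = fresh->bytes + fresh->used;
        fresh->used += s->size;
    }
    memset(old->bytes, FREED_BYTE, BLOCK_SIZE);   /* stands in for free() */
    current_block = fresh;
    gc_count++;
}

/* How many of the n bytes behind d still equal the text we expect. */
static size_t count_matching(const unsigned char *d, const char *expect, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += (d[i] == (unsigned char) expect[i]);
    return ok;
}

/* Buggy pattern: take the data pointer once (as fast_string_match does when
   it hands a char* to re_match_2_internal) and keep using it after something
   inside the match has run GC.  Returns how many bytes still read correctly. */
static size_t match_cached(struct Lisp_String *s, const char *expect,
                           struct Lisp_String **live, size_t nlive)
{
    const unsigned char *d = s->data;     /* D, taken before GC */
    compact_strings(live, nlive);         /* GC moves S's bytes */
    return count_matching(d, expect, s->size);   /* reads the poisoned block */
}

/* Defensive pattern (this example's own, not a claim about any Emacs fix):
   record the GC epoch when D was taken and re-derive D from S if it changed. */
static size_t match_refetch(struct Lisp_String *s, const char *expect,
                            struct Lisp_String **live, size_t nlive)
{
    unsigned long epoch = gc_count;
    const unsigned char *d = s->data;
    compact_strings(live, nlive);
    if (gc_count != epoch) d = s->data;   /* S moved: refresh D */
    return count_matching(d, expect, s->size);
}

int main(void)
{
    struct Lisp_String s, *live[] = { &s };
    const char *name = "lsp-protocol.el.gz";   /* constructed sample input */
    make_string(&s, name);
    printf("cached D after GC:    %zu/%zu bytes intact\n",
           match_cached(&s, name, live, 1), s.size);
    printf("refetched D after GC: %zu/%zu bytes intact\n",
           match_refetch(&s, name, live, 1), s.size);
    return 0;
}
```

Built with -fsanitize=address and a real free() in place of the memset, the read in match_cached is exactly the kind of access that produces the three stacks in the report above: the faulting read, the free inside compaction, and the original allocation of the string data.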

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-25  5:50         ` Gerd Möllmann
@ 2022-09-25  6:32           ` Eli Zaretskii
  2022-09-25  7:06             ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-09-25  6:32 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Sun, 25 Sep 2022 07:50:17 +0200
> 
> > The GC was triggered by
> > redisplay, but how did redisplay start while regexp match was in
> > progress?  Do you see any code in regexp that could trigger redisplay?
> 
> I'm afraid, I don't follow.  Why do you think redisplay comes into play
> here?

Because of this part of your message in
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=58042#8:

  freed by thread T0 here:
      #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
      #1 0x100985e38 in rpl_free free.c:48
      #2 0x1005b71a4 in lisp_free alloc.c:1038
      #3 0x1005cbda4 in compact_small_strings alloc.c:2191
      #4 0x1005c9f24 in sweep_strings alloc.c:2072
      #5 0x1005bd028 in gc_sweep alloc.c:7397
      #6 0x1005bb178 in garbage_collect alloc.c:6245
      #7 0x1005ba694 in maybe_garbage_collect alloc.c:6090
      #8 0x1006505ac in maybe_gc lisp.h:5624
      #9 0x100648ffc in Ffuncall eval.c:2972
      #10 0x10064bcd0 in internal_condition_case_n eval.c:1555
      #11 0x1000cdc8c in safe__call xdisp.c:3026
      #12 0x1000cdfc4 in safe__call1 xdisp.c:3062
      #13 0x1001d6404 in prepare_menu_bars xdisp.c:13572
      #14 0x1000f2340 in redisplay_internal xdisp.c:16523
      #15 0x100108f34 in redisplay xdisp.c:16105

AFAIU, this says that the GC which freed the string data was caused by
safe__call1 inside prepare_menu_bars, which was called from
redisplay_internal.

> Anyways, my working hypotheses currently goes like this:
> 
> We match using some Lisp string S and get its data pointer, say D.
> Since D is not null, S must be a live string.
> 
> (Actually I didn't check that this is still the case, but I think I've
> been setting s.data to null for free strings right from the start, and I
> can't imagine why anyone would change that.)
> 
> Between the point we get D, and the point of the crash, a GC happens.
> We know in principle that a GC can happen while matching since
> bug#56108.  I'm taking that as a given.  The GC compacts strings and
> changes S's data pointer.
> 
> After GC, S.data != D.

Yes, but I have difficulty with the fact that GC was caused by
redisplay, and redisplay cannot be invoked while we are in
re_match_2_internal, AFAIK.  So something else is missing here (or
maybe I'm misinterpreting the ASAN report you posted).






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-25  6:32           ` Eli Zaretskii
@ 2022-09-25  7:06             ` Gerd Möllmann
  2022-09-25  8:08               ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-25  7:06 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>       #14 0x1000f2340 in redisplay_internal xdisp.c:16523
>       #15 0x100108f34 in redisplay xdisp.c:16105
>
> AFAIU, this says that the GC which freed the string data was caused by
> safe__call1 inside prepare_menu_bars, which was called from
> redisplay_internal.

Ah, okay!  Sorry, I didn't remember that redisplay on the stack.  Please
see below.

> Yes, but I have difficulty with the fact that GC was caused by
> redisplay, and redisplay cannot be invoked while we are in
> re_match_2_internal, AFAIK.  So something else is missing here (or
> maybe I'm misinterpreting the ASAN report you posted).

The second and third backtrace that ASAN displays (freed by, and
previously allocated) are not backtraces directly involved in the crash.
They display some history related to the pointer that causes the crash.

When something is allocated or freed, ASAN records callstacks that show
from where that happens.  Also, in the case of free, it somehow arranges
that accessing that freed memory leads to a signal.  I think it uses VM
page protection for that.






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-25  7:06             ` Gerd Möllmann
@ 2022-09-25  8:08               ` Eli Zaretskii
  2022-09-25  8:28                 ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-09-25  8:08 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Sun, 25 Sep 2022 09:06:59 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> >       #14 0x1000f2340 in redisplay_internal xdisp.c:16523
> >       #15 0x100108f34 in redisplay xdisp.c:16105
> >
> > AFAIU, this says that the GC which freed the string data was caused by
> > safe__call1 inside prepare_menu_bars, which was called from
> > redisplay_internal.
> 
> Ah, okay!  Sorry, I didn't remember that redisplay on the stack.  Please
> see below.
> 
> > Yes, but I have difficulty with the fact that GC was caused by
> > redisplay, and redisplay cannot be invoked while we are in
> > re_match_2_internal, AFAIK.  So something else is missing here (or
> > maybe I'm misinterpreting the ASAN report you posted).
> 
> The second and third backtrace that ASAN displays (freed by, and
> previously allocated) are not backtraces directly involved in the crash.
> They display some history related to the pointer that causes the crash.

So you are saying that the backtrace I quoted, which shows that GC
that freed the string was triggered by redisplay, is NOT the GC which
actually freed the particular string involved in the
read-from-freed-heap?  If so, where's the backtrace showing the GC
that did free/relocate this particular string?

IOW, I think I'm now confused wrt what exactly the ASAN data tells us.
Can you perhaps help me understand that, quoting the relevant
backtraces as you go?

Thanks.






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-25  8:08               ` Eli Zaretskii
@ 2022-09-25  8:28                 ` Gerd Möllmann
  2022-09-25  8:43                   ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-25  8:28 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Cc: 58042@debbugs.gnu.org
>> Date: Sun, 25 Sep 2022 09:06:59 +0200
>> 
>> Eli Zaretskii <eliz@gnu.org> writes:
>> 
>> >       #14 0x1000f2340 in redisplay_internal xdisp.c:16523
>> >       #15 0x100108f34 in redisplay xdisp.c:16105
>> >
>> > AFAIU, this says that the GC which freed the string data was caused by
>> > safe__call1 inside prepare_menu_bars, which was called from
>> > redisplay_internal.
>> 
>> Ah, okay!  Sorry, I didn't remember that redisplay on the stack.  Please
>> see below.
>> 
>> > Yes, but I have difficulty with the fact that GC was caused by
>> > redisplay, and redisplay cannot be invoked while we are in
>> > re_match_2_internal, AFAIK.  So something else is missing here (or
>> > maybe I'm misinterpreting the ASAN report you posted).
>> 
>> The second and third backtrace that ASAN displays (freed by, and
>> previously allocated) are not backtraces directly involved in the crash.
>> They display some history related to the pointer that causes the crash.
>
> So you are saying that the backtrace I quoted, which shows that GC
> that freed the string was triggered by redisplay, is NOT the GC which
> actually freed the particular string involved in the
> read-from-freed-heap?

That's my working assumption, yes.

> If so, where's the backtrace showing the GC
> that did free/relocate this particular string?

It's not there.

> IOW, I think I'm now confused wrt what exactly the ASAN data tells us.
> Can you perhaps help me understand that, quoting the relevant
> backtraces as you go?

That confuses me, too.

Everything in the hypothesis seems to work, except that I can't explain
how the pointer S.data, to use that term again, can end up pointing into
memory that ASAN has page-protected.

- S must be live at the beginning of the match, otherwise S.data ==
  NULL.

- The freeing of the struct sblock during redisplay happens in the same
  thread as the match where we crash.  So it must have happened before
  the match.

So, the question seems to be what scenario would create a live string
that points into a freed sdata struct.

I'm out of ideas, and close to giving up.  Any alternative theories are
of course more than welcome.  I'm just seeking something that maybe can
be falsified.






* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-25  8:28                 ` Gerd Möllmann
@ 2022-09-25  8:43                   ` Eli Zaretskii
  2022-09-26  5:13                     ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-09-25  8:43 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Sun, 25 Sep 2022 10:28:48 +0200
> 
> So, the question seems to be what scenario would create a live string
> that points into a freed sdata struct.

That sounds highly improbable to me.  But stranger things have
happened...



* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-25  8:43                   ` Eli Zaretskii
@ 2022-09-26  5:13                     ` Gerd Möllmann
  0 siblings, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-09-26  5:13 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Cc: 58042@debbugs.gnu.org
>> Date: Sun, 25 Sep 2022 10:28:48 +0200
>> 
>> So, the question seems to be what scenario would create a live string
>> that points into a freed sdata struct.
>
> That sounds highly improbable to me.  But stranger things have
> happened...

Yeah :-/.

In the meantime, and in an attempt to get some more information, I've
made myself a script that starts Emacs in LLDB, with my init file, and exits
Emacs after a delay, and then does things in LLDB depending on what
happened.

I left that script running over night, and the result wasn't very
helpful.  After almost 2 hours of running, I got an ASAN error in
copyRect:(NSRect)srcRect to:(NSPoint)dest, nsterm.m.  And LLDB crashed
again.

This is with HEAD 568920a5b703e80c43e1b6f31778ea5776218a1e.

I meanwhile wonder what that all means.  An "invalid display" that isn't
reproducible, a crash in regexp, a crash in copyRect, and then the
crashes in LLDB itself.

I think I'll let that sit for a bit.



* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 13:45 bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal Gerd Möllmann
  2022-09-24 14:17 ` Gerd Möllmann
@ 2022-10-04 14:33 ` Gerd Möllmann
  2022-10-04 16:35   ` Eli Zaretskii
  2022-10-06  5:35 ` Gerd Möllmann
  2 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-04 14:33 UTC (permalink / raw)
  To: 58042

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

Happened again today when starting Emacs with my init file, and I can't
make sense of it.  And, of course, LLDB finally crashed :-(.

(lldb) PLEASE submit a bug report to https://developer.apple.com/bug-reporting/ and include the crash backtrace.
Stack dump without symbol names (ensure you have llvm-symbolizer in your PATH or set the environment var `LLVM_SYMBOLIZER_PATH` to point to it):
0  lldb                                       0x00000001041e55dc llvm::sys::PrintStackTrace(llvm::raw_ostream&,

This is c3eb6c0563cc95b2134af9fe0ee6f304ddbb0480, which is from the
noverlay branch.

==15586==ERROR: AddressSanitizer: heap-use-after-free on address 0x00011f90d0a1 at pc 0x000100582044 bp 0x00016fdc8290 sp 0x00016fdc8288
READ of size 1 at 0x00011f90d0a1 thread T0
    #0 0x100582040 in re_match_2_internal regex-emacs.c:4328
    #1 0x10057e2a4 in rpl_re_search_2 regex-emacs.c:3383
    #2 0x10057ce9c in rpl_re_search regex-emacs.c:3177
    #3 0x100560e34 in fast_string_match_internal search.c:492
    #4 0x100504298 in fast_string_match lisp.h:4816
    #5 0x100503cf0 in Ffind_file_name_handler fileio.c:324
    #6 0x1006dbb34 in openp lread.c:1911
    #7 0x1006d851c in Fload lread.c:1302
    #8 0x1006e17c8 in save_match_data_load lread.c:1630
    #9 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #10 0x10067cfd0 in Frequire fns.c:3274
    #11 0x100654630 in funcall_subr eval.c:3019
    #12 0x10072e674 in exec_byte_code bytecode.c:809
    #13 0x10072c238 in Fbyte_code bytecode.c:329
    #14 0x100641c48 in eval_sub eval.c:2486
    #15 0x1006e118c in readevalloop lread.c:2339
    #16 0x1006d9d80 in Fload lread.c:1581
    #17 0x1006e17c8 in save_match_data_load lread.c:1630
    #18 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #19 0x10067cfd0 in Frequire fns.c:3274
    #20 0x100641c48 in eval_sub eval.c:2486
    #21 0x1006f5a04 in readevalloop_eager_expand_eval lread.c:2154
    #22 0x1006e117c in readevalloop lread.c:2337
    #23 0x1006e29dc in Feval_buffer lread.c:2410
    #24 0x100654900 in funcall_subr eval.c:3023
    #25 0x10072e674 in exec_byte_code bytecode.c:809
    #26 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #27 0x100655570 in funcall_lambda eval.c:3136
    #28 0x100653d48 in funcall_general eval.c:2927
    #29 0x100648db4 in Ffuncall eval.c:2977
    #30 0x1006de658 in call4 lisp.h:3317
    #31 0x1006d96d0 in Fload lread.c:1477
    #32 0x1006e17c8 in save_match_data_load lread.c:1630
    #33 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #34 0x10067cfd0 in Frequire fns.c:3274
    #35 0x100641c48 in eval_sub eval.c:2486
    #36 0x1006f5a04 in readevalloop_eager_expand_eval lread.c:2154
    #37 0x1006e117c in readevalloop lread.c:2337
    #38 0x1006e29dc in Feval_buffer lread.c:2410
    #39 0x100654900 in funcall_subr eval.c:3023
    #40 0x10072e674 in exec_byte_code bytecode.c:809
    #41 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #42 0x100655570 in funcall_lambda eval.c:3136
    #43 0x100653d48 in funcall_general eval.c:2927
    #44 0x100648db4 in Ffuncall eval.c:2977
    #45 0x1006de658 in call4 lisp.h:3317
    #46 0x1006d96d0 in Fload lread.c:1477
    #47 0x1006e17c8 in save_match_data_load lread.c:1630
    #48 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #49 0x10067cfd0 in Frequire fns.c:3274
    #50 0x100641c48 in eval_sub eval.c:2486
    #51 0x1006f5a04 in readevalloop_eager_expand_eval lread.c:2154
    #52 0x1006e117c in readevalloop lread.c:2337
    #53 0x1006e29dc in Feval_buffer lread.c:2410
    #54 0x100654900 in funcall_subr eval.c:3023
    #55 0x10072e674 in exec_byte_code bytecode.c:809
    #56 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #57 0x100655570 in funcall_lambda eval.c:3136
    #58 0x100653d48 in funcall_general eval.c:2927
    #59 0x100648db4 in Ffuncall eval.c:2977
    #60 0x1006de658 in call4 lisp.h:3317
    #61 0x1006d96d0 in Fload lread.c:1477
    #62 0x1006e17c8 in save_match_data_load lread.c:1630
    #63 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #64 0x10067cfd0 in Frequire fns.c:3274
    #65 0x100641c48 in eval_sub eval.c:2486
    #66 0x1006f5a04 in readevalloop_eager_expand_eval lread.c:2154
    #67 0x1006e117c in readevalloop lread.c:2337
    #68 0x1006e29dc in Feval_buffer lread.c:2410
    #69 0x100654900 in funcall_subr eval.c:3023
    #70 0x10072e674 in exec_byte_code bytecode.c:809
    #71 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #72 0x100655570 in funcall_lambda eval.c:3136
    #73 0x100653d48 in funcall_general eval.c:2927
    #74 0x100648db4 in Ffuncall eval.c:2977
    #75 0x1006de658 in call4 lisp.h:3317
    #76 0x1006d96d0 in Fload lread.c:1477
    #77 0x100641ed0 in eval_sub eval.c:2494
    #78 0x100643134 in Fprogn eval.c:436
    #79 0x100647a78 in Flet eval.c:1023
    #80 0x1006411c8 in eval_sub eval.c:2433
    #81 0x100643134 in Fprogn eval.c:436
    #82 0x100655a94 in funcall_lambda eval.c:3216
    #83 0x100651410 in apply_lambda eval.c:3086
    #84 0x100642a50 in eval_sub eval.c:2570
    #85 0x1006f5a04 in readevalloop_eager_expand_eval lread.c:2154
    #86 0x1006e117c in readevalloop lread.c:2337
    #87 0x1006e29dc in Feval_buffer lread.c:2410
    #88 0x100654900 in funcall_subr eval.c:3023
    #89 0x10072e674 in exec_byte_code bytecode.c:809
    #90 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #91 0x100655570 in funcall_lambda eval.c:3136
    #92 0x100653d48 in funcall_general eval.c:2927
    #93 0x100648db4 in Ffuncall eval.c:2977
    #94 0x1006de658 in call4 lisp.h:3317
    #95 0x1006d96d0 in Fload lread.c:1477
    #96 0x100654900 in funcall_subr eval.c:3023
    #97 0x10072e674 in exec_byte_code bytecode.c:809
    #98 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #99 0x100655570 in funcall_lambda eval.c:3136
    #100 0x100651410 in apply_lambda eval.c:3086
    #101 0x10064251c in eval_sub eval.c:2527
    #102 0x10064fb8c in Feval eval.c:2343
    #103 0x1004524b0 in top_level_2 keyboard.c:1141
    #104 0x10064b100 in internal_condition_case eval.c:1471
    #105 0x1004523c4 in top_level_1 keyboard.c:1149
    #106 0x10064988c in internal_catch eval.c:1194
    #107 0x100417d64 in command_loop keyboard.c:1109
    #108 0x1004177f4 in recursive_edit_1 keyboard.c:719
    #109 0x1004187b0 in Frecursive_edit keyboard.c:802
    #110 0x100410988 in main emacs.c:2521
    #111 0x101545088 in start+0x204 (dyld:arm64e+0x5088)

0x00011f90d0a1 is located 1953 bytes inside of 8184-byte region [0x00011f90c900,0x00011f90e8f8)
freed by thread T0 here:
    #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
    #1 0x100985df8 in rpl_free free.c:48
    #2 0x1005b6e7c in lisp_free alloc.c:1038
    #3 0x1005cba7c in compact_small_strings alloc.c:2191
    #4 0x1005c9bfc in sweep_strings alloc.c:2072
    #5 0x1005bcd00 in gc_sweep alloc.c:7397
    #6 0x1005bae50 in garbage_collect alloc.c:6245
    #7 0x1005ba36c in maybe_garbage_collect alloc.c:6090
    #8 0x100650284 in maybe_gc lisp.h:5622
    #9 0x100648cd4 in Ffuncall eval.c:2972
    #10 0x10064b9a8 in internal_condition_case_n eval.c:1555
    #11 0x1000cd964 in safe__call xdisp.c:3026
    #12 0x1000cdc9c in safe__call1 xdisp.c:3062
    #13 0x1001d60dc in prepare_menu_bars xdisp.c:13572
    #14 0x1000f2018 in redisplay_internal xdisp.c:16523
    #15 0x100108c0c in redisplay xdisp.c:16105
    #16 0x10088fa44 in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8662
    #17 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
    #18 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
    #19 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
    #20 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
    #21 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
    #22 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
    #23 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
    #24 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
    #25 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
    #26 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
    #27 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
    #28 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
    #29 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)

previously allocated by thread T0 here:
    #0 0x103332ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
    #1 0x1005ae5d4 in lmalloc alloc.c:1361
    #2 0x1005afe60 in lisp_malloc alloc.c:994
    #3 0x1005b0734 in allocate_string_data alloc.c:1889
    #4 0x1005b18b0 in make_clear_multibyte_string alloc.c:2475
    #5 0x1005b1348 in make_clear_string alloc.c:2443
    #6 0x1005b23ec in make_uninit_string alloc.c:2454
    #7 0x1005b2358 in make_unibyte_string alloc.c:2369
    #8 0x1006dba68 in openp lread.c:1908
    #9 0x1006d851c in Fload lread.c:1302
    #10 0x1006e17c8 in save_match_data_load lread.c:1630
    #11 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #12 0x10067cfd0 in Frequire fns.c:3274
    #13 0x100654630 in funcall_subr eval.c:3019
    #14 0x10072e674 in exec_byte_code bytecode.c:809
    #15 0x10072c238 in Fbyte_code bytecode.c:329
    #16 0x100641c48 in eval_sub eval.c:2486
    #17 0x1006e118c in readevalloop lread.c:2339
    #18 0x1006d9d80 in Fload lread.c:1581
    #19 0x1006e17c8 in save_match_data_load lread.c:1630
    #20 0x10064f5a4 in load_with_autoload_queue eval.c:2269
    #21 0x10067cfd0 in Frequire fns.c:3274
    #22 0x100641c48 in eval_sub eval.c:2486
    #23 0x1006f5a04 in readevalloop_eager_expand_eval lread.c:2154
    #24 0x1006e117c in readevalloop lread.c:2337
    #25 0x1006e29dc in Feval_buffer lread.c:2410
    #26 0x100654900 in funcall_subr eval.c:3023
    #27 0x10072e674 in exec_byte_code bytecode.c:809
    #28 0x10065cd48 in fetch_and_exec_byte_code eval.c:3064
    #29 0x100655570 in funcall_lambda eval.c:3136

SUMMARY: AddressSanitizer: heap-use-after-free regex-emacs.c:4328 in re_match_2_internal
Shadow bytes around the buggy address:
  0x007023f419c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f419d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f419e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f419f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f41a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x007023f41a10: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x007023f41a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f41a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f41a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f41a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x007023f41a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15586==ABORTING
(lldb) AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.

(lldb) xbacktrace
(unsigned char *) data = 0x0000000100a205e0 "require"
(unsigned char *) data = 0x0000000100a25940 "byte-code"
(unsigned char *) data = 0x0000000100a205e0 "require"
(unsigned char *) data = 0x0000000100a24000 "eval-buffer"
(unsigned char *) data = 0x0000000107e7d013 "load-with-code-conversion"
(unsigned char *) data = 0x0000000100a205e0 "require"
(unsigned char *) data = 0x0000000100a24000 "eval-buffer"
(unsigned char *) data = 0x0000000107e7d013 "load-with-code-conversion"
(unsigned char *) data = 0x0000000100a205e0 "require"
(unsigned char *) data = 0x0000000100a24000 "eval-buffer"
(unsigned char *) data = 0x0000000107e7d013 "load-with-code-conversion"
(unsigned char *) data = 0x0000000100a205e0 "require"
(unsigned char *) data = 0x0000000100a24000 "eval-buffer"
(unsigned char *) data = 0x0000000107e7d013 "load-with-code-conversion"
(unsigned char *) data = 0x0000000100a1dac0 "load"
(unsigned char *) data = 0x0000000100a1d760 "let"
(unsigned char *) data = 0x0000000105c184b0 "chemacs-load-user-init"
(unsigned char *) data = 0x0000000100a24000 "eval-buffer"
(unsigned char *) data = 0x0000000107e7d013 "load-with-code-conversion"
(unsigned char *) data = 0x0000000100a1dac0 "load"
(unsigned char *) data = 0x0000000107e7ee82 "startup--load-user-init-file"
(unsigned char *) data = 0x0000000107e7f852 "command-line"
(unsigned char *) data = 0x0000000107e80b37 "normal-top-level"

frame #5: 0x0000000100582044 emacs`re_match_2_internal(bufp=0x000000010111ace8, string1=0x0000000000000000, size1=0, string2="/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib", size2=78, pos=0, regs=0x0000000000000000, stop=78) at regex-emacs.c:4328:15
   4325		    DEBUG_PRINT ("EXECUTING anychar.\n");
   4326	
   4327		    PREFETCH ();
-> 4328		    buf_ch = RE_STRING_CHAR_AND_LENGTH (d, buf_charlen,
   4329							target_multibyte);
   4330		    buf_ch = TRANSLATE (buf_ch);
   4331		    if (buf_ch == '\n')
(lldb) 
frame #6: 0x000000010057e2a8 emacs`rpl_re_search_2(bufp=0x000000010111ace8, str1=0x0000000000000000, size1=0, str2="/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib", size2=78, startpos=0, range=0, regs=0x0000000000000000, stop=78) at regex-emacs.c:3383:13
   3380		  && !bufp->can_be_null)
   3381		return -1;
   3382	
-> 3383	      val = re_match_2_internal (bufp, string1, size1, string2, size2,
   3384					 startpos, regs, stop);
   3385	
   3386	      if (val >= 0)
(lldb) down
frame #5: 0x0000000100582044 emacs`re_match_2_internal(bufp=0x000000010111ace8, string1=0x0000000000000000, size1=0, string2="/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib", size2=78, pos=0, regs=0x0000000000000000, stop=78) at regex-emacs.c:4328:15
   4325		    DEBUG_PRINT ("EXECUTING anychar.\n");
   4326	
   4327		    PREFETCH ();
-> 4328		    buf_ch = RE_STRING_CHAR_AND_LENGTH (d, buf_charlen,
   4329							target_multibyte);
   4330		    buf_ch = TRANSLATE (buf_ch);
   4331		    if (buf_ch == '\n')
(lldb) p d
(re_char *) $285 = 0x000000011f90d0a1 "magit-section-20220901.331/puny.dylib"

frame #10: 0x0000000100503cf4 emacs`Ffind_file_name_handler(filename=(struct Lisp_String *) $318 = 0x000000011f6ec4c0, operation=(struct Lisp_Symbol *) $321 = 0x00000001010ec310) at fileio.c:324:24
   321 		    operations = Fget (handler, Qoperations);
   322 	
   323 		  if (STRINGP (string)
-> 324 		      && (match_pos = fast_string_match (string, filename)) > pos
   325 		      && (NILP (operations) || ! NILP (Fmemq (operation, operations))))
   326 		    {
   327 		      Lisp_Object tem;
(lldb) p filename
(Lisp_Object) $322 = 0x000000011f6ec4c4 (struct Lisp_String *) $324 = 0x000000011f6ec4c0
(lldb) p *$324
(struct Lisp_String) $325 = {
  u = {
    s = {
      size = 78
      size_byte = -1
      intervals = NULL
      data = 0x000000011f5d2f38 "/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib"
    }
    next = 0x000000000000004e
    gcaligned = 'N'
  }
}
(lldb) p string
(Lisp_Object) $326 = 0x000000011ce990c4 (struct Lisp_String *) $328 = 0x000000011ce990c0
(lldb) p *$328
(struct Lisp_String) $329 = {
  u = {
    s = {
      size = 313
      size_byte = -1
      intervals = NULL
      data = 0x000000011cdce9f0 "\\`\\(.+\\.\\(?:7z\\|CAB\\|LZH\\|MSU\\|ZIP\\|a\\(?:pk\\|r\\)\\|c\\(?:ab\\|pio\\|rate\\)\\|de\\(?:b\\|pot\\)\\|e\\(?:pub\\|xe\\)\\|iso\\|jar\\|lzh\\|m\\(?:su\\|tree\\)\\|od[bfgpst]\\|pax\\|r\\(?:ar\\|pm\\)\\|shar\\|t\\(?:ar\\|bz\\|gz\\|lz\\|xz\\|zst\\)\\|warc\\|x\\(?:ar\\|p[is]\\)\\|zip\\)\\(?:\\.\\(?:Z\\|bz2\\|gz\\|l\\(?:rz\\|z\\(?:ma\\|[4o]\\)?\\)\\|uu\\|xz\\|zst\\)\\)?\\)\\(/.*\\)\\'"
    }
    next = 0x0000000000000139
    gcaligned = '9'
  }
}

frame #8: 0x0000000100560e38 emacs`fast_string_match_internal(regexp=(struct Lisp_String *) $342 = 0x000000011ce990c0, string=(struct Lisp_String *) $344 = 0x000000011f6ec4c0, table=(struct Lisp_Symbol *) $347 = 0x00000001010e5860) at search.c:492:19
   489 	  struct regexp_cache *cache_entry
   490 	    = compile_pattern (regexp, 0, table, 0, STRING_MULTIBYTE (string));
   491 	  freeze_pattern (cache_entry);
-> 492 	  ptrdiff_t val = re_search (&cache_entry->buf, SSDATA (string),
   493 				     SBYTES (string), 0,
   494 				     SBYTES (string), 0);
   495 	  unbind_to (count, Qnil);
(lldb) p cache_entry
(regexp_cache *) $348 = 0x000000010111acc8
(lldb) p *cache_entry
(regexp_cache) $349 = {
  next = NULL
  regexp = 0x000000011f6dbbc4 (struct Lisp_String *) $351 = 0x000000011f6dbbc0
  f_whitespace_regexp = NULL
  syntax_table = 0x0000000000000030 (struct Lisp_Symbol *) $354 = 0x00000001010e5890
  buf = {
    buffer = 0x0000000108991b80 "\v\U00000006\U00000001\U00000003\U0000000e\U00000004"
    allocated = 648
    used = 555
    charset_unibyte = 1
    fastmap = 0x000000010111ad28 ""
    translate = NULL
    re_nsub = 2
    can_be_null = true
    regs_allocated = 0
    fastmap_accurate = true
    used_syntax = false
    multibyte = false
    target_multibyte = false
  }
  fastmap = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
  posix = false
  busy = true
}
(lldb) p *$351 
(struct Lisp_String) $355 = {
  u = {
    s = {
      size = 313
      size_byte = -1
      intervals = NULL
      data = 0x000000011f5cfd90 "\\`\\(.+\\.\\(?:7z\\|CAB\\|LZH\\|MSU\\|ZIP\\|a\\(?:pk\\|r\\)\\|c\\(?:ab\\|pio\\|rate\\)\\|de\\(?:b\\|pot\\)\\|e\\(?:pub\\|xe\\)\\|iso\\|jar\\|lzh\\|m\\(?:su\\|tree\\)\\|od[bfgpst]\\|pax\\|r\\(?:ar\\|pm\\)\\|shar\\|t\\(?:ar\\|bz\\|gz\\|lz\\|xz\\|zst\\)\\|warc\\|x\\(?:ar\\|p[is]\\)\\|zip\\)\\(?:\\.\\(?:Z\\|bz2\\|gz\\|l\\(?:rz\\|z\\(?:ma\\|[4o]\\)?\\)\\|uu\\|xz\\|zst\\)\\)?\\)\\(/.*\\)\\'"
    }
    next = 0x0000000000000139
    gcaligned = '9'
  }
}



* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-04 14:33 ` Gerd Möllmann
@ 2022-10-04 16:35   ` Eli Zaretskii
  2022-10-05  4:37     ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-04 16:35 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Date: Tue, 04 Oct 2022 16:33:45 +0200
> 
> 0x00011f90d0a1 is located 1953 bytes inside of 8184-byte region [0x00011f90c900,0x00011f90e8f8)
> freed by thread T0 here:
>     #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
>     #1 0x100985df8 in rpl_free free.c:48
>     #2 0x1005b6e7c in lisp_free alloc.c:1038
>     #3 0x1005cba7c in compact_small_strings alloc.c:2191
>     #4 0x1005c9bfc in sweep_strings alloc.c:2072
>     #5 0x1005bcd00 in gc_sweep alloc.c:7397
>     #6 0x1005bae50 in garbage_collect alloc.c:6245
>     #7 0x1005ba36c in maybe_garbage_collect alloc.c:6090
>     #8 0x100650284 in maybe_gc lisp.h:5622
>     #9 0x100648cd4 in Ffuncall eval.c:2972
>     #10 0x10064b9a8 in internal_condition_case_n eval.c:1555
>     #11 0x1000cd964 in safe__call xdisp.c:3026
>     #12 0x1000cdc9c in safe__call1 xdisp.c:3062
>     #13 0x1001d60dc in prepare_menu_bars xdisp.c:13572
>     #14 0x1000f2018 in redisplay_internal xdisp.c:16523
>     #15 0x100108c0c in redisplay xdisp.c:16105
>     #16 0x10088fa44 in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8662
>     #17 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>     #18 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
>     #19 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
>     #20 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
>     #21 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
>     #22 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
>     #23 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
>     #24 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
>     #25 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
>     #26 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
>     #27 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
>     #28 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
>     #29 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)

Any idea how the above is related to the other two backtraces?  Why
don't I see 'main' at the top of the backtrace here?  Can the
sanitizer be asked to produce more than 30 backtrace frames?



* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-04 16:35   ` Eli Zaretskii
@ 2022-10-05  4:37     ` Gerd Möllmann
  2022-10-05  6:16       ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05  4:37 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Date: Tue, 04 Oct 2022 16:33:45 +0200
>> 
>> 0x00011f90d0a1 is located 1953 bytes inside of 8184-byte region [0x00011f90c900,0x00011f90e8f8)
>> freed by thread T0 here:
>>     #0 0x103332de4 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ede4)
>>     #1 0x100985df8 in rpl_free free.c:48
>>     #2 0x1005b6e7c in lisp_free alloc.c:1038
>
> Any idea how is the above related to the other two backtraces?  Why
> don't I see 'main' at the top of the backtrace here?  Can the
> sanitizer be asked to produce more than 30 backtrace frames?

The three backtraces are printed by the ASAN lib, with or without LLDB.

From top to bottom we're going into the past

1. Present = Where the problem was found with the pointer
2. Past = where the memory block was freed that the pointer is in.
3. Pre-Past = where block was allocated that is freed in (2)

I don't know why the ASAN output in (1) stops after 30 frames.  And I
don't know if the 30 can be changed.  But 30 for (2) and (3) seems
reasonable to me.  After all, this means 2 * 30 pointers must be
recorded per allocated memory block, and that's a quite noticeable
overhead, performance-wise.  30 looks like a heuristic.  More makes
programs slower, fewer is less helpful.

When running under LLDB, we stop at (1), and can see the full callstack,
if we want, starting in the ASAN lib where it signals SIGABRT, and going
up to main etc.



* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  4:37     ` Gerd Möllmann
@ 2022-10-05  6:16       ` Eli Zaretskii
  2022-10-05  6:58         ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05  6:16 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 06:37:58 +0200
> 
> From top to bottom we're going into the past
> 
> 1. Present = Where the problem was found with the pointer
> 2. Past = where the memory block was freed that the pointer is in.
> 3. Pre-Past = where block was allocated that is freed in (2)
> 
> I don't know why the ASAN output in (1) stops after 30 frames.  And I
> don't know if the 30 can be changed.  But 30 for (2) and (3) seems
> reasonable to me.  After all, this means 2 * 30 pointers must be
> recorded per allocated memory block, and that's a quite noticeable
> overhead, performance-wise.  30 looks like a heuristic.  More makes
> programs slower, fewer is less helpful.
> 
> When running under LLDB, we stop at (1), and can see the full callstack,
> if we want, starting in the ASAN lib where it signals SIGABRT, and going
> up to main etc.

Then I guess we will have to wait until LLDB folks get their act
together and fix LLDB to not crash before it provides the information
to us?  Or is it possible for you to downgrade to the previous,
working version of LLDB?

The question that we should try answering is this: what variable holds
the C pointer to the data of a Lisp string that is being relocated
and/or compacted by GC between the time the C pointer is assigned and
the time its value is dereferenced?  And I don't see how to answer
that question without understanding how redisplay was called in the
middle of what seems to be loading of a Lisp package, because none of
the items 1 and 3 show anything that could call redisplay.



* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  6:16       ` Eli Zaretskii
@ 2022-10-05  6:58         ` Gerd Möllmann
  2022-10-05  7:22           ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05  6:58 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

> Then I guess we will have to wait until LLDB folks get their act
> together and fix LLDB to not crash before it provides the information
> to us?  Or is it possible for you to downgrade to the previous,
> working version of LLDB?

I'd rather not.  If it's possible at all, I don't know, it's certainly a
lot of work.

BTW, I've submitted a bug report, as LLDB requested, because of the
uppercase PLEASE :).  Let's see if that lands anywhere.  I don't have
high hopes.

> The question that we should try answering is this: what variable holds
> the C pointer to the data of a Lisp string that is being relocated
> and/or compacted by GC between the time the C pointer is assigned and
> the time its value is dereferenced?

I think we can answer that question, at least with a good probability.
If you look what the offending (I think) pointer points to:

frame #5: 0x0000000100582044 emacs`re_match_2_internal(bufp=0x000000010111ace8, string1=0x0000000000000000, size1=0, string2="/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib", size2=78, pos=0, regs=0x0000000000000000, stop=78) at regex-emacs.c:4328:15
   4325		    DEBUG_PRINT ("EXECUTING anychar.\n");
   4326	
   4327		    PREFETCH ();
-> 4328		    buf_ch = RE_STRING_CHAR_AND_LENGTH (d, buf_charlen,
   4329							target_multibyte);
   4330		    buf_ch = TRANSLATE (buf_ch);
   4331		    if (buf_ch == '\n')
(lldb) p d
(re_char *) $285 = 0x000000011f90d0a1 "magit-section-20220901.331/puny.dylib"

That looks like part of the filename here:

frame #10: 0x0000000100503cf4 emacs`Ffind_file_name_handler(filename=(struct Lisp_String *) $318 = 0x000000011f6ec4c0, operation=(struct Lisp_Symbol *) $321 = 0x00000001010ec310) at fileio.c:324:24
   321 		    operations = Fget (handler, Qoperations);
   322 	
   323 		  if (STRINGP (string)
-> 324 		      && (match_pos = fast_string_match (string, filename)) > pos
   325 		      && (NILP (operations) || ! NILP (Fmemq (operation, operations))))
   326 		    {
   327 		      Lisp_Object tem;
(lldb) p filename
(Lisp_Object) $322 = 0x000000011f6ec4c4 (struct Lisp_String *) $324 = 0x000000011f6ec4c0
(lldb) p *$324
(struct Lisp_String) $325 = {
  u = {
    s = {
      size = 78
      size_byte = -1
      intervals = NULL
      data = 0x000000011f5d2f38 "/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib"
    }
    next = 0x000000000000004e
    gcaligned = 'N'
  }
}

So, I'd say that the filename string data has been moved somewhere else
during compaction.  Which would mean GC somehow ran between the point
where "d" in frame#5 was initially set up from the filename, and line
4328 where the problem is detected.

> I don't see how to answer
> that question without understanding how redisplay was called in the
> middle of what seems to be loading of a Lisp package, because none of
> the items 1 and 3 show anything that could call redisplay.

What I can see is that, apparently, redisplay got called because Emacs
received a MacOS event, and did a prepare_menu_bars etc etc.

How that's possible, if it is, while Emacs is in between frame#10 and
frame#5 I have not the slightest idea.  And please note that this is all
happening in the same thread T0, according to ASAN.

Maybe someone knowing the Mac port has an idea if this can happen?





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  6:58         ` Gerd Möllmann
@ 2022-10-05  7:22           ` Eli Zaretskii
  2022-10-05  7:34             ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05  7:22 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 08:58:51 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > The question that we should try answering is this: what variable holds
> > the C pointer to the data of a Lisp string that is being relocated
> > and/or compacted by GC between the time the C pointer is assigned and
> > the time its value is dereferenced?
> 
> I think we can answer that question, at least with a good probability.
> If you look what the offending (I think) pointer points to:
> 
> frame #5: 0x0000000100582044 emacs`re_match_2_internal(bufp=0x000000010111ace8, string1=0x0000000000000000, size1=0, string2="/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib", size2=78, pos=0, regs=0x0000000000000000, stop=78) at regex-emacs.c:4328:15
>    4325		    DEBUG_PRINT ("EXECUTING anychar.\n");
>    4326	
>    4327		    PREFETCH ();
> -> 4328		    buf_ch = RE_STRING_CHAR_AND_LENGTH (d, buf_charlen,
>    4329							target_multibyte);
>    4330		    buf_ch = TRANSLATE (buf_ch);
>    4331		    if (buf_ch == '\n')
> (lldb) p d
> (re_char *) $285 = 0x000000011f90d0a1 "magit-section-20220901.331/puny.dylib"
> 
> That looks like part of the filename here:
> 
> frame #10: 0x0000000100503cf4 emacs`Ffind_file_name_handler(filename=(struct Lisp_String *) $318 = 0x000000011f6ec4c0, operation=(struct Lisp_Symbol *) $321 = 0x00000001010ec310) at fileio.c:324:24
>    321 		    operations = Fget (handler, Qoperations);
>    322 	
>    323 		  if (STRINGP (string)
> -> 324 		      && (match_pos = fast_string_match (string, filename)) > pos
>    325 		      && (NILP (operations) || ! NILP (Fmemq (operation, operations))))
>    326 		    {
>    327 		      Lisp_Object tem;
> (lldb) p filename
> (Lisp_Object) $322 = 0x000000011f6ec4c4 (struct Lisp_String *) $324 = 0x000000011f6ec4c0
> (lldb) p *$324
> (struct Lisp_String) $325 = {
>   u = {
>     s = {
>       size = 78
>       size_byte = -1
>       intervals = NULL
>       data = 0x000000011f5d2f38 "/Users/gerd/.config/emacs.d.default/elpa/magit-section-20220901.331/puny.dylib"
>     }
>     next = 0x000000000000004e
>     gcaligned = 'N'
>   }
> }
> 
> So, I'd say that the filename string data has been moved somewhere else
> during compaction.  Which would mean GC somehow ran between the point
> where "d" in frame#5 was initially set up from the filename, and line
> 4328 where the problem is detected.

That part is clear, but the "GC somehow ran" part is not, and that is
the part which we must understand to fix the problem.  The filename's
SSDATA is passed to re_search as a C string, under the assumption that
GC cannot happen while re_search runs.  If that assumption is false,
we need to understand exactly how and in what cases, because without
that there's nothing we can do -- regex-emacs.c code deals explicitly
only with C strings.

IOW, this isn't the case like

  char *ptr = SSDATA (lisp_string);
  ...
  dereference (ptr);

where GC can happen as part of "...".  Those cases are easy to fix.
But this is not that case.

> > I don't see how to answer
> > that question without understanding how redisplay was called in the
> > middle of what seems to be loading of a Lisp package, because none of
> > the items 1 and 3 show anything that could call redisplay.
> 
> What I can see is that, apparently, redisplay got called because Emacs
> received a MacOS event, and did a prepare_menu_bars etc etc.

You mean, a macOS event can be received asynchronously, and will
interrupt some processing in C, like inside regex-emacs.c?  If that
can happen, no code in Emacs is safe, ever.  I don't believe this is
possible: we no longer process window-system events asynchronously,
AFAIK, and for this very reason.  But maybe macOS is different?  In
that case, either we should change the macOS code to avoid doing that,
or we should have some means of blocking such "interrupts" around
specific code fragments, akin to block_input.

> How that's possible, if it is, while Emacs is in between frame#10 and
> frame#5 I have not the slightest idea.  And please note that this is all
> happening in the same thread T0, according to ASAN.

Yes, I've seen that it's the same thread.  Having redisplay run from
another thread would be a larger disaster.

> Maybe someone knowing the Mac port has an idea if this can happen?

I hope so.

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  7:22           ` Eli Zaretskii
@ 2022-10-05  7:34             ` Gerd Möllmann
  2022-10-05  9:00               ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05  7:34 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

>> What I can see is that, apparently, redisplay got called because Emacs
>> received a MacOS event, and did a prepare_menu_bars etc etc.
>
> You mean, a macOS event can be received asynchronously, and will
> interrupt some processing in C, like inside regex-emacs.c?

If it can, I don't know.  But if the GC during redisplay is the one
moving the string, that would be the consequence, I think.

> If that can happen, no code in Emacs is safe, ever.  I don't believe
> this is possible: we no longer process window-system events
> asynchronously, AFAIK, and for this very reason.  But maybe macOS is
> different?  In that case, either we should change the macOS code to
> avoid doing that, or we should have some means of blocking such
> "interrupts" around specific code fragments, akin to block_input.

Yeah.  It would be good if that wouldn't happen ever, if it can.

If it can't happen, then the GC in redisplay that we see is not directly
related to all of this, and your question how redisplay can run while
matching is also off the table, I think.  I don't know a way how that
could happen.

But some GC must run and move strings around.  I don't know how else to
explain the invalid pointer.

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  7:34             ` Gerd Möllmann
@ 2022-10-05  9:00               ` Gerd Möllmann
  2022-10-05  9:23                 ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05  9:00 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Eli Zaretskii <eliz@gnu.org> writes:
>
>>> What I can see is that, apparently, redisplay got called because Emacs
>>> received a MacOS event, and did a prepare_menu_bars etc etc.
>>
>> You mean, a macOS event can be received asynchronously, and will
>> interrupt some processing in C, like inside regex-emacs.c?
>
> If it can, I don't know.  But if the GC during redisplay is the one
> moving the string, that would be the consequence, I think.
>
>> If that can happen, no code in Emacs is safe, ever.  I don't believe
>> this is possible: we no longer process window-system events
>> asynchronously, AFAIK, and for this very reason.  But maybe macOS is
>> different?  In that case, either we should change the macOS code to
>> avoid doing that, or we should have some means of blocking such
>> "interrupts" around specific code fragments, akin to block_input.
>
> Yeah.  It would be good if that wouldn't happen ever, if it can.

I just got another ASAN error in a branch based on master.  It looks
completely different, but I find it eye-opening for our case.  Look at
this:

==45724==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a4b04 bp 0x00016fd155e0 sp 0x00016fd155d8
READ of size 8 at 0x000107130d00 thread T0
    #0 0x1002a4b00 in PSEUDOVECTORP lisp.h:1110
    #1 0x1002a4b70 in SYMBOL_WITH_POS_P lisp.h:1122
    #2 0x10025a620 in EQ lisp.h:1342
    #3 0x100281198 in run_window_change_functions window.c:3964
    #4 0x1000f1bac in redisplay_internal xdisp.c:16600
    #5 0x100107ee0 in redisplay xdisp.c:16111
    #6 0x10089366c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
    #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
    #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
    #9 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
    #10 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
    #11 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
    #12 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
    #13 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
    #14 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
    #15 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
    #16 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
    #17 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
    #18 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
    #19 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)
    #20 0x18bd74e10 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x52c (AppKit:arm64e+0x3fe10)
    #21 0x18bd66fdc in -[NSApplication run]+0x250 (AppKit:arm64e+0x31fdc)
    #22 0x100870bd0 in -[EmacsApp run] nsterm.m:5799
    #23 0x1008c7b2c in ns_read_socket_1 nsterm.m:4679
    #24 0x1008ae550 in ns_read_socket nsterm.m:4697
    #25 0x100437394 in gobble_input keyboard.c:7379
    #26 0x100438bfc in handle_async_input keyboard.c:7610
    #27 0x100438bdc in process_pending_signals keyboard.c:7624
    #28 0x10064bd90 in probably_quit eval.c:1657
    #29 0x10065fe6c in maybe_quit lisp.h:3737
    #30 0x10066cb7c in Fmemq fns.c:1837
    #31 0x100645de8 in FletX eval.c:936

There is a path from maybe_quit to redisplay, and didn't we have
maybe_quit already in the matcher code?  Mind-boggling!

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  9:00               ` Gerd Möllmann
@ 2022-10-05  9:23                 ` Eli Zaretskii
  2022-10-05 10:14                   ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05  9:23 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 11:00:00 +0200
> 
> ==45724==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a4b04 bp 0x00016fd155e0 sp 0x00016fd155d8
> READ of size 8 at 0x000107130d00 thread T0
>     #0 0x1002a4b00 in PSEUDOVECTORP lisp.h:1110
>     #1 0x1002a4b70 in SYMBOL_WITH_POS_P lisp.h:1122
>     #2 0x10025a620 in EQ lisp.h:1342
>     #3 0x100281198 in run_window_change_functions window.c:3964
>     #4 0x1000f1bac in redisplay_internal xdisp.c:16600
>     #5 0x100107ee0 in redisplay xdisp.c:16111
>     #6 0x10089366c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
>     #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>     #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
>     #9 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
>     #10 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
>     #11 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
>     #12 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
>     #13 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
>     #14 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
>     #15 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
>     #16 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
>     #17 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
>     #18 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
>     #19 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)
>     #20 0x18bd74e10 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x52c (AppKit:arm64e+0x3fe10)
>     #21 0x18bd66fdc in -[NSApplication run]+0x250 (AppKit:arm64e+0x31fdc)
>     #22 0x100870bd0 in -[EmacsApp run] nsterm.m:5799
>     #23 0x1008c7b2c in ns_read_socket_1 nsterm.m:4679
>     #24 0x1008ae550 in ns_read_socket nsterm.m:4697
>     #25 0x100437394 in gobble_input keyboard.c:7379
>     #26 0x100438bfc in handle_async_input keyboard.c:7610
>     #27 0x100438bdc in process_pending_signals keyboard.c:7624
>     #28 0x10064bd90 in probably_quit eval.c:1657
>     #29 0x10065fe6c in maybe_quit lisp.h:3737
>     #30 0x10066cb7c in Fmemq fns.c:1837
>     #31 0x100645de8 in FletX eval.c:936
> 
> There is a path from maybe_quit to redisplay, and didn't we have
> maybe_quit already in the matcher code?  Mind-boggling!

Ouch!  This seems to be macOS-specific, though.

So I guess we should do this dance around calls to maybe_quit in
regex-emacs.c:

  specpdl_ref gc_count = inhibit_garbage_collection ();
  maybe_quit ();
  unbind_to (gc_count, Qnil);

Or maybe even better, do this inside probably_quit (because who knows
how many other callers of maybe_quit could be hit by this unexpected
GC)?

Can you try this?
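Two passages above describe the same hazard class: Eli's sketch of `char *ptr = SSDATA (lisp_string); ... dereference (ptr);` where GC may run inside the "...", and his proposed `inhibit_garbage_collection ()` / `unbind_to ()` dance around `maybe_quit` in regex-emacs.c.  The following is an added, self-contained C model of that hazard and of both fixes; it is not Emacs code, and all names in it (`toy_string`, `string_data`, `gc_compact`, `maybe_quit_toy`, `gc_inhibit_count`, `count_char`, `run_demo`) and the sample path "/tmp/puny.dylib" are constructed for the illustration.  A two-space compacting heap relocates string data on every collection and poisons the old space, so a matcher loop that caches a raw data pointer and then calls a `maybe_quit` that can collect (the redisplay -> garbage_collect path in the traces above) reads freed storage; re-fetching the pointer after the call, or inhibiting GC around it, both keep the count correct.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Two semispaces.  A collection copies every live string into the other
   space at a new offset and poisons the space it came from, which is what
   compaction does to the old storage of a relocated Lisp string. */
static char arena[2][ARENA_SIZE];
static int active_space;
static size_t bump;
static int gc_inhibit_count;   /* stands in for inhibit_garbage_collection */
static int collections;        /* how many collections actually ran */

struct toy_string { size_t len; size_t offset; };

static void toy_reset (void)
{
  memset (arena, 0, sizeof arena);
  active_space = 0; bump = 0; gc_inhibit_count = 0; collections = 0;
}

/* The analogue of SSDATA: a raw C pointer into movable string storage. */
static char *string_data (const struct toy_string *s)
{
  return arena[active_space] + s->offset;
}

static struct toy_string alloc_string (const char *src)
{
  struct toy_string s = { strlen (src), bump };
  memcpy (arena[active_space] + bump, src, s.len + 1);
  bump += s.len + 1;
  return s;
}

/* Compacting collection over the given roots; a no-op while inhibited. */
static void gc_compact (struct toy_string **roots, size_t nroots)
{
  if (gc_inhibit_count > 0)
    return;
  int from = active_space, to = 1 - from;
  size_t new_bump = 64;                /* relocate to a different offset */
  for (size_t i = 0; i < nroots; i++)
    {
      memcpy (arena[to] + new_bump, arena[from] + roots[i]->offset,
              roots[i]->len + 1);
      roots[i]->offset = new_bump;
      new_bump += roots[i]->len + 1;
    }
  memset (arena[from], '#', ARENA_SIZE);   /* poison the freed space */
  active_space = to;
  bump = new_bump;
  collections++;
}

/* Stand-in for maybe_quit: in the traces above it reached redisplay and
   from there garbage_collect, so here it simply runs a collection. */
static void maybe_quit_toy (struct toy_string **roots, size_t nroots)
{
  gc_compact (roots, nroots);
}

enum strategy { CACHE_RAW_POINTER, REFETCH_AFTER_QUIT, INHIBIT_GC_AROUND_QUIT };

/* Count occurrences of CH in S, calling maybe_quit once per character the
   way a matcher loop does.  The strategies differ only in how they protect
   the cached data pointer D across that call. */
static int count_char (struct toy_string *s, char ch, enum strategy how)
{
  struct toy_string *roots[1] = { s };
  const char *d = string_data (s);     /* the cached pointer, like "d" */
  int n = 0;
  for (size_t i = 0; i < s->len; i++)
    {
      if (how == INHIBIT_GC_AROUND_QUIT)
        gc_inhibit_count++;            /* inhibit_garbage_collection () */
      maybe_quit_toy (roots, 1);
      if (how == INHIBIT_GC_AROUND_QUIT)
        gc_inhibit_count--;            /* unbind_to (gc_count, Qnil) */
      else if (how == REFETCH_AFTER_QUIT)
        d = string_data (s);           /* the "easy" SSDATA fix */
      /* With CACHE_RAW_POINTER, D now points at poisoned storage. */
      if (d[i] == ch)
        n++;
    }
  return n;
}

/* Run one strategy on a fresh heap over a constructed sample path and
   return the number of '/' found: 2 when correct, 0 when D went stale. */
static int run_demo (enum strategy how)
{
  toy_reset ();
  struct toy_string path = alloc_string ("/tmp/puny.dylib");
  return count_char (&path, '/', how);
}

int main (void)
{
  printf ("raw pointer: %d\n", run_demo (CACHE_RAW_POINTER));
  printf ("refetch:     %d\n", run_demo (REFETCH_AFTER_QUIT));
  int inhibited = run_demo (INHIBIT_GC_AROUND_QUIT);
  printf ("inhibit GC:  %d (collections run: %d)\n", inhibited, collections);
  return 0;
}
```

The raw-pointer strategy is the one ASAN flagged in re_match_2_internal; here the poisoned bytes make the miscount visible without a sanitizer.  Re-fetching works only where the code holds a handle to the string, which is exactly what Eli notes regex-emacs.c lacks, which is why the inhibit-around-maybe_quit form is the one that fits there.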

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05  9:23                 ` Eli Zaretskii
@ 2022-10-05 10:14                   ` Gerd Möllmann
  2022-10-05 10:24                     ` Gerd Möllmann
  2022-10-05 12:59                     ` Eli Zaretskii
  0 siblings, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 10:14 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Alan Third, 58042

Eli Zaretskii <eliz@gnu.org> writes:

> So I guess we should do this dance around calls to maybe_quit in
> regex-emacs.c:
>
>   specpdl_ref gc_count = inhibit_garbage_collection ();
>   maybe_quit ();
>   unbind_to (gc_count, Qnil);
>
> Or maybe even better, do this inside probably_quit (because who knows
> how many other callers of maybe_quit could be hit by this unexpected
> GC)?
>
> Can you try this?

Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
a web search, this is an event handler method that is also called by
the framework?

In the olden days, it was a serious error to call into Lisp from an
event handler.  All bets were off when that happened, not only related
to GC.  I believe that hasn't changed much.

That code was introduced by Alan around this time.

1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
Author:     Alan Third <alan@idiocy.org>
AuthorDate: Sat Jun 12 10:25:47 2021 +0100
Commit:     Alan Third <alan@idiocy.org>
CommitDate: Sat Jul 31 11:13:05 2021 +0100

Maybe Alan can say something; I've CC'd him.

Or maybe we should add your fix, too?

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:14                   ` Gerd Möllmann
@ 2022-10-05 10:24                     ` Gerd Möllmann
  2022-10-05 10:43                       ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 10:45                       ` Gerd Möllmann
  2022-10-05 12:59                     ` Eli Zaretskii
  1 sibling, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 10:24 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Po Lu, Alan Third, 58042

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Eli Zaretskii <eliz@gnu.org> writes:
>
>> So I guess we should do this dance around calls to maybe_quit in
>> regex-emacs.c:
>>
>>   specpdl_ref gc_count = inhibit_garbage_collection ();
>>   maybe_quit ();
>>   unbind_to (gc_count, Qnil);
>>
>> Or maybe even better, do this inside probably_quit (because who knows
>> how many other callers of maybe_quit could be hit by this unexpected
>> GC)?
>>
>> Can you try this?
>
> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
> a web search, this is an event handler method that is also called by
> the framework?
>
> In the olden days, it was a serious error to call into Lisp from an
> event handler.  All bets were off when that happened, not only related
> to GC.  I believe that hasn't changed much.
>
> That code was introduced by Alan around this time.
>
> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
> Author:     Alan Third <alan@idiocy.org>
> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
> Commit:     Alan Third <alan@idiocy.org>
> CommitDate: Sat Jul 31 11:13:05 2021 +0100
>
> Maybe Alan can say something; I've CC'd him.
>
> Or maybe we should add your fix, too?

And a similar question to Po Lu because of

f81065a91be5a54b78e202df6918aff443588ae1
Author:     Po Lu <luangruo@yahoo.com>
AuthorDate: Mon May 30 16:03:11 2022 +0800
Commit:     Po Lu <luangruo@yahoo.com>
CommitDate: Mon May 30 16:03:11 2022 +0800

which added a call to redisplay to - (NSDragOperation) draggingUpdated:
(id <NSDraggingInfo>) sender.  Is that safe here?

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:24                     ` Gerd Möllmann
@ 2022-10-05 10:43                       ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 10:49                         ` Gerd Möllmann
  2023-05-08 14:01                         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 10:45                       ` Gerd Möllmann
  1 sibling, 2 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 10:43 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
>> a web search, this is an event handler method that is also called by
>> the framework?
>>
>> In the olden days, it was a serious error to call into Lisp from an
>> event handler.  All bets were off when that happened, not only related
>> to GC.  I believe that hasn't changed much.

Today, event handling code calls Lisp all the time (through safe_call
etc.)  That happens in handle_one_xevent, ns_select, et cetera.

It shouldn't affect GC at all because input is blocked for the entire
duration of each GC, except for when finalizers are run after unmarked
objects are swept.

So AFAIU it has been safe ever since read_socket_hook stopped being
called from a signal handler.

>> That code was introduced by Alan around this time.
>>
>> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
>> Author:     Alan Third <alan@idiocy.org>
>> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
>> Commit:     Alan Third <alan@idiocy.org>
>> CommitDate: Sat Jul 31 11:13:05 2021 +0100
>>
>> Maybe Alan can say something; I've CC'd him.
>>
>> Or maybe we should add your fix, too?
>
> And a similar question to Po Lu because of
>
> f81065a91be5a54b78e202df6918aff443588ae1
> Author:     Po Lu <luangruo@yahoo.com>
> AuthorDate: Mon May 30 16:03:11 2022 +0800
> Commit:     Po Lu <luangruo@yahoo.com>
> CommitDate: Mon May 30 16:03:11 2022 +0800
>
> which added a call to redisplay to - (NSDragOperation) draggingUpdated:
> (id <NSDraggingInfo>) sender.  Is that safe here?

It should be safe there since we use safe_call, as the only problem
these days is that it isn't safe to longjmp out of an NS event handler.

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:24                     ` Gerd Möllmann
  2022-10-05 10:43                       ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 10:45                       ` Gerd Möllmann
  2022-10-05 11:10                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 13:13                         ` Eli Zaretskii
  1 sibling, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 10:45 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: Po Lu, Alan Third, 58042

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>
>> Eli Zaretskii <eliz@gnu.org> writes:
>>
>>> So I guess we should do this dance around calls to maybe_quit in
>>> regex-emacs.c:
>>>
>>>   specpdl_ref gc_count = inhibit_garbage_collection ();
>>>   maybe_quit ();
>>>   unbind_to (gc_count, Qnil);
>>>
>>> Or maybe even better, do this inside probably_quit (because who knows
>>> how many other callers of maybe_quit could be hit by this unexpected
>>> GC)?
>>>
>>> Can you try this?
>>
>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
>> a web search, this is an event handler method that is also called by
>> the framework?
>>
>> In the olden days, it was a serious error to call into Lisp from an
>> event handler.  All bets were off when that happened, not only related
>> to GC.  I believe that hasn't changed much.
>>
>> That code was introduced by Alan around this time.
>>
>> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
>> Author:     Alan Third <alan@idiocy.org>
>> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
>> Commit:     Alan Third <alan@idiocy.org>
>> CommitDate: Sat Jul 31 11:13:05 2021 +0100
>>
>> Maybe Alan can say something; I've CC'd him.
>>
>> Or maybe we should add your fix, too?
>
> And a similar question to Po Lu because of
>
> f81065a91be5a54b78e202df6918aff443588ae1
> Author:     Po Lu <luangruo@yahoo.com>
> AuthorDate: Mon May 30 16:03:11 2022 +0800
> Commit:     Po Lu <luangruo@yahoo.com>
> CommitDate: Mon May 30 16:03:11 2022 +0800
>
> which added a call to redisplay to - (NSDragOperation) draggingUpdated:
> (id <NSDraggingInfo>) sender.  Is that safe here?

And an update to the second ASAN error that I could actually reproduce
by starting Emacs on my branch:

==64010==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a48d8 bp 0x00016fdcaa80 sp 0x00016fdcaa78
READ of size 8 at 0x000107130d00 thread T0
    #0 0x1002a48d4 in PSEUDOVECTORP lisp.h:1110
    #1 0x1002a4944 in SYMBOL_WITH_POS_P lisp.h:1122
    #2 0x10025a3f4 in EQ lisp.h:1342
    #3 0x100280f6c in run_window_change_functions window.c:3964
    #4 0x1000f1980 in redisplay_internal xdisp.c:16600
    #5 0x100107cb4 in redisplay xdisp.c:16111
    #6 0x10089364c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
    #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
    #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
    #9 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
    #10 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
    #11 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
    #12 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
    #13 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
    #14 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
    #15 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
    #16 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
    #17 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
    #18 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
    #19 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)
    #20 0x18bd74e10 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x52c (AppKit:arm64e+0x3fe10)
    #21 0x18bd66fdc in -[NSApplication run]+0x250 (AppKit:arm64e+0x31fdc)
    #22 0x100870bb0 in -[EmacsApp run] nsterm.m:5799
    #23 0x1008c7b0c in ns_read_socket_1 nsterm.m:4679
    #24 0x1008ae530 in ns_read_socket nsterm.m:4697
    #25 0x100437168 in gobble_input keyboard.c:7379
    #26 0x1004389d0 in handle_async_input keyboard.c:7610
    #27 0x1004389b0 in process_pending_signals keyboard.c:7624
    #28 0x100438acc in unblock_input_to keyboard.c:7639
    #29 0x100432cac in unblock_input keyboard.c:7658
    #30 0x1005ba024 in garbage_collect alloc.c:6256
    #31 0x1005b950c in maybe_garbage_collect alloc.c:6090
    #32 0x10064f6a8 in maybe_gc lisp.h:5622
    #33 0x10063fcfc in eval_sub eval.c:2388
    #34 0x100640838 in eval_sub eval.c:2449
    #35 0x10064234c in Fprogn eval.c:436
    #36 0x100654eb8 in funcall_lambda eval.c:3218
    #37 0x1006532c4 in funcall_general eval.c:2941
    #38 0x100647fcc in Ffuncall eval.c:2979
    #39 0x100651ca8 in Fapply eval.c:2650
    #40 0x10063ead8 in apply1 eval.c:2866
    #41 0x1006484bc in Fmacroexpand eval.c:1149
    #42 0x10065394c in funcall_subr eval.c:3019
    #43 0x10072e004 in exec_byte_code bytecode.c:809
    #44 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #45 0x100654994 in funcall_lambda eval.c:3138
    #46 0x10065316c in funcall_general eval.c:2929
    #47 0x100647fcc in Ffuncall eval.c:2979
    #48 0x1006fcd80 in call2 lisp.h:3302
    #49 0x1006f4ecc in readevalloop_eager_expand_eval lread.c:2151
    #50 0x1006e0b0c in readevalloop lread.c:2343
    #51 0x1006e236c in Feval_buffer lread.c:2416
    #52 0x100653d24 in funcall_subr eval.c:3025
    #53 0x10072e004 in exec_byte_code bytecode.c:809
    #54 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #55 0x100654994 in funcall_lambda eval.c:3138
    #56 0x10065316c in funcall_general eval.c:2929
    #57 0x100647fcc in Ffuncall eval.c:2979
    #58 0x1006ddfe8 in call4 lisp.h:3317
    #59 0x1006d9058 in Fload lread.c:1483
    #60 0x1006e1158 in save_match_data_load lread.c:1636
    #61 0x10064e9c8 in load_with_autoload_queue eval.c:2271
    #62 0x10067cb40 in Frequire fns.c:3308
    #63 0x100653a54 in funcall_subr eval.c:3021
    #64 0x10072e004 in exec_byte_code bytecode.c:809
    #65 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #66 0x100654994 in funcall_lambda eval.c:3138
    #67 0x10065316c in funcall_general eval.c:2929
    #68 0x100647fcc in Ffuncall eval.c:2979
    #69 0x100651ca8 in Fapply eval.c:2650
    #70 0x100654414 in funcall_subr eval.c:3044
    #71 0x10072e004 in exec_byte_code bytecode.c:809
    #72 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #73 0x100654994 in funcall_lambda eval.c:3138
    #74 0x100650834 in apply_lambda eval.c:3088
    #75 0x100641734 in eval_sub eval.c:2529
    #76 0x1006f5394 in readevalloop_eager_expand_eval lread.c:2160
    #77 0x1006e0b0c in readevalloop lread.c:2343
    #78 0x1006e236c in Feval_buffer lread.c:2416
    #79 0x100653d24 in funcall_subr eval.c:3025
    #80 0x10072e004 in exec_byte_code bytecode.c:809
    #81 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #82 0x100654994 in funcall_lambda eval.c:3138
    #83 0x10065316c in funcall_general eval.c:2929
    #84 0x100647fcc in Ffuncall eval.c:2979
    #85 0x1006ddfe8 in call4 lisp.h:3317
    #86 0x1006d9058 in Fload lread.c:1483
    #87 0x1006410e8 in eval_sub eval.c:2496
    #88 0x10064234c in Fprogn eval.c:436
    #89 0x100646c90 in Flet eval.c:1023
    #90 0x1006403e0 in eval_sub eval.c:2435
    #91 0x10064234c in Fprogn eval.c:436
    #92 0x100654eb8 in funcall_lambda eval.c:3218
    #93 0x100650834 in apply_lambda eval.c:3088
    #94 0x100641c68 in eval_sub eval.c:2572
    #95 0x1006f5394 in readevalloop_eager_expand_eval lread.c:2160
    #96 0x1006e0b0c in readevalloop lread.c:2343
    #97 0x1006e236c in Feval_buffer lread.c:2416
    #98 0x100653d24 in funcall_subr eval.c:3025
    #99 0x10072e004 in exec_byte_code bytecode.c:809
    #100 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #101 0x100654994 in funcall_lambda eval.c:3138
    #102 0x10065316c in funcall_general eval.c:2929
    #103 0x100647fcc in Ffuncall eval.c:2979
    #104 0x1006ddfe8 in call4 lisp.h:3317
    #105 0x1006d9058 in Fload lread.c:1483
    #106 0x100653d24 in funcall_subr eval.c:3025
    #107 0x10072e004 in exec_byte_code bytecode.c:809
    #108 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
    #109 0x100654994 in funcall_lambda eval.c:3138
    #110 0x100650834 in apply_lambda eval.c:3088
    #111 0x100641734 in eval_sub eval.c:2529
    #112 0x10064efb0 in Feval eval.c:2345
    #113 0x100451650 in top_level_2 keyboard.c:1141
    #114 0x10064a318 in internal_condition_case eval.c:1471
    #115 0x100451564 in top_level_1 keyboard.c:1149
    #116 0x100648aa4 in internal_catch eval.c:1194
    #117 0x100416f04 in command_loop keyboard.c:1109
    #118 0x100416994 in recursive_edit_1 keyboard.c:719
    #119 0x100417950 in Frecursive_edit keyboard.c:802
    #120 0x10040fb00 in main emacs.c:2515
    #121 0x101549088 in start+0x204 (dyld:arm64e+0x5088)

That is redisplay during garbage_collect!

The change to probably_quit didn't help.  Commenting out the call to
redisplay in the layout stuff did.

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:43                       ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 10:49                         ` Gerd Möllmann
  2022-10-05 11:10                           ` Gerd Möllmann
  2023-05-08 14:01                         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 10:49 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>
>>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
>>> a web search, this is an event handler method that is also called by
>>> the framework?
>>>
>>> In the olden days, it was a serious error to call into Lisp from an
>>> event handler.  All bets were off when that happened, not only related
>>> to GC.  I believe that hasn't changed much.
>
> Today, event handling code calls Lisp all the time (through safe_call
> etc.)  That happens in handle_one_xevent, ns_select, et cetera.
>
> It shouldn't affect GC at all because input is blocked for the entire
> duration of each GC, except for when finalizers are run after unmarked
> objects are swept.
>
> So AFAIU it has been safe ever since read_socket_hook stopped being
> called from a signal handler.
>
>>> That code was introduced by Alan around this time.
>>>
>>> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
>>> Author:     Alan Third <alan@idiocy.org>
>>> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
>>> Commit:     Alan Third <alan@idiocy.org>
>>> CommitDate: Sat Jul 31 11:13:05 2021 +0100
>>>
>>> Maybe Alan can say something, I've CC'd him.
>>>
>>> Or maybe we should add your fix, too?
>>
>> And a similar question to Po Lu because of
>>
>> f81065a91be5a54b78e202df6918aff443588ae1
>> Author:     Po Lu <luangruo@yahoo.com>
>> AuthorDate: Mon May 30 16:03:11 2022 +0800
>> Commit:     Po Lu <luangruo@yahoo.com>
>> CommitDate: Mon May 30 16:03:11 2022 +0800
>>
>> which added a call to redisplay to - (NSDragOperation) draggingUpdated:
>> (id <NSDraggingInfo>) sender.  Is that safe here?
>
> It should be safe there since we use safe_call, as the only problem
> these days is that it isn't safe to longjmp out of an NS event handler.

Ok, I can't say much to this.  But please look at my latest post.

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:45                       ` Gerd Möllmann
@ 2022-10-05 11:10                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:15                           ` Gerd Möllmann
  2022-10-05 13:39                           ` Eli Zaretskii
  2022-10-05 13:13                         ` Eli Zaretskii
  1 sibling, 2 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 11:10 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> And an update to the second ASAN error that I could actually reproduce
> by starting Emacs on my branch:
>
> ==64010==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a48d8 bp 0x00016fdcaa80 sp 0x00016fdcaa78
> READ of size 8 at 0x000107130d00 thread T0
>     #0 0x1002a48d4 in PSEUDOVECTORP lisp.h:1110
>     #1 0x1002a4944 in SYMBOL_WITH_POS_P lisp.h:1122
>     #2 0x10025a3f4 in EQ lisp.h:1342
>     #3 0x100280f6c in run_window_change_functions window.c:3964
>     #4 0x1000f1980 in redisplay_internal xdisp.c:16600
>     #5 0x100107cb4 in redisplay xdisp.c:16111
>     #6 0x10089364c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
>     #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>     #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
>     #9 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
>     #10 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
>     #11 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
>     #12 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
>     #13 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
>     #14 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
>     #15 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
>     #16 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
>     #17 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
>     #18 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
>     #19 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)
>     #20 0x18bd74e10 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x52c (AppKit:arm64e+0x3fe10)
>     #21 0x18bd66fdc in -[NSApplication run]+0x250 (AppKit:arm64e+0x31fdc)
>     #22 0x100870bb0 in -[EmacsApp run] nsterm.m:5799
>     #23 0x1008c7b0c in ns_read_socket_1 nsterm.m:4679
>     #24 0x1008ae530 in ns_read_socket nsterm.m:4697
>     #25 0x100437168 in gobble_input keyboard.c:7379
>     #26 0x1004389d0 in handle_async_input keyboard.c:7610
>     #27 0x1004389b0 in process_pending_signals keyboard.c:7624
>     #28 0x100438acc in unblock_input_to keyboard.c:7639
>     #29 0x100432cac in unblock_input keyboard.c:7658
>     #30 0x1005ba024 in garbage_collect alloc.c:6256
>     #31 0x1005b950c in maybe_garbage_collect alloc.c:6090
>     #32 0x10064f6a8 in maybe_gc lisp.h:5622
>     #33 0x10063fcfc in eval_sub eval.c:2388
>     #34 0x100640838 in eval_sub eval.c:2449
>     #35 0x10064234c in Fprogn eval.c:436
>     #36 0x100654eb8 in funcall_lambda eval.c:3218
>     #37 0x1006532c4 in funcall_general eval.c:2941
>     #38 0x100647fcc in Ffuncall eval.c:2979
>     #39 0x100651ca8 in Fapply eval.c:2650
>     #40 0x10063ead8 in apply1 eval.c:2866
>     #41 0x1006484bc in Fmacroexpand eval.c:1149
>     #42 0x10065394c in funcall_subr eval.c:3019
>     #43 0x10072e004 in exec_byte_code bytecode.c:809
>     #44 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #45 0x100654994 in funcall_lambda eval.c:3138
>     #46 0x10065316c in funcall_general eval.c:2929
>     #47 0x100647fcc in Ffuncall eval.c:2979
>     #48 0x1006fcd80 in call2 lisp.h:3302
>     #49 0x1006f4ecc in readevalloop_eager_expand_eval lread.c:2151
>     #50 0x1006e0b0c in readevalloop lread.c:2343
>     #51 0x1006e236c in Feval_buffer lread.c:2416
>     #52 0x100653d24 in funcall_subr eval.c:3025
>     #53 0x10072e004 in exec_byte_code bytecode.c:809
>     #54 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #55 0x100654994 in funcall_lambda eval.c:3138
>     #56 0x10065316c in funcall_general eval.c:2929
>     #57 0x100647fcc in Ffuncall eval.c:2979
>     #58 0x1006ddfe8 in call4 lisp.h:3317
>     #59 0x1006d9058 in Fload lread.c:1483
>     #60 0x1006e1158 in save_match_data_load lread.c:1636
>     #61 0x10064e9c8 in load_with_autoload_queue eval.c:2271
>     #62 0x10067cb40 in Frequire fns.c:3308
>     #63 0x100653a54 in funcall_subr eval.c:3021
>     #64 0x10072e004 in exec_byte_code bytecode.c:809
>     #65 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #66 0x100654994 in funcall_lambda eval.c:3138
>     #67 0x10065316c in funcall_general eval.c:2929
>     #68 0x100647fcc in Ffuncall eval.c:2979
>     #69 0x100651ca8 in Fapply eval.c:2650
>     #70 0x100654414 in funcall_subr eval.c:3044
>     #71 0x10072e004 in exec_byte_code bytecode.c:809
>     #72 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #73 0x100654994 in funcall_lambda eval.c:3138
>     #74 0x100650834 in apply_lambda eval.c:3088
>     #75 0x100641734 in eval_sub eval.c:2529
>     #76 0x1006f5394 in readevalloop_eager_expand_eval lread.c:2160
>     #77 0x1006e0b0c in readevalloop lread.c:2343
>     #78 0x1006e236c in Feval_buffer lread.c:2416
>     #79 0x100653d24 in funcall_subr eval.c:3025
>     #80 0x10072e004 in exec_byte_code bytecode.c:809
>     #81 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #82 0x100654994 in funcall_lambda eval.c:3138
>     #83 0x10065316c in funcall_general eval.c:2929
>     #84 0x100647fcc in Ffuncall eval.c:2979
>     #85 0x1006ddfe8 in call4 lisp.h:3317
>     #86 0x1006d9058 in Fload lread.c:1483
>     #87 0x1006410e8 in eval_sub eval.c:2496
>     #88 0x10064234c in Fprogn eval.c:436
>     #89 0x100646c90 in Flet eval.c:1023
>     #90 0x1006403e0 in eval_sub eval.c:2435
>     #91 0x10064234c in Fprogn eval.c:436
>     #92 0x100654eb8 in funcall_lambda eval.c:3218
>     #93 0x100650834 in apply_lambda eval.c:3088
>     #94 0x100641c68 in eval_sub eval.c:2572
>     #95 0x1006f5394 in readevalloop_eager_expand_eval lread.c:2160
>     #96 0x1006e0b0c in readevalloop lread.c:2343
>     #97 0x1006e236c in Feval_buffer lread.c:2416
>     #98 0x100653d24 in funcall_subr eval.c:3025
>     #99 0x10072e004 in exec_byte_code bytecode.c:809
>     #100 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #101 0x100654994 in funcall_lambda eval.c:3138
>     #102 0x10065316c in funcall_general eval.c:2929
>     #103 0x100647fcc in Ffuncall eval.c:2979
>     #104 0x1006ddfe8 in call4 lisp.h:3317
>     #105 0x1006d9058 in Fload lread.c:1483
>     #106 0x100653d24 in funcall_subr eval.c:3025
>     #107 0x10072e004 in exec_byte_code bytecode.c:809
>     #108 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #109 0x100654994 in funcall_lambda eval.c:3138
>     #110 0x100650834 in apply_lambda eval.c:3088
>     #111 0x100641734 in eval_sub eval.c:2529
>     #112 0x10064efb0 in Feval eval.c:2345
>     #113 0x100451650 in top_level_2 keyboard.c:1141
>     #114 0x10064a318 in internal_condition_case eval.c:1471
>     #115 0x100451564 in top_level_1 keyboard.c:1149
>     #116 0x100648aa4 in internal_catch eval.c:1194
>     #117 0x100416f04 in command_loop keyboard.c:1109
>     #118 0x100416994 in recursive_edit_1 keyboard.c:719
>     #119 0x100417950 in Frecursive_edit keyboard.c:802
>     #120 0x10040fb00 in main emacs.c:2515
>     #121 0x101549088 in start+0x204 (dyld:arm64e+0x5088)
>
> That is redisplay during garbage_collect!

Yes, but that is redisplay after the main part of garbage_collect is
over: after that unblock_input, we even run finalizers (Lisp code)
straight from garbage_collect.

I'm going to guess that window_sub_list is returning a window that was
not marked during GC.  It's a problem that also exists with my
incremental garbage collector.  Does this help?

diff --git a/src/alloc.c b/src/alloc.c
index 419c5e558b..522925d248 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
       mark_glyph_matrix (w->desired_matrix);
     }
 
+  if (w->next)
+    mark_window (w->next);
+
   /* Filter out killed buffers from both buffer lists
      in attempt to help GC to reclaim killed buffers faster.
      We can do it elsewhere for live windows, but this is the
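Review bot: `if (w->next)` tests w->next as a raw pointer, but in master w->next is a Lisp_Object (as the follow-up in this thread points out), so this hunk does not build there; the master spelling would be `if (!NILP (w->next)) mark_object (w->next);`. Calling mark_window directly also skips the already-marked check that mark_object performs and recurses once per window in the sibling chain, and since mark_vectorlike at the top of mark_window already traces every Lisp_Object slot of the window, next included, an explicit sibling mark should only be necessary in a collector where next is a struct window *.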


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:49                         ` Gerd Möllmann
@ 2022-10-05 11:10                           ` Gerd Möllmann
  2022-10-05 11:15                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 13:27                             ` Eli Zaretskii
  0 siblings, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 11:10 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Can someone please help me understand how this works?

Let's say we are in memq called for list L.  Fmemq uses FOR_EACH_TAIL,
which can call maybe_quit, which executes arbitrary Lisp, which can
modify L.  And probably similarly in another 100 places.

I don't get it.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:10                           ` Gerd Möllmann
@ 2022-10-05 11:15                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:37                               ` Gerd Möllmann
  2022-10-05 13:37                               ` Eli Zaretskii
  2022-10-05 13:27                             ` Eli Zaretskii
  1 sibling, 2 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 11:15 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Can someone please help me understand how this works?
>
> Let's say we are in memq called for list L.  Fmemq uses FOR_EACH_TAIL,
> which can call maybe_quit, which executes arbitrary Lisp, which can
> modify L.  And probably similarly in another 100 places.
>
> I don't get it.

AFAIU if it is particularly dangerous to modify L there, then input
should be blocked around Fmemq.

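The point raised in these two messages, that a traversal which polls for input at every step can have arbitrary code run underneath it unless input is blocked, is what the block_input/unblock_input counter is for: handlers are deferred and run at the outermost unblock, which is exactly where the traces earlier in this thread show redisplay entering from garbage_collect. The following is an added model of that discipline in C, written for this page; it is not Emacs code, and block_input, unblock_input, process_pending_signals, maybe_quit and handle_async_input are simplified stand-ins for the Emacs functions of the same names. The retired cell is tombstoned instead of freed so that the stale access is observable deterministically; with a real free it is the heap-use-after-free ASAN reports.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* A list cell.  `retired' stands in for free(): a real hook frees the
   cell, and touching it afterwards is the heap-use-after-free ASAN
   reports.  Keeping the memory makes the stale access observable.  */
struct cons { int car; struct cons *cdr; bool retired; };

static int interrupt_input_blocked;   /* nesting depth of block_input */
static bool pending_input;            /* an event arrived while blocked */
static int hook_runs;                 /* how often the hook actually ran */
static struct cons **list_under_walk; /* the list the hook will mutate */

/* The "arbitrary code" that handling input may run: pop the head cell,
   which is the very cell a walker may be holding.  */
static void handle_async_input (void)
{
  struct cons *head = *list_under_walk;
  hook_runs++;
  if (head) { *list_under_walk = head->cdr; head->retired = true; }
}

/* Deferred input handling runs only when nothing has input blocked.  */
static void process_pending_signals (void)
{
  if (pending_input && interrupt_input_blocked == 0)
    { pending_input = false; handle_async_input (); }
}

static void block_input (void) { interrupt_input_blocked++; }

/* The outermost unblock is where deferred work runs; in the traces in
   this thread that is where redisplay enters from garbage_collect.  */
static void unblock_input (void)
{
  assert (interrupt_input_blocked > 0);
  interrupt_input_blocked--;
  process_pending_signals ();
}

/* A polling point like maybe_quit; the simulation has an event arrive
   at every poll, and the counter decides whether it is handled now.  */
static void maybe_quit (void) { pending_input = true; process_pending_signals (); }

/* Walk *LIST, polling at each step.  Returns the number of cells
   visited, or -1 if the walker touched a retired cell.  */
static int count_cells (struct cons **list, bool block)
{
  int n = 0;
  list_under_walk = list;
  if (block) block_input ();
  for (struct cons *tail = *list; tail; tail = tail->cdr)
    {
      maybe_quit ();
      if (tail->retired) { if (block) unblock_input (); return -1; }
      n++;
    }
  if (block) unblock_input ();
  return n;
}

/* Constructed sample input: a four-cell list in static storage.  */
static struct cons cells[4];
static struct cons *make_list (void)
{
  for (int i = 0; i < 4; i++)
    cells[i] = (struct cons) { i, i + 1 < 4 ? &cells[i + 1] : NULL, false };
  interrupt_input_blocked = 0; pending_input = false; hook_runs = 0;
  return &cells[0];
}

static int list_length (struct cons *l)
{
  int n = 0;
  for (; l; l = l->cdr) n++;
  return n;
}

/* Unblocked walk: the hook runs under the first poll and retires the
   cell the walker holds, so the walk trips over it and returns -1.  */
static int unsafe_walk (void)
{
  struct cons *list = make_list ();
  return count_cells (&list, false);
}

/* Blocked walk: all four cells are visited, then the hook runs exactly
   once at unblock_input and shortens the list to three cells.  */
static int safe_walk (int *remaining, int *runs)
{
  struct cons *list = make_list ();
  int n = count_cells (&list, true);
  *remaining = list_length (list);
  *runs = hook_runs;
  return n;
}
static int safe_walk_count (void) { int r, h; return safe_walk (&r, &h); }
static int safe_walk_remaining (void) { int r, h; safe_walk (&r, &h); return r; }
static int safe_walk_runs (void) { int r, h; safe_walk (&r, &h); return h; }

int main (void)
{
  assert (unsafe_walk () == -1);
  assert (safe_walk_count () == 4);
  assert (safe_walk_remaining () == 3 && safe_walk_runs () == 1);
  return 0;
}
```

The design point is the counter rather than a boolean: nested block_input calls (a walk inside another blocked region) must not release input early, and the deferred handler must run exactly once, at the outermost unblock, rather than once per poll.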

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:10                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 11:15                           ` Gerd Möllmann
  2022-10-05 11:23                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 12:05                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 13:39                           ` Eli Zaretskii
  1 sibling, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 11:15 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

> I'm going to guess that window_sub_list is returning a window that was
> not marked during GC.  It's a problem that also exists with my
> incremental garbage collector.  Does this help?
>
> diff --git a/src/alloc.c b/src/alloc.c
> index 419c5e558b..522925d248 100644
> --- a/src/alloc.c
> +++ b/src/alloc.c
> @@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
>        mark_glyph_matrix (w->desired_matrix);
>      }
>  
> +  if (w->next)
> +    mark_window (w->next);
> +
>    /* Filter out killed buffers from both buffer lists
>       in attempt to help GC to reclaim killed buffers faster.
>       We can do it elsewhere for live windows, but this is the

Indeed, that seems to work!


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:15                           ` Gerd Möllmann
@ 2022-10-05 11:23                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:35                               ` Gerd Möllmann
                                                 ` (2 more replies)
  2022-10-05 12:05                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 3 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 11:23 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Po Lu <luangruo@yahoo.com> writes:
>
>> I'm going to guess that window_sub_list is returning a window that was
>> not marked during GC.  It's a problem that also exists with my
>> incremental garbage collector.  Does this help?
>>
>> diff --git a/src/alloc.c b/src/alloc.c
>> index 419c5e558b..522925d248 100644
>> --- a/src/alloc.c
>> +++ b/src/alloc.c
>> @@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
>>        mark_glyph_matrix (w->desired_matrix);
>>      }
>>  
>> +  if (w->next)
>> +    mark_window (w->next);
>> +
>>    /* Filter out killed buffers from both buffer lists
>>       in attempt to help GC to reclaim killed buffers faster.
>>       We can do it elsewhere for live windows, but this is the
>
> Indeed, that seems to work!

Right.  I've not had the time to investigate why unmarked windows remain
in the window tree, so I have the equivalent of that in my incremental
garbage collector.

I think there is an implicit assumption being made (for example, about a
list where all live windows are put) somewhere that is being broken, but
I haven't found where.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:23                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 11:35                               ` Gerd Möllmann
  2022-10-05 12:02                               ` Gerd Möllmann
  2022-10-05 13:40                               ` Eli Zaretskii
  2 siblings, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 11:35 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

>> Indeed, that seems to work!
>
> Right.  I've not had the time to investigate why unmarked windows remain
> in the window tree, so I have the equivalent of that in my incremental
> garbage collector.

Thanks!  At least one GC-related bug less, if you put that in.

And with Eli's proposed patch 2.  I've added that to my local branch,
but it took a long time for the re_match case to re-appear, so maybe it
should be put into master as well, so that more people test if it has
adverse effects.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:15                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 11:37                               ` Gerd Möllmann
  2022-10-05 13:37                               ` Eli Zaretskii
  1 sibling, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 11:37 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

> AFAIU if it is particularly dangerous to modify L there, then input
> should be blocked around Fmemq.

Thanks!

(I'll pretend I don't know about this in the future :-).


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:23                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:35                               ` Gerd Möllmann
@ 2022-10-05 12:02                               ` Gerd Möllmann
  2022-10-05 12:08                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 13:40                               ` Eli Zaretskii
  2 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 12:02 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>
>> Po Lu <luangruo@yahoo.com> writes:
>>
>>> I'm going to guess that window_sub_list is returning a window that was
>>> not marked during GC.  It's a problem that also exists with my
>>> incremental garbage collector.  Does this help?
>>>
>>> diff --git a/src/alloc.c b/src/alloc.c
>>> index 419c5e558b..522925d248 100644
>>> --- a/src/alloc.c
>>> +++ b/src/alloc.c
>>> @@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
>>>        mark_glyph_matrix (w->desired_matrix);
>>>      }
>>>  
>>> +  if (w->next)
>>> +    mark_window (w->next);
>>> +
>>>    /* Filter out killed buffers from both buffer lists
>>>       in attempt to help GC to reclaim killed buffers faster.
>>>       We can do it elsewhere for live windows, but this is the
>>
>> Indeed, that seems to work!

In case it matters--I didn't mention that I actually used the change
below, because w->next is a Lisp_Object in master.

diff --git a/src/alloc.c b/src/alloc.c
index 419c5e558b..826ff1dba5 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -6625,6 +6625,9 @@ mark_window (struct Lisp_Vector *ptr)
 
   mark_vectorlike (&ptr->header);
 
+  if (!NILP (w->next))
+    mark_object (w->next);
+
   /* Mark glyph matrices, if any.  Marking window
      matrices is sufficient because frame matrices
      use the same glyph memory.  */
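Review bot: the mark_vectorlike (&ptr->header) call directly above already marks every Lisp_Object slot of the window, so marking w->next again here is a no-op for any window that is reachable at all; if this addition makes the use-after-free go away, a window is being reached only through this extra edge from some other root, which points at a missing root elsewhere rather than at mark_window. Keep it as a diagnostic, not as the fix. Note also that mark_object already handles nil, so the NILP guard only saves a call.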


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:15                           ` Gerd Möllmann
  2022-10-05 11:23                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 12:05                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 12:32                               ` Gerd Möllmann
  1 sibling, 1 reply; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 12:05 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> Po Lu <luangruo@yahoo.com> writes:
>
>> I'm going to guess that window_sub_list is returning a window that was
>> not marked during GC.  It's a problem that also exists with my
>> incremental garbage collector.  Does this help?
>>
>> diff --git a/src/alloc.c b/src/alloc.c
>> index 419c5e558b..522925d248 100644
>> --- a/src/alloc.c
>> +++ b/src/alloc.c
>> @@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
>>        mark_glyph_matrix (w->desired_matrix);
>>      }
>>  
>> +  if (w->next)
>> +    mark_window (w->next);
>> +
>>    /* Filter out killed buffers from both buffer lists
>>       in attempt to help GC to reclaim killed buffers faster.
>>       We can do it elsewhere for live windows, but this is the
>
> Indeed, that seems to work!

Could you please replace that code with:

  if (!NILP (w->next)
      && !vectorlike_marked_p (&XWINDOW (w->next)->header))
    emacs_abort ();

And see if Emacs ever aborts?

I just remembered that the old garbage collector does not work the same
way as the one in my branch, so that bug shouldn't be possible.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 12:02                               ` Gerd Möllmann
@ 2022-10-05 12:08                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 0 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 12:08 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> In case it matters--I didn't mention that I actually used the change
> below, because w->next is a Lisp_Object in master.

I sent another reply to that message you should read.

w->next is struct window * in my branch, but in the ordinary garbage
collector mark_vectorlike should itself mark all fields between frame
and mode_line_help_echo.

So if that mechanism isn't working correctly, then we have a bigger
problem on hand.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 12:05                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 12:32                               ` Gerd Möllmann
  2022-10-05 12:38                                 ` Gerd Möllmann
  2022-10-05 12:48                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 2 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 12:32 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>
>> Po Lu <luangruo@yahoo.com> writes:
>>
>>> I'm going to guess that window_sub_list is returning a window that was
>>> not marked during GC.  It's a problem that also exists with my
>>> incremental garbage collector.  Does this help?
>>>
>>> diff --git a/src/alloc.c b/src/alloc.c
>>> index 419c5e558b..522925d248 100644
>>> --- a/src/alloc.c
>>> +++ b/src/alloc.c
>>> @@ -6634,6 +6634,9 @@ mark_window (struct Lisp_Vector *ptr)
>>>        mark_glyph_matrix (w->desired_matrix);
>>>      }
>>>  
>>> +  if (w->next)
>>> +    mark_window (w->next);
>>> +
>>>    /* Filter out killed buffers from both buffer lists
>>>       in attempt to help GC to reclaim killed buffers faster.
>>>       We can do it elsewhere for live windows, but this is the
>>
>> Indeed, that seems to work!
>
> Could you please replace that code with:
>
>   if (!NILP (w->next)
>       && !vectorlike_marked_p (&XWINDOW (w->next)->header))
>     emacs_abort ();
>
> And see if Emacs ever aborts?
>
> I just remembered that the old garbage collector does not work the same
> way as the one in my branch, so that bug shouldn't be possible.

With the change

diff --git a/src/alloc.c b/src/alloc.c
index 419c5e558b..4e0dd12729 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -6625,6 +6625,15 @@ mark_window (struct Lisp_Vector *ptr)
 
   mark_vectorlike (&ptr->header);
 
+#if 1
+  if (!NILP (w->next)
+      && !vectorlike_marked_p (&XWINDOW (w->next)->header))
+    emacs_abort ();
+#else
+  if (!NILP (w->next))
+    mark_object (w->next);
+#endif
+
   /* Mark glyph matrices, if any.  Marking window
      matrices is sufficient because frame matrices
      use the same glyph memory.  */
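Review bot: the `#if 1` / `#else` toggle is debugging scaffolding and must not land; pick one branch before committing. As written the abort can never fire in the standard collector, because mark_vectorlike on the line above has already traced and marked w->next by the time the check runs, which is consistent with no abort being seen. The check also only inspects the sibling chain, whereas the dangling reference the lldb session below turns up lives in the old_selected_window global, which no window slot points at, so a check here cannot catch it.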

I don't get an abort, but the ASAN error again

==67682==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a481c bp 0x00016fdcc3c0 sp 0x00016fdcc3b8
READ of size 8 at 0x000107130d00 thread T0
    #0 0x1002a4818 in PSEUDOVECTORP lisp.h:1110
    #1 0x1002a4888 in SYMBOL_WITH_POS_P lisp.h:1122
    #2 0x10025a338 in EQ lisp.h:1342
    #3 0x100280eb0 in run_window_change_functions window.c:3964
    #4 0x1000f18c4 in redisplay_internal xdisp.c:16600
    #5 0x100107bf8 in redisplay xdisp.c:16111
    #6 0x10089364c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
    #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
    #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*,
    double, double*)+0x1c0 (QuartzCore:arm6

frame #8: 0x0000000100280eb4 emacs`run_window_change_functions at window.c:3964:7
   3961		     (de-)selected as its frame's or the globally selected
   3962		     window.  */
   3963		  if (((frame_selected_change
-> 3964			&& (EQ (window, old_selected_window)
   3965			    || EQ (window, selected_window)))
   3966		       || (frame_selected_window_change
   3967			   && (EQ (window, FRAME_OLD_SELECTED_WINDOW (f))

(lldb) p window
(Lisp_Object) $18 = 0x00000001071c2935 (struct window *) $23 = 0x00000001071c2930
(lldb) p old_selected_window
(Lisp_Object) $24 = 0x0000000107130d05 (struct Lisp_Vector *) $28 = 0x0000000107130d00

old_selected_window looks strange.  It's a global that is not
staticpro'd

\o/

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 12:32                               ` Gerd Möllmann
@ 2022-10-05 12:38                                 ` Gerd Möllmann
  2022-10-05 12:49                                   ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 12:48                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 12:38 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> old_selected_window looks strange.  It's a global that is not
> staticpro'd

And with this it works again:

diff --git a/src/window.c b/src/window.c
index 12a212a85a..da80fabe33 100644
--- a/src/window.c
+++ b/src/window.c
@@ -8213,6 +8213,8 @@ init_window_once (void)
 
   minibuf_selected_window = Qnil;
   staticpro (&minibuf_selected_window);
+  old_selected_window = Qnil;
+  staticpro (&old_selected_window);
 
   pdumper_do_now_and_after_late_load (init_window_once_for_pdumper);
 }
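Review bot: staticpro here turns old_selected_window into a permanent GC root, so a window stored there stays alive, with its buffer and glyph matrices, after it has been deleted and until run_window_change_functions overwrites it; if, as the reply that follows in this thread suggests, the variable is meant to be kept in sync with FRAME_OLD_SELECTED_WINDOW and dropped when its frame goes away, the alternative fix is to reset it at that point and leave it unrooted. Either way, a comment beside the staticpro saying why this global is a root (or why it deliberately is not) would stop the next reader from asking the same question. The Qnil initialisation before staticpro is correct and matches the minibuf_selected_window lines above.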

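The failure mode found in the two messages above, a global Lisp_Object that is not registered with staticpro, so the collector never sees it, sweeps the window it refers to, and the next EQ reads freed memory, as an added toy mark-sweep collector in C. This is illustrative code written for this page, not Emacs code; staticpro, mark_object, garbage_collect, selected_window and old_selected_window are stand-ins for the Emacs names. Unreachable objects are tombstoned rather than freed so the stale reference can be inspected instead of being undefined behaviour.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* A heap object standing in for a window.  `next' is a traced edge
   (like w->next).  Unreachable objects are tombstoned instead of freed
   so a stale reference can be inspected; a real sweep returns the
   memory, and the next read of it is what ASAN reported above.  */
struct obj { struct obj *next; bool marked; bool tombstoned; struct obj *all_link; };

static struct obj *all_objects;   /* every allocation, for the sweep */
static struct obj **roots[16];    /* the root registry that staticpro fills */
static int nroots;

/* The two globals of the scenario.  */
static struct obj *selected_window;
static struct obj *old_selected_window;

/* Register a global slot as a GC root, as Emacs' staticpro does.  */
static void staticpro (struct obj **slot)
{
  assert (nroots < 16);
  roots[nroots++] = slot;
}

static struct obj *alloc_obj (void)
{
  struct obj *o = calloc (1, sizeof *o);
  assert (o);
  o->all_link = all_objects;
  all_objects = o;
  return o;
}

/* Mark phase: follow the traced edge, stopping at marked objects.  */
static void mark_object (struct obj *o)
{
  for (; o && !o->marked; o = o->next)
    o->marked = true;
}

/* Mark from every registered root, then sweep everything else.  */
static void garbage_collect (void)
{
  for (int i = 0; i < nroots; i++)
    mark_object (*roots[i]);
  for (struct obj *o = all_objects; o; o = o->all_link)
    {
      if (o->marked) o->marked = false;   /* survivor: clear for next cycle */
      else o->tombstoned = true;          /* unreachable: would be freed */
    }
}

static bool is_live (const struct obj *o) { return o && !o->tombstoned; }

static void heap_reset (void)
{
  while (all_objects)
    {
      struct obj *n = all_objects->all_link;
      free (all_objects);
      all_objects = n;
    }
  nroots = 0;
  selected_window = old_selected_window = NULL;
}

/* The thread's scenario: selected_window is a root, old_selected_window
   is a plain global holding a window nothing else references.  Returns
   whether that window is still live after a collection; EQ (window,
   old_selected_window) would read it at that point.  */
static bool old_selected_window_survives (bool register_old)
{
  heap_reset ();
  selected_window = alloc_obj ();
  old_selected_window = alloc_obj ();
  staticpro (&selected_window);
  if (register_old)
    staticpro (&old_selected_window);
  garbage_collect ();
  return is_live (old_selected_window);
}

/* Contrast: a window reachable through a traced edge from a root needs
   no root of its own, which is why marking w->next explicitly inside
   mark_window added nothing in this thread's collector.  */
static bool sibling_survives (void)
{
  heap_reset ();
  selected_window = alloc_obj ();
  selected_window->next = alloc_obj ();
  staticpro (&selected_window);
  garbage_collect ();
  return is_live (selected_window->next);
}

int main (void)
{
  assert (!old_selected_window_survives (false));   /* the bug: unrooted global */
  assert (old_selected_window_survives (true));     /* after staticpro */
  assert (sibling_survives ());
  heap_reset ();
  return 0;
}
```

The lesson carried by the first assertion is that a sweep only respects references the marker can see; a C global the marker is never told about is invisible to it, and the trace in this thread (EQ in run_window_change_functions reading a freed window through old_selected_window) is what that looks like once the freed memory is reused.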

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 12:32                               ` Gerd Möllmann
  2022-10-05 12:38                                 ` Gerd Möllmann
@ 2022-10-05 12:48                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-06  5:20                                   ` Gerd Möllmann
  1 sibling, 1 reply; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 12:48 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> I don't get an abort, but the ASAN error again

Interesting.

> ==67682==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a481c bp 0x00016fdcc3c0 sp 0x00016fdcc3b8
> READ of size 8 at 0x000107130d00 thread T0
>     #0 0x1002a4818 in PSEUDOVECTORP lisp.h:1110
>     #1 0x1002a4888 in SYMBOL_WITH_POS_P lisp.h:1122
>     #2 0x10025a338 in EQ lisp.h:1342
>     #3 0x100280eb0 in run_window_change_functions window.c:3964
>     #4 0x1000f18c4 in redisplay_internal xdisp.c:16600
>     #5 0x100107bf8 in redisplay xdisp.c:16111
>     #6 0x10089364c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
>     #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>     #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*,
>     double, double*)+0x1c0 (QuartzCore:arm6
>
> frame #8: 0x0000000100280eb4 emacs`run_window_change_functions at window.c:3964:7
>    3961		     (de-)selected as its frame's or the globally selected
>    3962		     window.  */
>    3963		  if (((frame_selected_change
> -> 3964			&& (EQ (window, old_selected_window)
>    3965			    || EQ (window, selected_window)))
>    3966		       || (frame_selected_window_change
>    3967			   && (EQ (window, FRAME_OLD_SELECTED_WINDOW (f))
>
> (lldb) p window
> (Lisp_Object) $18 = 0x00000001071c2935 (struct window *) $23 = 0x00000001071c2930
> (lldb) p old_selected_window
> (Lisp_Object) $24 = 0x0000000107130d05 (struct Lisp_Vector *) $28 = 0x0000000107130d00
>
> old_selected_window looks strange.  It's a global that is not
> staticpro'd

Isn't old_selected_window supposed to be kept in sync with
FRAME_OLD_SELECTED_WINDOW in old_selected_frame, with the latter being
removed once it is deleted?

Would someone who knows the window code well please take a look at this?


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 12:38                                 ` Gerd Möllmann
@ 2022-10-05 12:49                                   ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 0 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 12:49 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, Alan Third

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> And with this it works again:
>
> diff --git a/src/window.c b/src/window.c
> index 12a212a85a..da80fabe33 100644
> --- a/src/window.c
> +++ b/src/window.c
> @@ -8213,6 +8213,8 @@ init_window_once (void)
>  
>    minibuf_selected_window = Qnil;
>    staticpro (&minibuf_selected_window);
> +  old_selected_window = Qnil;
> +  staticpro (&old_selected_window);
>  
>    pdumper_do_now_and_after_late_load (init_window_once_for_pdumper);
>  }

Right, but please see what I said about old_selected_frame; I think it
is intentionally not staticpro'd.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:14                   ` Gerd Möllmann
  2022-10-05 10:24                     ` Gerd Möllmann
@ 2022-10-05 12:59                     ` Eli Zaretskii
  1 sibling, 0 replies; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 12:59 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: alan, 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 58042@debbugs.gnu.org, Alan Third <alan@idiocy.org>
> Date: Wed, 05 Oct 2022 12:14:04 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > So I guess we should do this dance around calls to maybe_quit in
> > regex-emacs.c:
> >
> >   specpdl_ref gc_count = inhibit_garbage_collection ();
> >   maybe_quit ();
> >   unbind_to (gc_count, Qnil);
> >
> > Or maybe even better, do this inside probably_quit (because who knows
> > how many other callers of maybe_quit could be hit by this unexpected
> > GC)?
> >
> > Can you try this?
> 
> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
> a web search, this is an event handler method that is also called
> by the framework?
> 
> In the olden days, it was a serious error to call into Lisp from an
> event handler.  All bets were off when that happened, not only related
> to GC.  I believe that hasn't changed much.
> 
> That code was introduced by Alan around this time.
> 
> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
> Author:     Alan Third <alan@idiocy.org>
> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
> Commit:     Alan Third <alan@idiocy.org>
> CommitDate: Sat Jul 31 11:13:05 2021 +0100
> 
> Maybe Alan can say something, I've CC'd him.

AFAIR, this was the best way Alan could fix display problems on
macOS.  He tried several other approaches, and all of them were worse.






^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:45                       ` Gerd Möllmann
  2022-10-05 11:10                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 13:13                         ` Eli Zaretskii
  2022-10-05 13:24                           ` Gerd Möllmann
  1 sibling, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 13:13 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: luangruo, alan, 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: Po Lu <luangruo@yahoo.com>,  Alan Third <alan@idiocy.org>,
>   58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 12:45:04 +0200
> 
> And an update to the second ASAN error that I could actually reproduce
> by starting Emacs on my branch:
> 
> ==64010==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a48d8 bp 0x00016fdcaa80 sp 0x00016fdcaa78
> READ of size 8 at 0x000107130d00 thread T0
>     #0 0x1002a48d4 in PSEUDOVECTORP lisp.h:1110
>     #1 0x1002a4944 in SYMBOL_WITH_POS_P lisp.h:1122
>     #2 0x10025a3f4 in EQ lisp.h:1342
>     #3 0x100280f6c in run_window_change_functions window.c:3964
>     #4 0x1000f1980 in redisplay_internal xdisp.c:16600
>     #5 0x100107cb4 in redisplay xdisp.c:16111
>     #6 0x10089364c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
>     #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>     #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*, double, double*)+0x1c0 (QuartzCore:arm64e+0x16d61c)
>     #9 0x19008b4c8 in CA::Transaction::commit()+0x2bc (QuartzCore:arm64e+0x24c8)
>     #10 0x18bee1698 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x12c (AppKit:arm64e+0x1ac698)
>     #11 0x18c646754 in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x3c (AppKit:arm64e+0x911754)
>     #12 0x1892101a0 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x20 (CoreFoundation:arm64e+0x841a0)
>     #13 0x18920fff0 in __CFRunLoopDoObservers+0x24c (CoreFoundation:arm64e+0x83ff0)
>     #14 0x18920f524 in __CFRunLoopRun+0x300 (CoreFoundation:arm64e+0x83524)
>     #15 0x18920ea80 in CFRunLoopRunSpecific+0x254 (CoreFoundation:arm64e+0x82a80)
>     #16 0x191e4e334 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x32334)
>     #17 0x191e4dfc0 in ReceiveNextEventCommon+0x140 (HIToolbox:arm64e+0x31fc0)
>     #18 0x191e4de64 in _BlockUntilNextEventMatchingListInModeWithFilter+0x44 (HIToolbox:arm64e+0x31e64)
>     #19 0x18bd76518 in _DPSNextEvent+0x358 (AppKit:arm64e+0x41518)
>     #20 0x18bd74e10 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x52c (AppKit:arm64e+0x3fe10)
>     #21 0x18bd66fdc in -[NSApplication run]+0x250 (AppKit:arm64e+0x31fdc)
>     #22 0x100870bb0 in -[EmacsApp run] nsterm.m:5799
>     #23 0x1008c7b0c in ns_read_socket_1 nsterm.m:4679
>     #24 0x1008ae530 in ns_read_socket nsterm.m:4697
>     #25 0x100437168 in gobble_input keyboard.c:7379
>     #26 0x1004389d0 in handle_async_input keyboard.c:7610
>     #27 0x1004389b0 in process_pending_signals keyboard.c:7624
>     #28 0x100438acc in unblock_input_to keyboard.c:7639
>     #29 0x100432cac in unblock_input keyboard.c:7658
>     #30 0x1005ba024 in garbage_collect alloc.c:6256
>     #31 0x1005b950c in maybe_garbage_collect alloc.c:6090
>     #32 0x10064f6a8 in maybe_gc lisp.h:5622
>     #33 0x10063fcfc in eval_sub eval.c:2388
>     #34 0x100640838 in eval_sub eval.c:2449
>     #35 0x10064234c in Fprogn eval.c:436
>     #36 0x100654eb8 in funcall_lambda eval.c:3218
>     #37 0x1006532c4 in funcall_general eval.c:2941
>     #38 0x100647fcc in Ffuncall eval.c:2979
>     #39 0x100651ca8 in Fapply eval.c:2650
>     #40 0x10063ead8 in apply1 eval.c:2866
>     #41 0x1006484bc in Fmacroexpand eval.c:1149
>     #42 0x10065394c in funcall_subr eval.c:3019
>     #43 0x10072e004 in exec_byte_code bytecode.c:809
>     #44 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #45 0x100654994 in funcall_lambda eval.c:3138
>     #46 0x10065316c in funcall_general eval.c:2929
>     #47 0x100647fcc in Ffuncall eval.c:2979
>     #48 0x1006fcd80 in call2 lisp.h:3302
>     #49 0x1006f4ecc in readevalloop_eager_expand_eval lread.c:2151
>     #50 0x1006e0b0c in readevalloop lread.c:2343
>     #51 0x1006e236c in Feval_buffer lread.c:2416
>     #52 0x100653d24 in funcall_subr eval.c:3025
>     #53 0x10072e004 in exec_byte_code bytecode.c:809
>     #54 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #55 0x100654994 in funcall_lambda eval.c:3138
>     #56 0x10065316c in funcall_general eval.c:2929
>     #57 0x100647fcc in Ffuncall eval.c:2979
>     #58 0x1006ddfe8 in call4 lisp.h:3317
>     #59 0x1006d9058 in Fload lread.c:1483
>     #60 0x1006e1158 in save_match_data_load lread.c:1636
>     #61 0x10064e9c8 in load_with_autoload_queue eval.c:2271
>     #62 0x10067cb40 in Frequire fns.c:3308
>     #63 0x100653a54 in funcall_subr eval.c:3021
>     #64 0x10072e004 in exec_byte_code bytecode.c:809
>     #65 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #66 0x100654994 in funcall_lambda eval.c:3138
>     #67 0x10065316c in funcall_general eval.c:2929
>     #68 0x100647fcc in Ffuncall eval.c:2979
>     #69 0x100651ca8 in Fapply eval.c:2650
>     #70 0x100654414 in funcall_subr eval.c:3044
>     #71 0x10072e004 in exec_byte_code bytecode.c:809
>     #72 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #73 0x100654994 in funcall_lambda eval.c:3138
>     #74 0x100650834 in apply_lambda eval.c:3088
>     #75 0x100641734 in eval_sub eval.c:2529
>     #76 0x1006f5394 in readevalloop_eager_expand_eval lread.c:2160
>     #77 0x1006e0b0c in readevalloop lread.c:2343
>     #78 0x1006e236c in Feval_buffer lread.c:2416
>     #79 0x100653d24 in funcall_subr eval.c:3025
>     #80 0x10072e004 in exec_byte_code bytecode.c:809
>     #81 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #82 0x100654994 in funcall_lambda eval.c:3138
>     #83 0x10065316c in funcall_general eval.c:2929
>     #84 0x100647fcc in Ffuncall eval.c:2979
>     #85 0x1006ddfe8 in call4 lisp.h:3317
>     #86 0x1006d9058 in Fload lread.c:1483
>     #87 0x1006410e8 in eval_sub eval.c:2496
>     #88 0x10064234c in Fprogn eval.c:436
>     #89 0x100646c90 in Flet eval.c:1023
>     #90 0x1006403e0 in eval_sub eval.c:2435
>     #91 0x10064234c in Fprogn eval.c:436
>     #92 0x100654eb8 in funcall_lambda eval.c:3218
>     #93 0x100650834 in apply_lambda eval.c:3088
>     #94 0x100641c68 in eval_sub eval.c:2572
>     #95 0x1006f5394 in readevalloop_eager_expand_eval lread.c:2160
>     #96 0x1006e0b0c in readevalloop lread.c:2343
>     #97 0x1006e236c in Feval_buffer lread.c:2416
>     #98 0x100653d24 in funcall_subr eval.c:3025
>     #99 0x10072e004 in exec_byte_code bytecode.c:809
>     #100 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #101 0x100654994 in funcall_lambda eval.c:3138
>     #102 0x10065316c in funcall_general eval.c:2929
>     #103 0x100647fcc in Ffuncall eval.c:2979
>     #104 0x1006ddfe8 in call4 lisp.h:3317
>     #105 0x1006d9058 in Fload lread.c:1483
>     #106 0x100653d24 in funcall_subr eval.c:3025
>     #107 0x10072e004 in exec_byte_code bytecode.c:809
>     #108 0x10065c16c in fetch_and_exec_byte_code eval.c:3066
>     #109 0x100654994 in funcall_lambda eval.c:3138
>     #110 0x100650834 in apply_lambda eval.c:3088
>     #111 0x100641734 in eval_sub eval.c:2529
>     #112 0x10064efb0 in Feval eval.c:2345
>     #113 0x100451650 in top_level_2 keyboard.c:1141
>     #114 0x10064a318 in internal_condition_case eval.c:1471
>     #115 0x100451564 in top_level_1 keyboard.c:1149
>     #116 0x100648aa4 in internal_catch eval.c:1194
>     #117 0x100416f04 in command_loop keyboard.c:1109
>     #118 0x100416994 in recursive_edit_1 keyboard.c:719
>     #119 0x100417950 in Frecursive_edit keyboard.c:802
>     #120 0x10040fb00 in main emacs.c:2515
>     #121 0x101549088 in start+0x204 (dyld:arm64e+0x5088)
> 
> That is redisplay during garbage_collect!
> 
> The change to probably_quit didn't help.  Commenting out the call to
> redisplay in the layout stuff did.

I don't think I understand what this diagnostic says.  The backtrace
tells us that Emacs performed GC, then called unblock_input, which
called gobble_input, which on NS triggers redisplay.  So far I see no
problem; do you?

Then redisplay called run_window_change_functions, which attempted to
compare some window with old_selected_window, and one of these two
(which one?) was found to be in freed heap memory?  Why?  Because one
of these two windows is not a live window anymore?  So we should
sprinkle more WINDOW_LIVE_P tests in that loop in
run_window_change_functions?

This has nothing per se to do with GC or with redisplay being run
from unblock_input; this can happen regardless of these.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:13                         ` Eli Zaretskii
@ 2022-10-05 13:24                           ` Gerd Möllmann
  0 siblings, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 13:24 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: luangruo, alan, 58042

On 22-10-05 15:13 , Eli Zaretskii wrote:
>>>
>> That is redisplay during garbage_collect!
>>
>> The change to probably_quit didn't help.  Commenting out the call to
>> redisplay in the layout stuff did.
> 
> This has nothing per se to do with GC or with redisplay being run
> from unblock_input; this can happen regardless of these.

Right, this is a different problem.  See later in the thread(s).





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:10                           ` Gerd Möllmann
  2022-10-05 11:15                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 13:27                             ` Eli Zaretskii
  2022-10-05 13:31                               ` Gerd Möllmann
  1 sibling, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 13:27 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: luangruo, alan, 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: Eli Zaretskii <eliz@gnu.org>,  58042@debbugs.gnu.org,  Alan Third
>  <alan@idiocy.org>
> Date: Wed, 05 Oct 2022 13:10:03 +0200
> 
> Can someone please help me understand how this works?
> 
> Let's say we are in memq called for list L.  Fmemq uses FOR_EACH_TAIL,
> which can call maybe_quit, which executes arbitrary Lisp, which can
> modify L.

"Arbitrary Lisp" being redisplay that calls various hooks, like
window-configuration-change-hook etc.?  IOW, this is a macOS only
thing?

Perhaps on macOS probably_quit should bind inhibit_redisplay non-zero?
I see no particular reason to trigger redisplay from maybe_quit.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:27                             ` Eli Zaretskii
@ 2022-10-05 13:31                               ` Gerd Möllmann
  2022-10-05 13:55                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-05 13:31 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: luangruo, alan, 58042

On 22-10-05 15:27 , Eli Zaretskii wrote:
>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Cc: Eli Zaretskii <eliz@gnu.org>,  58042@debbugs.gnu.org,  Alan Third
>>   <alan@idiocy.org>
>> Date: Wed, 05 Oct 2022 13:10:03 +0200
>>
>> Can someone please help me understand how this works?
>>
>> Let's say we are in memq called for list L.  Fmemq uses FOR_EACH_TAIL,
>> which can call maybe_quit, which executes arbitrary Lisp, which can
>> modify L.
> 
> "Arbitrary Lisp" being redisplay that calls various hooks, like
> window-configuration-change-hook etc.?  IOW, this is a macOS only
> thing?

I don't know.  What Po Lu said sounded to me like it isn't specific to 
macOS (safe_call in event handlers, IIRC).






^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:15                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:37                               ` Gerd Möllmann
@ 2022-10-05 13:37                               ` Eli Zaretskii
  2022-10-05 13:52                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 13:37 UTC (permalink / raw)
  To: Po Lu; +Cc: gerd.moellmann, alan, 58042

> From: Po Lu <luangruo@yahoo.com>
> Cc: Eli Zaretskii <eliz@gnu.org>,  58042@debbugs.gnu.org,  Alan Third
>  <alan@idiocy.org>
> Date: Wed, 05 Oct 2022 19:15:22 +0800
> 
> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
> 
> > Can someone please help me understand how this works?
> >
> > Let's say we are in memq called for list L.  Fmemq uses FOR_EACH_TAIL,
> > which can call maybe_quit, which executes arbitrary Lisp, which can
> > modify L.  And probably similarly in another 100 places.
> >
> > I don't get it.
> 
> AFAIU if it is particularly dangerous to modify L there, then input
> should be blocked around Fmemq.

How do you know whether it's "particularly dangerous"?

We call maybe_quit in many places, basically anywhere where we have
potentially long loops.  It isn't just Fmemq.  So if we want to
prevent maybe_quit from indirectly calling arbitrary Lisp, we'd need
to block_input inside probably_quit.  Which means
process_pending_signals will not call the read-socket hook and will
not gobble input.  That's bad, I think.

And note that this is only problematic on macOS (AFAIU), because there
the read-socket hook can trigger redisplay.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:10                         ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:15                           ` Gerd Möllmann
@ 2022-10-05 13:39                           ` Eli Zaretskii
  1 sibling, 0 replies; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 13:39 UTC (permalink / raw)
  To: Po Lu; +Cc: gerd.moellmann, alan, 58042

> From: Po Lu <luangruo@yahoo.com>
> Cc: Eli Zaretskii <eliz@gnu.org>,  Alan Third <alan@idiocy.org>,
>   58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 19:10:02 +0800
> 
> I'm going to guess that window_sub_list is returning a window that was
> not marked during GC.

Why wasn't it marked?





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 11:23                             ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 11:35                               ` Gerd Möllmann
  2022-10-05 12:02                               ` Gerd Möllmann
@ 2022-10-05 13:40                               ` Eli Zaretskii
  2022-10-05 13:53                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 13:40 UTC (permalink / raw)
  To: Po Lu; +Cc: gerd.moellmann, alan, 58042

> From: Po Lu <luangruo@yahoo.com>
> Cc: Eli Zaretskii <eliz@gnu.org>,  Alan Third <alan@idiocy.org>,
>   58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 19:23:53 +0800
> 
> >> +  if (w->next)
> >> +    mark_window (w->next);
> >> +
> >>    /* Filter out killed buffers from both buffer lists
> >>       in attempt to help GC to reclaim killed buffers faster.
> >>       We can do it elsewhere for live windows, but this is the
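Review bot: recursing on w->next here treats a missed sibling as a marking bug, but if mark_window is reached by walking the window tree from its root then every sibling is already visited by that walk, and adding the call hides the question the reply itself leaves open (why unmarked windows remain in the tree) rather than answering it. If the call is kept, walk the sibling chain in a loop instead of recursing so a frame with many side-by-side windows does not nest one stack frame per sibling, and add a comment naming the caller that fails to reach w->next.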
> >
> > Indeed, that seems to work!
> 
> Right.  I've not had the time to investigate why unmarked windows remain
> in the window tree

Maybe those windows were deleted?





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:37                               ` Eli Zaretskii
@ 2022-10-05 13:52                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 14:09                                   ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 13:52 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: gerd.moellmann, alan, 58042

Eli Zaretskii <eliz@gnu.org> writes:

> We call maybe_quit in many places, basically anywhere where we have
> potentially long loops.  It isn't just Fmemq.  So if we want to
> prevent maybe_quit from indirectly calling arbitrary Lisp, we'd need
> to block_input inside probably_quit.  Which means
> process_pending_signals will not call the read-socket hook and will
> not gobble input.  That's bad, I think.
>
> And note that this is only problematic on macOS (AFAIU), because there
> the read-socket hook can trigger redisplay.

There are many different ways to trigger redisplay from the read-socket
hook in the Haiku port as well, and I haven't seen any problems there.

Besides, any call to automatic GC today can run arbitrary Lisp through
finalizer functions, and that includes redisplay.  So unless the
read_socket_hook does not cons at all, there is no way to prevent
probably_quit from running Lisp code.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:40                               ` Eli Zaretskii
@ 2022-10-05 13:53                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 14:10                                   ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 13:53 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: gerd.moellmann, alan, 58042

Eli Zaretskii <eliz@gnu.org> writes:

> Maybe those windows were deleted?

No, it turns out to be a different problem, as Gerd found out
down-thread.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:31                               ` Gerd Möllmann
@ 2022-10-05 13:55                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 0 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 13:55 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: Eli Zaretskii, 58042, alan

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

> I don't know.  What Po Lu said sounded to me like it isn't specific to
> macOS (safe_call in event handlers, IIRC).

Yes, and there are also finalizer functions called by automatic GC.
So unless read_socket_hook does not cons at all there is no way to stop
it from running random Lisp.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:52                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 14:09                                   ` Eli Zaretskii
  2022-10-05 14:24                                     ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 14:09 UTC (permalink / raw)
  To: Po Lu; +Cc: gerd.moellmann, alan, 58042

> From: Po Lu <luangruo@yahoo.com>
> Cc: gerd.moellmann@gmail.com,  58042@debbugs.gnu.org,  alan@idiocy.org
> Date: Wed, 05 Oct 2022 21:52:52 +0800
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > We call maybe_quit in many places, basically anywhere where we have
> > potentially long loops.  It isn't just Fmemq.  So if we want to
> > prevent maybe_quit from indirectly calling arbitrary Lisp, we'd need
> > to block_input inside probably_quit.  Which means
> > process_pending_signals will not call the read-socket hook and will
> > not gobble input.  That's bad, I think.
> >
> > And note that this is only problematic on macOS (AFAIU), because there
> > the read-socket hook can trigger redisplay.
> 
> There are many different ways to trigger redisplay from the read-socket
> hook in the Haiku port as well, and I haven't seen any problems there.
> 
> Besides, any call to automatic GC today can run arbitrary Lisp through
> finalizer functions, and that includes redisplay.  So unless the
> read_socket_hook does not cons at all, there is no way to prevent
> probably_quit from running Lisp code.

That we have other loopholes doesn't mean we shouldn't be concerned
with this one.  IMO, we should plug all those loopholes one by one.

Finalizers are very rarely used (not at all in core, I believe), so
it's a small wonder we didn't see bug reports.  As for Haiku, how many
active users of it exist, and how "crazy" are the hooks they define
for redisplay to call?  If those hooks remain nil, nothing bad will
ever happen.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 13:53                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-05 14:10                                   ` Eli Zaretskii
  0 siblings, 0 replies; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-05 14:10 UTC (permalink / raw)
  To: Po Lu; +Cc: gerd.moellmann, alan, 58042

> From: Po Lu <luangruo@yahoo.com>
> Cc: gerd.moellmann@gmail.com,  alan@idiocy.org,  58042@debbugs.gnu.org
> Date: Wed, 05 Oct 2022 21:53:26 +0800
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > Maybe those windows were deleted?
> 
> No, it turns out to be a different problem, as Gerd found out
> down-thread.

Are you sure?  GC can only remove dead windows, no?





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 14:09                                   ` Eli Zaretskii
@ 2022-10-05 14:24                                     ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  0 siblings, 0 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2022-10-05 14:24 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: gerd.moellmann, alan, 58042



On October 5, 2022 10:09:09 PM GMT+08:00, Eli Zaretskii <eliz@gnu.org> wrote:

>That we have other loopholes doesn't mean we shouldn't be concerned
>with this one.  IMO, we should plug all those loopholes one by one.

Judging by how long the NS relayout code has been installed for, and how it has not actually caused problems in Fmemq, I'm inclined to wait for someone to complain about memq not working before we remove it.  I tried several months ago, and removing that call to redisplay resulted in the system refusing to resize the NS window.

The call to redisplay in the drag and drop code should not cause any problems, as that hook cannot be called from ns_read_socket.

Thanks.






^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 12:48                                 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2022-10-06  5:20                                   ` Gerd Möllmann
  0 siblings, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-06  5:20 UTC (permalink / raw)
  To: Po Lu; +Cc: Eli Zaretskii, 58042, Alan Third

Po Lu <luangruo@yahoo.com> writes:

> Gerd Möllmann <gerd.moellmann@gmail.com> writes:
>
>> I don't get an abort, but the ASAN error again
>
> Interesting.
>
>> ==67682==ERROR: AddressSanitizer: heap-use-after-free on address 0x000107130d00 at pc 0x0001002a481c bp 0x00016fdcc3c0 sp 0x00016fdcc3b8
>> READ of size 8 at 0x000107130d00 thread T0
>>     #0 0x1002a4818 in PSEUDOVECTORP lisp.h:1110
>>     #1 0x1002a4888 in SYMBOL_WITH_POS_P lisp.h:1122
>>     #2 0x10025a338 in EQ lisp.h:1342
>>     #3 0x100280eb0 in run_window_change_functions window.c:3964
>>     #4 0x1000f18c4 in redisplay_internal xdisp.c:16600
>>     #5 0x100107bf8 in redisplay xdisp.c:16111
>>     #6 0x10089364c in -[EmacsView layoutSublayersOfLayer:] nsterm.m:8661
>>     #7 0x1900a9624 in CA::Layer::layout_if_needed(CA::Transaction*)+0x224 (QuartzCore:arm64e+0x20624)
>>     #8 0x1901f661c in CA::Context::commit_transaction(CA::Transaction*,
>>     double, double*)+0x1c0 (QuartzCore:arm6
>>
>> frame #8: 0x0000000100280eb4 emacs`run_window_change_functions at window.c:3964:7
>>    3961		     (de-)selected as its frame's or the globally selected
>>    3962		     window.  */
>>    3963		  if (((frame_selected_change
>> -> 3964			&& (EQ (window, old_selected_window)
>>    3965			    || EQ (window, selected_window)))
>>    3966		       || (frame_selected_window_change
>>    3967			   && (EQ (window, FRAME_OLD_SELECTED_WINDOW (f))
>>
>> (lldb) p window
>> (Lisp_Object) $18 = 0x00000001071c2935 (struct window *) $23 = 0x00000001071c2930
>> (lldb) p old_selected_window
>> (Lisp_Object) $24 = 0x0000000107130d05 (struct Lisp_Vector *) $28 = 0x0000000107130d00
>>
>> old_selected_window looks strange.  It's a global that is not
>> staticpro'd
>
> Isn't old_selected_window supposed to be kept in sync with
> FRAME_OLD_SELECTED_WINDOW in old_selected_frame, with the latter being
> removed once it is deleted?
>
> Would someone who knows the window code well please take a look at this?

I've submitted bug#58327 for this problem, so that it won't be
forgotten.  (I'm sure I will forget it at some point, because I have
added the staticpro in my local branch.)





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-09-24 13:45 bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal Gerd Möllmann
  2022-09-24 14:17 ` Gerd Möllmann
  2022-10-04 14:33 ` Gerd Möllmann
@ 2022-10-06  5:35 ` Gerd Möllmann
  2022-10-06  6:59   ` Eli Zaretskii
  2 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-06  5:35 UTC (permalink / raw)
  To: 58042

Can we come to a decision about what to do with probably_quit, based on
what we know now?  The threads under this bug are a bit deep and
complicated, so I'd like to make this a bit more visible.

I think the problem has been analyzed to be:

1. The re_matcher uses char* pointer P into data of string S.
2. The re_matcher uses maybe_quit
3. maybe_quit can call garbage_collect
4. garbage_collect can call Lisp (finalizers, redisplay)
(4a. That Lisp can again garbage_collect)
5. One of the GCs can relocate the string data of S in step 1.
6. P is then invalid.

Possible solution:

Inhibit GC in probably_quit, so that P remains valid.

Q: Should we do that?  And if so, when?





^ permalink raw reply	[flat|nested] 65+ messages in thread
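The following is an added illustration, not Emacs code and not written by anyone in this thread, of the two failure modes discussed above: the non-staticpro'd old_selected_window global from the lldb session a few messages up, and Gerd's six-step analysis of the re_matcher pointer P held across maybe_quit. It uses a toy copying collector whose names (heap_alloc, staticpro, maybe_quit, inhibit_gc, garbage_collect) are stand-ins chosen to mirror the Emacs vocabulary; the inhibit_gc counter plays the role of the inhibit_garbage_collection()/unbind_to binding, and poisoning the evacuated space plays the role ASAN played in the reports. Emacs's collector does not copy whole objects the way this toy does; the thread's point is only that string data can be relocated by a GC reached from maybe_quit, and that is what the toy reproduces.

```c
/* Added example for bug#58042, not Emacs source.  A toy copying collector
   reproduces both hazards from this thread: (1) a global that is not
   registered as a GC root (not staticpro'd) is freed while still in use;
   (2) a raw char* into string data held across maybe_quit dangles when the
   quit check collects and moves the string.  All names are stand-ins. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE 1024
#define MAX_ROOTS 8

typedef struct Obj { size_t len; struct Obj *forward; char data[]; } Obj;

static _Alignas(8) char heap_a[HEAP_SIZE];
static _Alignas(8) char heap_b[HEAP_SIZE];
static char *from_space = heap_a, *to_space = heap_b;
static size_t bump;             /* allocation offset in from_space */
static Obj **roots[MAX_ROOTS];  /* slots registered with staticpro */
static int nroots;
static int inhibit_gc;          /* >0 blocks GC (Emacs: inhibit_garbage_collection) */

static void reset_heap(void) {
  from_space = heap_a; to_space = heap_b; bump = 0; nroots = 0; inhibit_gc = 0;
}

/* Register a global slot as a GC root. */
static void staticpro(Obj **slot) { assert(nroots < MAX_ROOTS); roots[nroots++] = slot; }

static size_t obj_size(size_t len) { return (sizeof(Obj) + len + 1 + 7) & ~(size_t)7; }

static Obj *heap_alloc(const char *s) {
  size_t len = strlen(s), need = obj_size(len);
  assert(bump + need <= HEAP_SIZE);
  Obj *o = (Obj *)(from_space + bump);
  bump += need;
  o->len = len; o->forward = NULL;
  memcpy(o->data, s, len + 1);
  return o;
}

static Obj *copy_obj(Obj *o, size_t *to_bump) {
  if (o->forward) return o->forward;          /* already moved in this GC */
  Obj *n = (Obj *)(to_space + *to_bump);
  memcpy(n, o, obj_size(o->len));
  *to_bump += obj_size(o->len);
  o->forward = n;
  return n;
}

/* Copying GC: objects reachable from registered roots move to to_space and
   the roots are updated; from_space is then poisoned with 0xDD so a stale
   pointer reads junk instead of the old bytes (the job ASAN does in Emacs).
   Globals that were never registered are neither updated nor preserved. */
static void garbage_collect(void) {
  size_t to_bump = 0;
  for (int i = 0; i < nroots; i++)
    if (*roots[i]) *roots[i] = copy_obj(*roots[i], &to_bump);
  memset(from_space, 0xDD, HEAP_SIZE);
  char *t = from_space; from_space = to_space; to_space = t;
  bump = to_bump;
}

/* Stand-in for maybe_quit: handling pending input can run Lisp, which can
   allocate and so collect.  Here it simply collects unless inhibited. */
static void maybe_quit(void) { if (!inhibit_gc) garbage_collect(); }

/* Hazard (1): only selected_window is staticpro'd.  Returns 1 if
   old_selected_window still refers to a live object after a GC, 0 if it
   now points into freed memory. */
static Obj *selected_window, *old_selected_window;

static int global_survives_gc(int staticpro_old) {
  reset_heap();
  selected_window = heap_alloc("*scratch*");
  staticpro(&selected_window);
  old_selected_window = heap_alloc("*Messages*");
  if (staticpro_old) staticpro(&old_selected_window);
  garbage_collect();
  return old_selected_window->len == strlen("*Messages*");
}

/* Hazard (2): like re_match_2_internal, walk the string through a raw
   pointer p and call maybe_quit inside the loop.  Returns the number of 'a'
   bytes, or -1 as soon as p no longer lies inside the string's current data
   (the object moved under it).  guard_gc applies the inhibit-GC pattern. */
static Obj *subject;

static int count_a_across_quit_checks(const char *text, int guard_gc) {
  reset_heap();
  subject = heap_alloc(text);
  staticpro(&subject);
  const char *p = subject->data, *end = p + subject->len;
  int n = 0;
  while (p < end) {
    if (guard_gc) inhibit_gc++;
    maybe_quit();
    if (guard_gc) inhibit_gc--;
    uintptr_t lo = (uintptr_t)subject->data, hi = lo + subject->len;
    if ((uintptr_t)p < lo || (uintptr_t)p >= hi) return -1;  /* p dangles */
    if (*p == 'a') n++;
    p++;
  }
  return n;
}

int main(void) {
  printf("old_selected_window not staticpro'd: %d, staticpro'd: %d\n",
         global_survives_gc(0), global_survives_gc(1));
  printf("matcher with GC allowed: %d, with GC inhibited: %d\n",
         count_a_across_quit_checks("banana", 0), count_a_across_quit_checks("banana", 1));
  return 0;
}
```

Compile with a C11 compiler and run: the unregistered old_selected_window reads as freed after one collection, the registered one survives, and the matcher that lets maybe_quit collect reports a dangling P on its first step while the guarded one counts the three 'a' bytes of "banana". The guard is the whole fix Gerd installed in probably_quit; it does not stop input processing, it only forbids the collector from running while a C pointer into Lisp data is live on the stack.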

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-06  5:35 ` Gerd Möllmann
@ 2022-10-06  6:59   ` Eli Zaretskii
  2022-10-06  7:21     ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-06  6:59 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Date: Thu, 06 Oct 2022 07:35:26 +0200
> 
> Can we come to a decision about what to do with probably_quit, based on
> what we know now?  The threads under this bug are a bit deep and
> complicated, so I'd like to make this a bit more visible.
> 
> I think the problem has been analyzed to be:
> 
> 1. The re_matcher uses char* pointer P into data of string S.
> 2. The re_matcher uses maybe_quit
> 3. maybe_quit can call garbage_collect
> 4. garbage_collect can call Lisp (finalizers, redisplay)
> (4a. That Lisp can again garbage_collect)
> 5. One of the GCs can relocate the string data of S in step 1.
> 6. P is then invalid.
> 
> Possible solution:
> 
> Inhibit GC in probably_quit, so that P remains valid.
> 
> Q: Should we do that?

IMO, yes.

> And if so, when?

"Now"?





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-06  6:59   ` Eli Zaretskii
@ 2022-10-06  7:21     ` Gerd Möllmann
  2022-10-06  8:08       ` Eli Zaretskii
  0 siblings, 1 reply; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-06  7:21 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

On 22-10-06 8:59 , Eli Zaretskii wrote:
>>>> Q: Should we do that?
> 
> IMO, yes.
>
>> And if so, when?
> 
> "Now"?

Done in master.  Thanks.

Not sure what to do with redisplay, or Lisp in general being called from 
event handlers.

I tend to close this bug, and submit a new one, ATM.  Maybe we should at 
least think a bit more about what the consequences of that are.  Or 
maybe not, because it seems to "work well enough", and I wouldn't know 
what to do about this anyway.

Any preferences?





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-06  7:21     ` Gerd Möllmann
@ 2022-10-06  8:08       ` Eli Zaretskii
  2022-10-06  8:23         ` Gerd Möllmann
  0 siblings, 1 reply; 65+ messages in thread
From: Eli Zaretskii @ 2022-10-06  8:08 UTC (permalink / raw)
  To: Gerd Möllmann; +Cc: 58042

> Date: Thu, 6 Oct 2022 09:21:49 +0200
> Cc: 58042@debbugs.gnu.org
> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> 
> Not sure what to do with redisplay, or Lisp in general being called from 
> event handlers.

I think the conclusion was that block_input is the solution, and
should be used where necessary.

> I tend to close this bug, and submit a new one, ATM.  Maybe we should at 
> least think a bit more about what the consequences of that are.  Or 
> maybe not, because it seems to "work well enough", and I wouldn't know 
> what to do about this anyway.
> 
> Any preferences?

A new bug or maybe even nothing.  Because we don't have any ideas for
how to solve such a bug in general.





^ permalink raw reply	[flat|nested] 65+ messages in thread

* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-06  8:08       ` Eli Zaretskii
@ 2022-10-06  8:23         ` Gerd Möllmann
  0 siblings, 0 replies; 65+ messages in thread
From: Gerd Möllmann @ 2022-10-06  8:23 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 58042

Eli Zaretskii <eliz@gnu.org> writes:

> A new bug or maybe even nothing.  Because we don't have any ideas for
> how to solve such a bug in general.

Right.  I'll close this bug then.


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2022-10-05 10:43                       ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2022-10-05 10:49                         ` Gerd Möllmann
@ 2023-05-08 14:01                         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-05-09  1:04                           ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  1 sibling, 1 reply; 65+ messages in thread
From: Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2023-05-08 14:01 UTC (permalink / raw)
  To: Po Lu; +Cc: Gerd Möllmann, Eli Zaretskii, 58042, Alan Third

>>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
>>> a web search, this is an event handler method that is also called from
>>> by the framework?
>>>
>>> In the olden days, it was a serious error to call into Lisp from an
>>> event handler.  All bets were off when that happened, not only related
>>> to GC.  I believe that hasn't changed much.
>
> Today, event handling code calls Lisp all the time (through safe_call
> etc.)  That happens in handle_one_xevent, ns_select, et cetera.

Really?

> It shouldn't affect GC at all because input is blocked for the entire
> duration of each GC, except for when finalizers are run after unmarked
> objects are swept.

The problem was not if it's run from within the GC, the problem was what
this code does when *it* runs the GC (or other state-changing functions).
[ And indeed, the fix Gerd installed was to prevent GC while running
  pending_signals.  But I suspect this is not sufficient because there
  are other forms of global state that can get messed up.  ]

In bug#62732 we have a related problem when code run from `maybe_quit`
(an atimer in that case) from the regexp engine, and that atimer
itself performs a regexp-operation, which messes up the outer regexp
engine invocation because the regexp engine is still not re-entrant (in
that bug, the problem is the `gl_state` global variable).


        Stefan
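A constructed C sketch of the re-entrancy failure Stefan describes above, added here and not code from Emacs: a scanner that keeps its position in a global (a stand-in for `gl_state`) is re-entered from a `maybe_quit`-style poll that runs a pending timer callback, and the nested call clobbers the outer scan. The names `gl_state`, `maybe_quit` and the atimer are borrowed labels for toy stand-ins, not the real Emacs implementations, and the stack-state variant is one illustrative fix, not the fix adopted for the real bug.

```c
#include <stddef.h>

/* Toy stand-in for Emacs's gl_state: the scanner keeps its position in a
   global instead of in per-call storage, so it is not re-entrant. */
static struct { const char *text; size_t pos; } gl_state;
/* Callback that a "maybe_quit"-style poll may run mid-scan (the atimer). */
static void (*pending_atimer)(void);

static void maybe_quit(void)
{
    void (*f)(void) = pending_atimer;
    pending_atimer = NULL;          /* run it once, like a fired timer */
    if (f) f();
}

/* Non-re-entrant scanner: counts bytes equal to c, polling maybe_quit
   after each step the way the regexp engine's inner loop does. */
static int count_byte_global(const char *text, char c)
{
    int n = 0;
    gl_state.text = text;
    gl_state.pos = 0;
    while (gl_state.text[gl_state.pos] != '\0') {
        if (gl_state.text[gl_state.pos] == c) n++;
        gl_state.pos++;
        maybe_quit();               /* may re-enter the scanner */
    }
    return n;
}

/* Re-entrant variant: the same loop, but the state lives on the stack. */
static int count_byte_local(const char *text, char c)
{
    int n = 0;
    size_t pos = 0;
    while (text[pos] != '\0') {
        if (text[pos] == c) n++;
        pos++;
        maybe_quit();
    }
    return n;
}

/* The atimer body performs its own scan on an unrelated, shorter string. */
static void atimer_cb(void) { count_byte_global("zz", 'z'); }

/* Constructed inputs: "aaaa" holds four 'a's.  With the timer armed, the
   nested scan leaves gl_state at the end of "zz", so the outer global-state
   scan stops early and reports 1; the stack-state scan still reports 4. */
int scan_global_undisturbed(void) { pending_atimer = NULL; return count_byte_global("aaaa", 'a'); }
int scan_global_with_timer(void) { pending_atimer = atimer_cb; return count_byte_global("aaaa", 'a'); }
int scan_local_with_timer(void) { pending_atimer = atimer_cb; return count_byte_local("aaaa", 'a'); }
```

The same pattern applies to any global the nested call touches, which is why preventing GC during pending_signals alone need not be sufficient.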


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2023-05-08 14:01                         ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2023-05-09  1:04                           ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-05-09  2:25                             ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-05-09  5:30                             ` Eli Zaretskii
  0 siblings, 2 replies; 65+ messages in thread
From: Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2023-05-09  1:04 UTC (permalink / raw)
  To: Stefan Monnier; +Cc: Gerd Möllmann, Eli Zaretskii, 58042, Alan Third

Stefan Monnier <monnier@iro.umontreal.ca> writes:

> Really?

Yes.

> The problem was not if it's run from within the GC, the problem was what
> this code does when *it* runs the GC (or other state-changing functions).
> [ And indeed, the fix Gerd installed was to prevent GC while running
>   pending_signals.  But I suspect this is not sufficient because there
>   are other forms of global state that can get messed up.  ]
>
> In bug#62732 we have a related problem when code run from `maybe_quit`
> (an atimer in that case) from the regexp engine, and that atimer
> itself performs a regexp-operation, which messes up the outer regexp
> engine invocation because the regexp engine is still not re-entrant (in
> that bug, the problem is the `gl_state` global variable).

bug#62732?  That's:

  29.0.60; uniquify-trailing-separator-p affects any buffer whose name
  matches a dir in CWD

I don't see how it's related to reentrant use of the regexp engine.
BTW, which atimer is it?


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2023-05-09  1:04                           ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2023-05-09  2:25                             ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-05-09  5:30                             ` Eli Zaretskii
  1 sibling, 0 replies; 65+ messages in thread
From: Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors @ 2023-05-09  2:25 UTC (permalink / raw)
  To: Po Lu; +Cc: Gerd Möllmann, Eli Zaretskii, 58042, Alan Third

>> Really?
> Yes.

Damn!  I thought at least `handle_one_xevent` was "ELisp-clean".

>> In bug#62732 we have a related problem when code run from `maybe_quit`
>> (an atimer in that case) from the regexp engine, and that atimer
>> itself performs a regexp-operation, which messes up the outer regexp
>> engine invocation because the regexp engine is still not re-entrant (in
>> that bug, the problem is the `gl_state` global variable).
>
> bug#62732?  That's:

Hmm... not sure how I ended up writing this.  I meant bug#63253.
Sorry 'bout that.

> I don't see how it's related to reentrant use of the regexp engine.
> BTW, which atimer is it?

The atimer for `with-delayed-message`.


        Stefan


* bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
  2023-05-09  1:04                           ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
  2023-05-09  2:25                             ` Stefan Monnier via Bug reports for GNU Emacs, the Swiss army knife of text editors
@ 2023-05-09  5:30                             ` Eli Zaretskii
  1 sibling, 0 replies; 65+ messages in thread
From: Eli Zaretskii @ 2023-05-09  5:30 UTC (permalink / raw)
  To: Po Lu; +Cc: gerd.moellmann, alan, 58042, monnier

> From: Po Lu <luangruo@yahoo.com>
> Cc: Gerd Möllmann <gerd.moellmann@gmail.com>,  Eli
>  Zaretskii <eliz@gnu.org>,
>   58042@debbugs.gnu.org,  Alan Third <alan@idiocy.org>
> Date: Tue, 09 May 2023 09:04:03 +0800
> 
> Stefan Monnier <monnier@iro.umontreal.ca> writes:
> 
> > Really?
> 
> Yes.
> 
> > The problem was not if it's run from within the GC, the problem was what
> > this code does when *it* runs the GC (or other state-changing functions).
> > [ And indeed, the fix Gerd installed was to prevent GC while running
> >   pending_signals.  But I suspect this is not sufficient because there
> >   are other forms of global state that can get messed up.  ]
> >
> > In bug#62732 we have a related problem when code run from `maybe_quit`
> > (an atimer in that case) from the regexp engine, and that atimer
> > itself performs a regexp-operation, which messes up the outer regexp
> > engine invocation because the regexp engine is still not re-entrant (in
> > that bug, the problem is the `gl_state` global variable).
> 
> bug#62732?

He meant bug#63253, I think.

