From: "Gerd Möllmann" <gerd.moellmann@gmail.com>
To: 56095@debbugs.gnu.org
Subject: bug#56095: 29.0.50; nsterm.m, use after free
Date: Sun, 19 Jun 2022 16:28:14 +0200 [thread overview]
Message-ID: <m2wndciv7l.fsf@Mini.fritz.box> (raw)
So, I'm trying Emacs on MacOS now and get some non-reproducible
crashes. I built master with ASAN, and the first thing it found is this:
==61522==ERROR: AddressSanitizer: heap-use-after-free on address 0x00012d7deb90 at pc 0x0001008c1514 bp 0x00016fdf7230 sp 0x00016fdf7228
WRITE of size 8 at 0x00012d7deb90 thread T0
==61522==WARNING: Can't read from symbolizer at fd 25
==61522==WARNING: Can't read from symbolizer at fd 26
==61522==WARNING: Can't read from symbolizer at fd 27
==61522==WARNING: Can't read from symbolizer at fd 28
==61522==WARNING: Failed to use and restart external symbolizer!
#0 0x1008c1510 in wset_vertical_scroll_bar+0x4c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008c1510)
#1 0x1008c19a0 in -[EmacsScroller judge]+0x360 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008c19a0)
#2 0x1008d641c in ns_judge_scroll_bars+0x224 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008d641c)
#3 0x1000fa4ec in redisplay_internal+0x4ca4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000fa4ec)
...
0x00012d7deb90 is located 656 bytes inside of 4096-byte region [0x00012d7de900,0x00012d7df900)
freed by thread T0 here:
#0 0x1031c7c94 in wrap_free+0x98 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fc94)
#1 0x1009aec74 in rpl_free+0x7c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1009aec74)
#2 0x100598488 in xfree+0x38 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598488)
#3 0x1005bad4c in sweep_vectors+0x2f4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005bad4c)
#4 0x1005acf58 in gc_sweep+0x20 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005acf58)
#5 0x1005ab1a4 in garbage_collect+0x9f0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005ab1a4)
#6 0x1005aa720 in maybe_garbage_collect+0x28 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005aa720)
#7 0x100641714 in maybe_gc+0x54 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100641714)
#8 0x10063a9f0 in Ffuncall+0x3c8 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10063a9f0)
#9 0x10063d468 in internal_condition_case_n+0x1d4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10063d468)
#10 0x1000d52b8 in safe__call+0x16a8 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d52b8)
#11 0x1000d3b60 in safe_call+0x164 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d3b60)
#12 0x1000d542c in safe_call1+0x28 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d542c)
#13 0x10019c5b8 in handle_fontified_prop+0xb04 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10019c5b8)
#14 0x100196e0c in handle_stop+0x324 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100196e0c)
#15 0x1001a9294 in next_element_from_buffer+0xa18 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001a9294)
#16 0x1000a639c in get_next_display_element+0x29c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000a639c)
#17 0x10011344c in display_line+0x1dd4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10011344c)
#18 0x1001104e4 in try_window+0x564 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001104e4)
#19 0x1001e6c28 in redisplay_window+0x70e0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001e6c28)
...
previously allocated by thread T0 here:
#0 0x1031c7b58 in wrap_malloc+0x94 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fb58)
#1 0x100598138 in lmalloc+0x44 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598138)
#2 0x100598054 in xmalloc+0x40 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598054)
#3 0x1005b28f4 in allocate_vector_block+0x20 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005b28f4)
#4 0x1005b2640 in allocate_vector_from_block+0x2a0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005b2640)
#5 0x1005a4c54 in allocate_vectorlike+0x70 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005a4c54)
#6 0x1005a4b40 in allocate_pseudovector+0x38 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005a4b40)
#7 0x1002838cc in allocate_window+0x18 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1002838cc)
#8 0x100288a78 in make_parent_window+0x3c (/Users/gerd/repos/emacs/src/emacs:arm64+0x100288a78)
#9 0x100287508 in Fsplit_window_internal+0xbc0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100287508)
...
That is, EmacsScroller modifies a struct window that has already been
freed during a GC that was triggered during redisplay.
AFAICS, EmacsScroller is part of ns_display_info and holds a pointer to a
struct window. AFAICS, nothing is marking that window during GC, so...
Sorry, no patch because I don't really know what I'm doing ;-).
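The pattern the report describes, as an added example that is not Emacs code: a toy mark-and-sweep collector with an explicit root set, and a native-side holder (standing in for EmacsScroller) that keeps a raw pointer to a collected object while being invisible to the collector. The first scenario reproduces the write-after-free; the second shows one remedy, making the holder's referent reachable so it is marked. All names here (obj, scroller, scroller_judge, gc_add_root) and the quarantine-instead-of-free trick are this example's own assumptions, and it says nothing about how bug#56095 was actually fixed.

```c
#include <stdlib.h>

/* Toy mark-and-sweep heap standing in for Emacs's vector allocator.
   Swept objects are quarantined instead of handed back to free(), so a
   write through a stale pointer is observable (the job ASAN does for the
   real build) rather than undefined behaviour. */
typedef struct obj {
    struct obj *next;   /* all-objects or quarantine list, walked by sweep */
    struct obj *child;  /* one traced reference, e.g. parent window -> child */
    int marked;
    int freed;          /* set when swept */
    long payload;       /* the slot the holder writes, like a scroll bar field */
} obj;

static obj *all_objects;
static obj *quarantine;

#define MAX_ROOTS 16
static obj *roots[MAX_ROOTS];   /* explicit root set; unreachable == garbage */
static int nroots;

static void heap_reset(void) {
    obj *o, *n;
    for (o = all_objects; o; o = n) { n = o->next; free(o); }
    for (o = quarantine; o; o = n) { n = o->next; free(o); }
    all_objects = quarantine = NULL;
    nroots = 0;
}

static obj *obj_new(void) {
    obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->next = all_objects;
    all_objects = o;
    return o;
}

static void gc_add_root(obj *o) {
    if (nroots < MAX_ROOTS) roots[nroots++] = o;
}

/* Mark phase: follow child links from a root. */
static void gc_mark(obj *o) {
    while (o && !o->marked) { o->marked = 1; o = o->child; }
}

/* Sweep phase: unmarked objects are "freed" (quarantined); returns how many. */
static int gc_sweep(void) {
    int swept = 0;
    obj **pp = &all_objects;
    while (*pp) {
        obj *o = *pp;
        if (o->marked) { o->marked = 0; pp = &o->next; continue; }
        *pp = o->next;
        o->freed = 1;
        o->next = quarantine;
        quarantine = o;
        swept++;
    }
    return swept;
}

static int gc_collect(void) {
    for (int i = 0; i < nroots; i++) gc_mark(roots[i]);
    return gc_sweep();
}

/* Native-side holder, the role EmacsScroller plays in the report: a plain C
   struct with a raw pointer into the GC heap that the collector never sees. */
typedef struct scroller { obj *window; } scroller;

/* The store the report caught in wset_vertical_scroll_bar. Returns 1 if it
   landed on a swept object (what ASAN reports as heap-use-after-free). */
static int scroller_judge(scroller *s, long value) {
    int uaf = s->window->freed;
    s->window->payload = value;
    return uaf;
}

/* Report's shape: parent window rooted, child window referenced only from the
   parent and the scroller; child is unlinked, GC runs, scroller writes. */
int scenario_unrooted_holder(void) {
    heap_reset();
    obj *parent = obj_new();
    obj *child = obj_new();
    parent->child = child;
    gc_add_root(parent);            /* say, the frame's root window */
    scroller s = { child };
    parent->child = NULL;           /* window removed from the tree */
    gc_collect();                   /* nothing marks child: it is swept */
    return scroller_judge(&s, 42);  /* 1: write after free */
}

/* One remedy (hypothetical, not the actual fix): whatever owns the holder
   marks its referent during GC; modelled here by rooting it. */
int scenario_marked_holder(void) {
    heap_reset();
    obj *parent = obj_new();
    obj *child = obj_new();
    parent->child = child;
    gc_add_root(parent);
    scroller s = { child };
    gc_add_root(s.window);          /* holder's referent is now reachable */
    parent->child = NULL;
    gc_collect();
    return scroller_judge(&s, 42);  /* 0: object survived the sweep */
}
```

The quarantine list is what makes the stale write testable without relying on undefined behaviour; in a real allocator the same store would corrupt whatever malloc handed out next, which is exactly why the report's crashes were non-reproducible until ASAN poisoned the freed region.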
Thread overview: 15+ messages
2022-06-19 14:28 Gerd Möllmann [this message]
2022-06-20 1:22 ` bug#56095: 29.0.50; nsterm.m, use after free Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2022-06-20 6:02 ` Gerd Möllmann
2022-06-20 10:21 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2022-06-21 14:25 ` Gerd Möllmann
2022-06-21 15:43 ` Eli Zaretskii
2022-06-22 5:26 ` Gerd Möllmann
2022-06-22 9:19 ` Gerd Möllmann
2022-06-22 13:21 ` Eli Zaretskii
2022-06-22 13:43 ` Gerd Möllmann
2022-06-22 1:30 ` Po Lu via Bug reports for GNU Emacs, the Swiss army knife of text editors
2022-06-22 13:53 ` Eli Zaretskii
2022-06-22 14:15 ` Gerd Möllmann
2022-06-22 16:14 ` Eli Zaretskii
[not found] <27290ad8-4f51-41e5-9317-46e4b3c5dd6c@Spark>
2022-06-19 17:32 ` bug#56095: Patch Gerd Möllmann
2022-06-19 22:51 ` bug#56095: 29.0.50; nsterm.m, use after free Lars Ingebrigtsen
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git