From: Gerd Möllmann
Newsgroups: gmane.emacs.bugs
Subject: bug#56095: 29.0.50; nsterm.m, use after free
Date: Sun, 19 Jun 2022 16:28:14 +0200
To: 56095@debbugs.gnu.org
So, I'm trying Emacs on macOS now, get some non-reproducible crashes, built master with ASAN, and the first thing it found is this:

==61522==ERROR: AddressSanitizer: heap-use-after-free on address 0x00012d7deb90 at pc 0x0001008c1514 bp 0x00016fdf7230 sp 0x00016fdf7228
WRITE of size 8 at 0x00012d7deb90 thread T0
==61522==WARNING: Can't read from symbolizer at fd 25
==61522==WARNING: Can't read from symbolizer at fd 26
==61522==WARNING: Can't read from symbolizer at fd 27
==61522==WARNING: Can't read from symbolizer at fd 28
==61522==WARNING: Failed to use and restart external symbolizer!
    #0 0x1008c1510 in wset_vertical_scroll_bar+0x4c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008c1510)
    #1 0x1008c19a0 in -[EmacsScroller judge]+0x360 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008c19a0)
    #2 0x1008d641c in ns_judge_scroll_bars+0x224 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1008d641c)
    #3 0x1000fa4ec in redisplay_internal+0x4ca4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000fa4ec)
    ...

0x00012d7deb90 is located 656 bytes inside of 4096-byte region [0x00012d7de900,0x00012d7df900)
freed by thread T0 here:
    #0 0x1031c7c94 in wrap_free+0x98 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fc94)
    #1 0x1009aec74 in rpl_free+0x7c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1009aec74)
    #2 0x100598488 in xfree+0x38 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598488)
    #3 0x1005bad4c in sweep_vectors+0x2f4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005bad4c)
    #4 0x1005acf58 in gc_sweep+0x20 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005acf58)
    #5 0x1005ab1a4 in garbage_collect+0x9f0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005ab1a4)
    #6 0x1005aa720 in maybe_garbage_collect+0x28 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005aa720)
    #7 0x100641714 in maybe_gc+0x54 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100641714)
    #8 0x10063a9f0 in Ffuncall+0x3c8 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10063a9f0)
    #9 0x10063d468 in internal_condition_case_n+0x1d4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10063d468)
    #10 0x1000d52b8 in safe__call+0x16a8 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d52b8)
    #11 0x1000d3b60 in safe_call+0x164 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d3b60)
    #12 0x1000d542c in safe_call1+0x28 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000d542c)
    #13 0x10019c5b8 in handle_fontified_prop+0xb04 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10019c5b8)
    #14 0x100196e0c in handle_stop+0x324 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100196e0c)
    #15 0x1001a9294 in next_element_from_buffer+0xa18 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001a9294)
    #16 0x1000a639c in get_next_display_element+0x29c (/Users/gerd/repos/emacs/src/emacs:arm64+0x1000a639c)
    #17 0x10011344c in display_line+0x1dd4 (/Users/gerd/repos/emacs/src/emacs:arm64+0x10011344c)
    #18 0x1001104e4 in try_window+0x564 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001104e4)
    #19 0x1001e6c28 in redisplay_window+0x70e0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1001e6c28)
    ...

previously allocated by thread T0 here:
    #0 0x1031c7b58 in wrap_malloc+0x94 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fb58)
    #1 0x100598138 in lmalloc+0x44 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598138)
    #2 0x100598054 in xmalloc+0x40 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100598054)
    #3 0x1005b28f4 in allocate_vector_block+0x20 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005b28f4)
    #4 0x1005b2640 in allocate_vector_from_block+0x2a0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005b2640)
    #5 0x1005a4c54 in allocate_vectorlike+0x70 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005a4c54)
    #6 0x1005a4b40 in allocate_pseudovector+0x38 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1005a4b40)
    #7 0x1002838cc in allocate_window+0x18 (/Users/gerd/repos/emacs/src/emacs:arm64+0x1002838cc)
    #8 0x100288a78 in make_parent_window+0x3c (/Users/gerd/repos/emacs/src/emacs:arm64+0x100288a78)
    #9 0x100287508 in Fsplit_window_internal+0xbc0 (/Users/gerd/repos/emacs/src/emacs:arm64+0x100287508)
    ...

That is, EmacsScroller modifies a struct window that has already been freed during a GC that was triggered during redisplay.

AFAICS, EmacsScroller is part of ns_display_info and holds a pointer to a struct window. AFAICS, nothing is marking that window during GC, so...

Sorry, no patch because I don't really know what I'm doing ;-).
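The failure pattern described in the report, as a constructed C model added here (not Emacs's code): a side structure like EmacsScroller holds a raw pointer to a GC-managed window, nothing marks it during collection, so the sweep frees the window and the next judge pass writes to freed memory; the model also shows that a marking step for the scroller's window keeps it alive. The toy allocator, the mark hook, and names such as scenario and judge_scroller are assumptions of this example.

```c
/* Simplified mark-and-sweep model of the report: a scroller keeps a raw
   pointer to a GC-managed window, nothing marks it, so the sweep frees the
   window and the next scroller pass writes to it.  Constructed, not Emacs code. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
struct window { bool marked; bool freed; int vertical_scroll_bar; };
static struct window pool[8];             /* every window the sweep walks */
static size_t n_windows;
/* Side structure modelled on EmacsScroller: a raw pointer, not a GC root. */
static struct { struct window *window; } scroller;
/* Extra marking step; NULL models the reported state (nothing marks it). */
static void (*extra_mark_hook)(void);
static struct window *allocate_window(void) {
    struct window *w = &pool[n_windows++];
    memset(w, 0, sizeof *w);
    return w;
}
/* The missing step: keep the scroller's window alive across a GC. */
static void mark_scroller_window(void) {
    if (scroller.window) scroller.window->marked = true;
}
/* Mark from the root set (plus the hook), then sweep.  The sweep only flags a
   window as freed, so a later access is detectable instead of undefined. */
static void garbage_collect(struct window **roots, size_t n_roots) {
    for (size_t i = 0; i < n_roots; i++) roots[i]->marked = true;
    if (extra_mark_hook) extra_mark_hook();
    for (size_t i = 0; i < n_windows; i++) {
        if (!pool[i].marked) pool[i].freed = true;
        pool[i].marked = false;            /* reset for the next cycle */
    }
}
/* Models -[EmacsScroller judge] calling wset_vertical_scroll_bar: refuses
   the write and returns false if the window was already swept. */
static bool judge_scroller(void) {
    if (scroller.window->freed) return false;
    scroller.window->vertical_scroll_bar = 0;
    return true;
}
/* Scenario from the report: a window referenced only by the scroller, then
   a GC during redisplay.  Returns false when the write would hit freed memory. */
bool scenario(bool with_mark_hook) {
    n_windows = 0;
    extra_mark_hook = with_mark_hook ? mark_scroller_window : NULL;
    struct window *root = allocate_window();   /* still reachable from Lisp */
    scroller.window = allocate_window();       /* reachable only via scroller */
    struct window *roots[] = { root };
    garbage_collect(roots, 1);
    return judge_scroller();
}
```

Without the marking step the scroller's window is swept and the write is refused; with it the window survives the collection.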