From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs
Date: Fri, 07 Oct 2022 10:03:50 +0300
Message-ID: <83v8ownmi1.fsf@gnu.org>
References: <87mta8qx48.fsf@yahoo.com>
To: Po Lu
Cc: gerd.moellmann@gmail.com, 58334@debbugs.gnu.org
Xref: news.gmane.io gmane.emacs.bugs:244734

> Cc: 58334@debbugs.gnu.org
> Date: Fri, 07 Oct 2022 08:46:15 +0800
> From: Po Lu via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
>
> Gerd Möllmann writes:
>
> >     #0 0x1033f2ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
> >     #1 0x1005af4f4 in lmalloc alloc.c:1361
> >     #2 0x1005af40c in xmalloc alloc.c:751
> >     #3 0x1003f92b4 in make_realized_face xfaces.c:4471
> >     #4 0x1003f5c00 in realize_gui_face xfaces.c:6023
> >     #5 0x1003e4000 in realize_face xfaces.c:5954
> > [...]
> >     #14 0x1005592d8 in Fvertical_motion indent.c:2241
>
> I'm pretty sure the right fix is to block input around realize_face and
> Fvertical_motion, since that code is clearly not reentrant.

Why isn't Fvertical_motion reentrant?

Anyway, the problem is not that realize_face was interrupted; the problem is that the face realized above was later freed as a side effect of calling redisplay.  And the display code (which is invoked by Fvertical_motion) almost everywhere assumes that FACE_FROM_ID will never yield a freed face: it just returns FRAME_FACE_CACHE (f)->faces_by_id[id] without checking whether ID is beyond the limit of the frame's current face cache.  The assertion there is not compiled in a production build.  (Gerd, was your build with --enable-checking?)

So if the frame's face cache can be freed like that as a side effect of maybe_quit, we'll have to introduce cache checking into FACE_FROM_ID, and if the ID is not in the cache do whatever it takes to correct the situation.

IOW, I don't see how block_input anywhere can solve this particular problem.
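The lookup pattern Eli describes, as an added example that is not part of the message or of Emacs' source: a toy face cache whose entries are indexed by id, an unchecked lookup in the shape of FACE_FROM_ID (its range assertion exists only when ENABLE_CHECKING is defined, mirroring a --enable-checking build), a checked lookup that reports a stale id instead of indexing past `used`, and a caller that re-realizes the face when the id is no longer backed by a live entry. The struct layouts, the function names (borrowed from the trace for readability) and the foreground values are all this example's own assumptions.

```c
/* Added example: toy model of an id-indexed face cache.  Not Emacs' own
   struct face_cache, realize_face or FACE_FROM_ID; names are borrowed only
   so the scenario reads like the stack trace above. */
#include <assert.h>
#include <stdlib.h>
#include <stddef.h>

struct face {                   /* stands in for a realized face */
    int id;
    unsigned long foreground;
};

struct face_cache {             /* stands in for a frame's face cache */
    struct face **faces_by_id;  /* slot i holds the face with id i, or NULL */
    ptrdiff_t used;             /* number of live entries */
    ptrdiff_t size;             /* allocated slots, >= used */
};

static struct face_cache *make_face_cache(void)
{
    struct face_cache *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->size = 2;
    c->faces_by_id = calloc((size_t) c->size, sizeof *c->faces_by_id);
    if (!c->faces_by_id) abort();
    return c;
}

/* Realize a face (assumed: only a foreground) and return its id. */
static int realize_face(struct face_cache *c, unsigned long fg)
{
    if (c->used == c->size) {
        c->size *= 2;
        c->faces_by_id = realloc(c->faces_by_id,
                                 (size_t) c->size * sizeof *c->faces_by_id);
        if (!c->faces_by_id) abort();
    }
    struct face *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->id = (int) c->used;
    f->foreground = fg;
    c->faces_by_id[c->used] = f;
    return (int) c->used++;
}

/* What redisplay may do as a side effect: every realized face goes away
   and `used' drops to zero, but ids handed out earlier are still held by
   callers. */
static void free_realized_faces(struct face_cache *c)
{
    for (ptrdiff_t i = 0; i < c->used; i++) {
        free(c->faces_by_id[i]);
        c->faces_by_id[i] = NULL;
    }
    c->used = 0;
}

static void free_face_cache(struct face_cache *c)
{
    free_realized_faces(c);
    free(c->faces_by_id);
    free(c);
}

/* Shape of the unchecked lookup: the range check is an assertion that a
   production build compiles out, so a stale id silently reads the slot. */
static struct face *face_from_id_unchecked(const struct face_cache *c, int id)
{
#ifdef ENABLE_CHECKING
    assert(0 <= id && id < c->used);
#endif
    return c->faces_by_id[id];
}

/* Checked lookup: NULL whenever the id is not backed by a live face. */
static struct face *face_from_id_checked(const struct face_cache *c, int id)
{
    if (id < 0 || id >= c->used)
        return NULL;
    return c->faces_by_id[id];
}

/* Caller that corrects the situation: re-realize when the cached face is
   gone, updating the id it holds. */
static unsigned long face_foreground(struct face_cache *c, int *id, unsigned long fg)
{
    struct face *f = face_from_id_checked(c, *id);
    if (f == NULL) {
        *id = realize_face(c, fg);
        f = face_from_id_checked(c, *id);
    }
    return f->foreground;
}

/* The sequence from the report: realize, cache flushed as a side effect,
   old id used afterwards.  Returns 1 if the checked path recovered. */
static int scenario(void)
{
    struct face_cache *c = make_face_cache();
    int id = realize_face(c, 0xff0000UL);
    free_realized_faces(c);                         /* redisplay side effect */
    struct face *stale = face_from_id_unchecked(c, id); /* no diagnostic */
    int stale_seen = (stale == NULL);               /* freed pointer in a real cache */
    unsigned long fg = face_foreground(c, &id, 0xff0000UL);
    int ok = stale_seen && fg == 0xff0000UL && c->used == 1 && id == 0;
    free_face_cache(c);
    return ok;
}

int main(void)
{
    return scenario() ? 0 : 1;
}
```

In this toy the flushed slot is NULL, so the unchecked read yields a null pointer; in a cache that recycles or reallocates its storage the same read returns a dangling pointer, which is what ASAN reports as a heap use after free. Compiling with -DENABLE_CHECKING turns the unchecked lookup into an assertion failure at the stale read, which is the diagnostic a production build lacks.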