From: Po Lu
Newsgroups: gmane.emacs.bugs
Subject: bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs
Date: Fri, 07 Oct 2022 08:46:15 +0800
Message-ID: <87mta8qx48.fsf@yahoo.com>
To: Gerd Möllmann
Cc: 58334@debbugs.gnu.org
Gerd Möllmann writes:

> #0 0x1033f2ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
> #1 0x1005af4f4 in lmalloc alloc.c:1361
> #2 0x1005af40c in xmalloc alloc.c:751
> #3 0x1003f92b4 in make_realized_face xfaces.c:4471
> #4 0x1003f5c00 in realize_gui_face xfaces.c:6023
> #5 0x1003e4000 in realize_face xfaces.c:5954
[...]
> #14 0x1005592d8 in Fvertical_motion indent.c:2241

I'm pretty sure the right fix is to block input around realize_face and
Fvertical_motion, since that code is clearly not reentrant.

> The problem here, it seems to me, is that the redisplay done in
> -[EmacsView layoutSublayersOfLayer:] nsterm.m:8675, frees realized faces
> at a moment that the code cannot expect.

Also, how come layoutSublayersOfLayer is called so often? AFAIU it's only
there to coax the system into actually resizing Emacs while the system
blocks the input loop from returning control to Emacs, which should only
happen during drag-to-resize.
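As an added illustration of the reentrancy problem the trace points at (a constructed C model, not Emacs code; the names face, cache, block_input, nested_redisplay, make_realized_face and produce_glyphs are assumptions standing in for the real routines): a nested redisplay frees the realized faces while an outer caller still holds one, and a block_input-style depth counter defers that nested work until the outer caller is done.

```c
#include <stdlib.h>
/* Illustrative model of the hazard in the trace (added here, not Emacs code;
   all names are assumed).  An outer glyph-producing routine realizes a face,
   a nested redisplay frees the whole face cache, and the outer routine keeps
   a dangling pointer.  A block_input-style depth counter defers that work. */

struct face { int id; };
static struct { struct face **faces; int used; } cache;
static int input_blocked;   /* depth of block_input() nesting */
static int pending_layout;  /* nested redisplay deferred while blocked */

static void free_all_realized_faces(void)
{
    while (cache.used > 0) free(cache.faces[--cache.used]);
    free(cache.faces); cache.faces = NULL;
}
/* Stand-in for the callback-driven redisplay that frees realized faces. */
static void nested_redisplay(void)
{
    if (input_blocked > 0) { pending_layout = 1; return; }
    free_all_realized_faces();
}

static void block_input(void) { input_blocked++; }
static void unblock_input(void)
{
    if (--input_blocked == 0 && pending_layout) {
        pending_layout = 0;
        nested_redisplay();  /* the outer caller is done; now it is safe */
    }
}

static struct face *make_realized_face(int id)
{
    struct face *f = malloc(sizeof *f);
    f->id = id;
    cache.faces = realloc(cache.faces, (cache.used + 1) * sizeof *cache.faces);
    cache.faces[cache.used++] = f;
    return f;
}

/* Stand-in for gui_produce_glyphs: 1 if the face survived the nested
   redisplay, 0 if it was freed under us (checked via the cache, never by
   dereferencing the dangling pointer). */
static int produce_glyphs(int guarded)
{
    if (guarded) block_input();
    struct face *f = make_realized_face(1);
    nested_redisplay();  /* the system callback fires mid-work */
    int alive = cache.used > 0 && cache.faces[0] == f;
    if (guarded) unblock_input();
    return alive;
}
```

Running the unguarded path under AddressSanitizer with a real dereference of f is what produces a heap-use-after-free report like the one quoted above; the guarded path keeps the face alive until unblock_input runs the deferred redisplay.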