GNU bug report logs -
#71694
30.0.50; heap-use-after-free in tty_defined_color
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#71694; Package emacs. (Fri, 21 Jun 2024 16:25:02 GMT)
Message #3 received at 71694 <at> debbugs.gnu.org (full text, mbox):
> From: Daniel Clemente <n142857 <at> gmail.com>
> Date: Fri, 21 Jun 2024 10:47:01 +0000
>
> I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> I opened the daemon inside gdb with emacs --fg-daemon -Q
>
> I don't remember what exactly I was doing here, but it only involved
> slowly opening 2 or 3 terminals like this
> urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> and then I might have opened 2 or 3 with this (in the same session)
> xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> Plus switching between them and closing them.
> However that's not a reproduction formula, it's just what I was doing
> when this crash randomly happened. I don't know how to reproduce this
> yet.
>
> =================================================================
> ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> 0x7fffffff98f8
> READ of size 1 at 0x625000123b30 thread T0
> #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
I think this is bogus: -fsanitize doesn't understand the Emacs memory
management, in particular what's going on in GC when we relocate strings.
In any case, the line numbers seem off: line 1115 of xfaces.c is a
comment. Are your sources in sync with the Git repository?
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#71694; Package emacs. (Wed, 26 Jun 2024 13:31:02 GMT)
Message #6 received at 71694 <at> debbugs.gnu.org (full text, mbox):
On Fri, 21 Jun 2024 at 14:22, Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > From: Daniel Clemente <n142857 <at> gmail.com>
> > Date: Fri, 21 Jun 2024 10:47:01 +0000
> >
> > I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> > I opened the daemon inside gdb with emacs --fg-daemon -Q
> >
> > I don't remember what exactly I was doing here, but it only involved
> > slowly opening 2 or 3 terminals like this
> > urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> > and then I might have opened 2 or 3 with this (in the same session)
> > xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> > Plus switching between them and closing them.
> > However that's not a reproduction formula, it's just what I was doing
> > when this crash randomly happened. I don't know how to reproduce this
> > yet.
> >
> > =================================================================
> > ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> > 0x7fffffff98f8
> > READ of size 1 at 0x625000123b30 thread T0
> > #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
>
> I think this is bogus: -fsanitize doesn't understand the Emacs memory
> management, in particular what's going on in GC when we relocate strings.
>
I also used -fsanitize=undefined,address,bounds-strict,float-cast-overflow
without realizing that undefined+address seem to be incompatible;
sorry.
This -fsanitize „not understanding“ memory management could be
explained in etc/DEBUG. But this seems advanced so I guess developers
should just get more experience in Emacs memory management before
enabling this.
(You can close it if you want.)
> In any case, the line numbers seem off: line 1115 of xfaces.c is a
> comment. Are your sources in sync with the Git repository?
My sources were synchronized but my build was a few weeks old:
d9512da49514623ef3e35524dc894c06f2c0ce20
Line 1115 of xfaces.c was:
      if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
in this context:
  /* Defaults.  */
  color_def->pixel = FACE_TTY_DEFAULT_COLOR;
  color_def->red = 0;
  color_def->blue = 0;
  color_def->green = 0;
  if (*color_name)
    status = tty_lookup_color (f, build_string (color_name), color_def, NULL);
  if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
    {
      if (strcmp (color_name, "unspecified-fg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_FG_COLOR;
      else if (strcmp (color_name, "unspecified-bg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_BG_COLOR;
    }
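As an added example (not part of the bug report or of the Emacs sources), a POSIX shell helper for the check Eli asks about and the lookup Daniel did by hand: it reads the commit Emacs records in emacs-repository-version, compares it with the checkout's HEAD, and prints the frame's source line from that commit with git show, so a sanitizer frame's line number is read against the code that was actually compiled. The frame format, the /w/emacs/ build prefix and the EMACS_SRC variable are assumptions; git and emacs must be on PATH.

```shell
#!/bin/sh
# Added example, not part of the bug report: find which commit an Emacs binary
# was built from and read a sanitizer frame's file:line against that commit.
# Assumed: git and emacs on PATH, the checkout root in EMACS_SRC (default: .),
# and a build prefix such as /w/emacs/ in front of the paths in the frames.

# Reduce an AddressSanitizer frame line, e.g.
#   "#0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115"
# to "src/xfaces.c:1115" (a trailing ":column" is dropped, the prefix stripped).
frame_location() {
  # $1 = frame line, $2 = build prefix to strip
  loc=$(printf '%s\n' "$1" | sed -n 's/.* \([^ :]*:[0-9][0-9]*\).*$/\1/p')
  printf '%s\n' "${loc#"$2"}"
}

# True when the commit recorded in the binary is the checkout's HEAD.
# Emacs stores its build commit in the variable emacs-repository-version.
build_matches_head() {
  # $1 = commit from the binary, $2 = HEAD of the checkout
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print the line and some context from the file as it was at a given commit,
# so the numbers in the report are read against the code that was compiled.
show_line_at_commit() {
  # $1 = commit, $2 = path relative to the repo root, $3 = line, $4 = context
  ctx=${4:-5}
  start=$(( $3 - ctx ))
  if [ "$start" -lt 1 ]; then start=1; fi
  git -C "${EMACS_SRC:-.}" show "$1:$2" | sed -n "${start},$(( $3 + ctx ))p"
}

main() {
  frame=$1
  prefix=${2:-/w/emacs/}
  built=$(emacs --batch --eval '(princ emacs-repository-version)')
  head=$(git -C "${EMACS_SRC:-.}" rev-parse HEAD)
  if build_matches_head "$built" "$head"; then
    printf 'build commit %s is HEAD\n' "$built"
  else
    printf 'build commit %s is not HEAD (%s); showing source at the build commit\n' \
      "$built" "$head" >&2
  fi
  loc=$(frame_location "$frame" "$prefix")
  show_line_at_commit "$built" "${loc%:*}" "${loc##*:}" 5
}

# Usage: sh resolve-frame.sh '#0 0x... in tty_defined_color /w/emacs/src/xfaces.c:1115'
if [ -n "${1-}" ]; then main "$@"; fi
```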