GNU bug report logs - #71694: 30.0.50; heap-use-after-free in tty_defined_color
Reported by: Daniel Clemente <n142857 <at> gmail.com>
Date: Fri, 21 Jun 2024 10:48:02 UTC
Severity: normal
Merged with 71693
Found in version 30.0.50
Done: Stefan Kangas <stefankangas <at> gmail.com>
Bug is archived. No further changes may be made.
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#71694; Package emacs. (Fri, 21 Jun 2024 16:25:02 GMT)
Message #3 received at 71694 <at> debbugs.gnu.org (full text, mbox):
> From: Daniel Clemente <n142857 <at> gmail.com>
> Date: Fri, 21 Jun 2024 10:47:01 +0000
>
> I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> I opened the daemon inside gdb with emacs --fg-daemon -Q
>
> I don't remember what exactly I was doing here, but it only involved
> slowly opening 2 or 3 terminals like this
> urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> and then I might have opened 2 or 3 with this (in the same session)
> xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> Plus switching between them and closing them.
> However that's not a reproduction formula, it's just what I was doing
> when this crash randomly happened. I don't know how to reproduce this
> yet.
>
> =================================================================
> ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> 0x7fffffff98f8
> READ of size 1 at 0x625000123b30 thread T0
> #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
I think this is bogus: -fsanitize doesn't understand the Emacs memory
management, in particular what's going on in GC when we relocate strings.
In any case, the line numbers seem off: line 1115 of xfaces.c is a
comment. Are your sources in sync with the Git repository?
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#71694; Package emacs. (Wed, 26 Jun 2024 13:31:02 GMT)
Message #6 received at 71694 <at> debbugs.gnu.org (full text, mbox):
On Fri, 21 Jun 2024 at 14:22, Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > From: Daniel Clemente <n142857 <at> gmail.com>
> > Date: Fri, 21 Jun 2024 10:47:01 +0000
> >
> > I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> > I opened the daemon inside gdb with emacs --fg-daemon -Q
> >
> > I don't remember what exactly I was doing here, but it only involved
> > slowly opening 2 or 3 terminals like this
> > urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> > and then I might have opened 2 or 3 with this (in the same session)
> > xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> > Plus switching between them and closing them.
> > However that's not a reproduction formula, it's just what I was doing
> > when this crash randomly happened. I don't know how to reproduce this
> > yet.
> >
> > =================================================================
> > ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> > 0x7fffffff98f8
> > READ of size 1 at 0x625000123b30 thread T0
> > #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
>
> I think this is bogus: -fsanitize doesn't understand the Emacs memory
> management, in particular what's going on in GC when we relocate strings.
>
I also used -fsanitize=undefined,address,bounds-strict,float-cast-overflow
without realizing that undefined+address seem to be incompatible;
sorry.
This -fsanitize „not understanding“ memory management could be
explained in etc/DEBUG. But this seems advanced so I guess developers
should just get more experience in Emacs memory management before
enabling this.
(You can close it if you want.)
> In any case, the line numbers seem off: line 1115 of xfaces.c is a
> comment. Are your sources in sync with the Git repository?
My sources were synchronized but my build was a few weeks old:
d9512da49514623ef3e35524dc894c06f2c0ce20
Line 1115 of xfaces.c was:
if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
in this context:
  /* Defaults.  */
  color_def->pixel = FACE_TTY_DEFAULT_COLOR;
  color_def->red = 0;
  color_def->blue = 0;
  color_def->green = 0;

  if (*color_name)
    status = tty_lookup_color (f, build_string (color_name), color_def, NULL);

  if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
    {
      if (strcmp (color_name, "unspecified-fg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_FG_COLOR;
      else if (strcmp (color_name, "unspecified-bg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_BG_COLOR;
    }
Reply sent to Stefan Kangas <stefankangas <at> gmail.com>: You have taken responsibility. (Sat, 01 Mar 2025 02:00:03 GMT)
Notification sent to Daniel Clemente <n142857 <at> gmail.com>: bug acknowledged by developer. (Sat, 01 Mar 2025 02:00:04 GMT)
Message #11 received at 71694-done <at> debbugs.gnu.org (full text, mbox):
Daniel Clemente <n142857 <at> gmail.com> writes:
> I also used -fsanitize=undefined,address,bounds-strict,float-cast-overflow
> without realizing that undefined+address seem to be incompatible;
> sorry.
>
> This -fsanitize „not understanding“ memory management could be
> explained in etc/DEBUG. But this seems advanced so I guess developers
> should just get more experience in Emacs memory management before
> enabling this.
>
> (You can close it if you want.)
It seems like the outstanding questions here were resolved.
I'm therefore closing this bug report.
Forcibly Merged 71693 71694. Request was from Stefan Kangas <stefankangas <at> gmail.com> to control <at> debbugs.gnu.org. (Sat, 01 Mar 2025 02:01:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 29 Mar 2025 11:24:48 GMT)
This bug report was last modified 108 days ago.
GNU bug tracking system. Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.