GNU bug report logs - #71694
30.0.50; heap-use-after-free in tty_defined_color


Package: emacs;

Reported by: Daniel Clemente <n142857 <at> gmail.com>

Date: Fri, 21 Jun 2024 10:48:02 UTC

Severity: normal

Found in version 30.0.50

To reply to this bug, email your comments to 71694 AT debbugs.gnu.org.



Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#71694; Package emacs. (Fri, 21 Jun 2024 16:25:02 GMT)

Message #3 received at 71694 <at> debbugs.gnu.org:

From: Eli Zaretskii <eliz <at> gnu.org>
To: Daniel Clemente <n142857 <at> gmail.com>
Cc: 71694 <at> debbugs.gnu.org
Subject: Re: bug#71694: 30.0.50; heap-use-after-free in tty_defined_color
Date: Fri, 21 Jun 2024 17:22:42 +0300
> From: Daniel Clemente <n142857 <at> gmail.com>
> Date: Fri, 21 Jun 2024 10:47:01 +0000
> 
> I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> I opened the daemon inside gdb with emacs --fg-daemon -Q
> 
> I don't remember what exactly I was doing here, but it only involved
> slowly opening 2 or 3 terminals like this
> urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> and then I might have opened 2 or 3 with this (in the same session)
> xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> Plus switching between them and closing them.
> However that's not a reproduction formula, it's just what I was doing
> when this crash randomly happened. I don't know how to reproduce this
> yet.
> 
> =================================================================
> ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> 0x7fffffff98f8
> READ of size 1 at 0x625000123b30 thread T0
>     #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115

I think this is bogus: -fsanitize doesn't understand the Emacs memory
management, in particular what's going on in GC when we relocate strings.

In any case, the line numbers seem off: line 1115 of xfaces.c is a
comment.  Are your sources in sync with the Git repository?




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#71694; Package emacs. (Wed, 26 Jun 2024 13:31:02 GMT)

Message #6 received at 71694 <at> debbugs.gnu.org:

From: Daniel Clemente <n142857 <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 71694 <at> debbugs.gnu.org
Subject: Re: bug#71694: 30.0.50; heap-use-after-free in tty_defined_color
Date: Wed, 26 Jun 2024 13:29:08 +0000
On Fri, 21 Jun 2024 at 14:22, Eli Zaretskii <eliz <at> gnu.org> wrote:
>
> > From: Daniel Clemente <n142857 <at> gmail.com>
> > Date: Fri, 21 Jun 2024 10:47:01 +0000
> >
> > I enabled -fsanitize. I'm using an X terminal to run TTY Emacs inside.
> > I opened the daemon inside gdb with emacs --fg-daemon -Q
> >
> > I don't remember what exactly I was doing here, but it only involved
> > slowly opening 2 or 3 terminals like this
> > urxvt -e "emacsclient" "-c" "-e" '(dired "~")'
> > and then I might have opened 2 or 3 with this (in the same session)
> > xterm -e "emacsclient" "-c" "-e" '(dired "~")'
> > Plus switching between them and closing them.
> > However that's not a reproduction formula, it's just what I was doing
> > when this crash randomly happened. I don't know how to reproduce this
> > yet.
> >
> > =================================================================
> > ==9677==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x625000123b30 at pc 0x55555695b2c9 bp 0x7fffffff9900 sp
> > 0x7fffffff98f8
> > READ of size 1 at 0x625000123b30 thread T0
> >     #0 0x55555695b2c8 in tty_defined_color /w/emacs/src/xfaces.c:1115
>
> I think this is bogus: -fsanitize doesn't understand the Emacs memory
> management, in particular what's going in GC when we relocate strings.
>

I also used -fsanitize=undefined,address,bounds-strict,float-cast-overflow
without realizing that undefined+address seem to be incompatible;
sorry.

This -fsanitize „not understanding“ memory management could be
explained in etc/DEBUG. But this seems advanced so I guess developers
should just get more experience in Emacs memory management before
enabling this.

(You can close it if you want.)

> In any case, the line numbers seem off: line 1115 of xfaces.c is a
> comment.  Are your sources in sync with the Git repository?

My sources were synchronized but my build was a few weeks old:
d9512da49514623ef3e35524dc894c06f2c0ce20

Line 1115 of xfaces.c was:
  if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
in this context:

  /* Defaults.  */
  color_def->pixel = FACE_TTY_DEFAULT_COLOR;
  color_def->red = 0;
  color_def->blue = 0;
  color_def->green = 0;

  if (*color_name)
    status = tty_lookup_color (f, build_string (color_name), color_def, NULL);

  if (color_def->pixel == FACE_TTY_DEFAULT_COLOR && *color_name)
    {
      if (strcmp (color_name, "unspecified-fg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_FG_COLOR;
      else if (strcmp (color_name, "unspecified-bg") == 0)
        color_def->pixel = FACE_TTY_DEFAULT_BG_COLOR;
    }
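
Eli's remark in message #3 (a sanitizer sees GC string relocation as a use-after-free) and the xfaces.c excerpt above (an allocating call, build_string, sits between the early and late reads of color_name) describe the same hazard shape: a raw pointer into managed memory is held across an allocation that may move that memory. The C program below is an added example, not Emacs code, and it does not decide whether this report is a true or false positive. It models a toy relocating string arena whose relocated-away block is poisoned and quarantined the way a sanitizer's allocator does, so a pointer captured before the allocation can be checked for staleness, and it shows the handle-based shape that survives relocation. Every name in it (arena_t, arena_intern, arena_ptr, arena_is_stale, lookup_raw_pointer, lookup_by_handle, the FILLER string) is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Initial capacity of the arena; small so a second allocation relocates it. */
#define ARENA_CAP 64

/* Constructed filler, long enough to force relocation of a fresh ARENA_CAP
   arena; it stands in for the string that build_string would allocate. */
#define FILLER "a-color-name-long-enough-to-push-the-arena-past-capacity-and-relocate"

typedef struct {
  char *data;        /* block currently holding the live strings */
  size_t used, cap;
  char *old;         /* previous block, kept poisoned like a sanitizer's quarantine */
  size_t old_cap;
} arena_t;

static void arena_init(arena_t *a) { memset(a, 0, sizeof *a); }

/* Copy s into the arena and return its offset (a stable handle).
   When the block is full the strings move to a new block and the old one is
   poisoned and quarantined, so any raw pointer into it is now stale. */
static size_t arena_intern(arena_t *a, const char *s) {
  size_t n = strlen(s) + 1;
  if (a->used + n > a->cap) {
    size_t ncap = a->cap ? a->cap : ARENA_CAP;
    while (a->used + n > ncap) ncap *= 2;
    char *nd = malloc(ncap);
    if (!nd) abort();
    if (a->data) memcpy(nd, a->data, a->used);
    free(a->old);                                    /* retire the older quarantined block */
    a->old = a->data;
    a->old_cap = a->cap;
    if (a->old) memset(a->old, 0xAB, a->old_cap);    /* poison: no NUL, no valid text */
    a->data = nd;
    a->cap = ncap;
  }
  size_t off = a->used;
  memcpy(a->data + off, s, n);
  a->used += n;
  return off;
}

/* Turn a handle back into a pointer that is valid until the next arena_intern. */
static const char *arena_ptr(const arena_t *a, size_t off) { return a->data + off; }

/* Shadow-memory style check: does p point into the quarantined old block?
   This is the question a sanitizer answers on every load. */
static int arena_is_stale(const arena_t *a, const char *p) {
  uintptr_t lo = (uintptr_t)a->old, hi = lo + a->old_cap, q = (uintptr_t)p;
  return a->old != NULL && q >= lo && q < hi;
}

/* Risky shape, modelled on the xfaces.c excerpt: capture a raw pointer to the
   name, call something that allocates (and may relocate), then read the name.
   Returns 1 on match, 0 on mismatch, -1 when the read would hit stale memory. */
static int lookup_raw_pointer(arena_t *a, size_t name_off, const char *wanted) {
  const char *name = arena_ptr(a, name_off);   /* raw pointer captured early */
  (void)arena_intern(a, FILLER);               /* stands in for build_string */
  if (arena_is_stale(a, name))
    return -1;                                 /* a sanitizer reports heap-use-after-free here */
  return strcmp(name, wanted) == 0;
}

/* Safe shape: keep the handle across the allocation and re-derive the pointer
   afterwards (copying the name into a local buffer first works equally well). */
static int lookup_by_handle(arena_t *a, size_t name_off, const char *wanted) {
  (void)arena_intern(a, FILLER);
  const char *name = arena_ptr(a, name_off);   /* fresh pointer into the live block */
  return strcmp(name, wanted) == 0;
}

/* Scenario helpers so the outcomes can be checked as return values. */
static int demo_raw_pointer(void) {
  arena_t a; arena_init(&a);
  size_t off = arena_intern(&a, "unspecified-fg");
  int r = lookup_raw_pointer(&a, off, "unspecified-fg");
  free(a.data); free(a.old);
  return r;   /* -1: the early pointer went stale */
}

static int demo_handle(void) {
  arena_t a; arena_init(&a);
  size_t off = arena_intern(&a, "unspecified-fg");
  int r = lookup_by_handle(&a, off, "unspecified-fg");
  free(a.data); free(a.old);
  return r;   /* 1: the handle survives the relocation */
}

int main(void) {
  printf("raw pointer across relocation: %d (-1 = stale read caught)\n", demo_raw_pointer());
  printf("handle across relocation:      %d (1 = name still matches)\n", demo_handle());
  return 0;
}
```

The quarantined block is never freed while a stale pointer could still reach it, which is exactly why a sanitizer can attribute the read to a freed allocation rather than to whatever now lives at that address; in the handle-based variant the decision moves from a runtime check into the shape of the code, since no pointer into the arena outlives an allocating call.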




This bug report was last modified 113 days ago.
