bug-gnu-emacs

bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal


From: Po Lu
Subject: bug#58042: 29.0.50; ASAN use-after-free in re_match_2_internal
Date: Wed, 05 Oct 2022 18:43:55 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.91 (gnu/linux)

Gerd Möllmann <gerd.moellmann@gmail.com> writes:

>> Isn't the -[EmacsView layoutSublayersOfLayer:] the problem?  AFAICT from
>> a web search, this is an event handler method that is also called from
>> by the framework?
>>
>> In the olden days, it was a serious error to call into Lisp from an
>> event handler.  All bets were off when that happened, not only related
>> to GC.  I believe that hasn't changed much.

Today, event handling code calls Lisp all the time (through safe_call
etc.)  That happens in handle_one_xevent, ns_select, et cetera.

It shouldn't affect GC at all because input is blocked for the entire
duration of each GC, except for when finalizers are run after unmarked
objects are swept.

So AFAIU it has been safe ever since read_socket_hook stopped being
called from a signal handler.

>> That code was introduced by Alan around this time.
>>
>> 1ba02d85a964e1b2c6a9735cd3decdc524e06dc1
>> Author:     Alan Third <alan@idiocy.org>
>> AuthorDate: Sat Jun 12 10:25:47 2021 +0100
>> Commit:     Alan Third <alan@idiocy.org>
>> CommitDate: Sat Jul 31 11:13:05 2021 +0100
>>
>> Maybe Allen can say something, I've CC'd him.
>>
>> Or maybe we should add your fix, too?
>
> And a similar question to Po Lu because of
>
> f81065a91be5a54b78e202df6918aff443588ae1
> Author:     Po Lu <luangruo@yahoo.com>
> AuthorDate: Mon May 30 16:03:11 2022 +0800
> Commit:     Po Lu <luangruo@yahoo.com>
> CommitDate: Mon May 30 16:03:11 2022 +0800
>
> which added a call to redisplay to - (NSDragOperation) draggingUpdated:
> (id <NSDraggingInfo>) sender.  Is that safe here?

It should be safe there since we use safe_call, as the only problem
these days is that it isn't safe to longjmp out of an NS event handler.
