
bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs


From: Eli Zaretskii
Subject: bug#58334: 29.0.50; ASAN heap use after free in gui_produce_glyphs
Date: Thu, 06 Oct 2022 19:00:50 +0300

> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Date: Thu, 06 Oct 2022 17:03:17 +0200
> 
> This is again on my local branch based on master.  Recent fixes for ASAN
> are contained in that branch.  It seems to be pretty good at producing
> this...
> 
> ==19549==ERROR: AddressSanitizer: heap-use-after-free on address 0x0001393095c0 at pc 0x000100144340 bp 0x00016fdc16b0 sp 0x00016fdc16a8
> READ of size 4 at 0x0001393095c0 thread T0
>     #0 0x10014433c in gui_produce_glyphs xdisp.c:31875
>     #1 0x1000a8bc0 in move_it_in_display_line_to xdisp.c:9813
>     #2 0x10009a5c0 in move_it_to xdisp.c:10373
>     #3 0x1000dcbac in move_it_vertically_backward xdisp.c:10745
>     #4 0x100089ca4 in move_it_by_lines xdisp.c:10940
>     #5 0x10055a7a4 in Fvertical_motion indent.c:2381

Sigh...

> The problem here, it seems to me, is that the redisplay done in
> -[EmacsView layoutSublayersOfLayer:] nsterm.m:8675, frees realized faces
> at a moment that the code cannot expect.

Right.

> I'm too lazy to look further.  I'm pretty sure the story goes pretty
> much like what we had before with relocating strings.
> 
> Is there a way to prevent freeing realized faces?

Yes: set inhibit_free_realized_faces non-zero (and record
unwind_protect to restore it).

It sounds like we need to do that in probably_quit, at least for NS
builds, because it could trigger redisplay, sigh...
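An added example, not Emacs code and not from this thread, that models the hazard and the guard described above: a caller holds a pointer into the face cache across a quit check, the quit check re-enters redisplay, and redisplay frees the cache unless a flag defers it until the caller is done. The names mirror Emacs's (inhibit_free_realized_faces, probably_quit, free_realized_faces) but their semantics here are assumed; the inline restore of the flag stands in for record_unwind_protect.

```c
#include <stdbool.h>
#include <stdlib.h>

struct face { int id; int foreground; };

/* Toy face cache: one realized face, freed on redisplay (constructed).  */
static struct face *realized_face = NULL;
static int faces_freed = 0;
/* Stand-in for Emacs's inhibit_free_realized_faces (semantics assumed).  */
static int inhibit_free_realized_faces = 0;

static void free_realized_faces(void)
{
  if (inhibit_free_realized_faces)
    return;                      /* the guard: leave the cache alone */
  free(realized_face);
  realized_face = NULL;
  faces_freed++;
}

static struct face *lookup_face(int fg)
{
  if (!realized_face) {
    realized_face = malloc(sizeof *realized_face);
    realized_face->id = 1;
    realized_face->foreground = fg;
  }
  return realized_face;
}

/* Stand-in for probably_quit on the NS build: it may run redisplay
   (the layoutSublayersOfLayer: path), which frees realized faces.  */
static void probably_quit(void)
{
  free_realized_faces();
}

/* Stand-in for the move_it_to / gui_produce_glyphs path: holds a face
   pointer across a quit check.  Returns the foreground it read, or -1
   when the cache was freed underneath it (where the real code reads
   freed memory; here we detect it instead of reading).  */
static int produce_glyphs(bool guarded)
{
  int saved = inhibit_free_realized_faces;
  if (guarded)
    inhibit_free_realized_faces = 1;
  int freed_before = faces_freed;
  struct face *face = lookup_face(42);
  probably_quit();                          /* may re-enter redisplay */
  int fg = (faces_freed == freed_before) ? face->foreground : -1;
  inhibit_free_realized_faces = saved;      /* the "unwind" */
  return fg;
}
```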
