Michael Albinus <michael.albinus@HIDDEN>
to control <at> debbugs.gnu.org
Received: (at submit) by debbugs.gnu.org; 3 Apr 2025 06:55:52 +0000
From: Kyle Ambroff-Kao <kyle@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Cc: Kyle Ambroff-Kao <kyle@HIDDEN>
Subject: Re: Fixes a crash in the Haiku font driver for daemon mode
Date: Wed, 02 Apr 2025 23:39:44 -0700
In-reply-to: <kyle@HIDDEN>
References: <86cydtg3e5.fsf@HIDDEN>
Message-ID: <865xjlg2zu.fsf@HIDDEN>
User-agent: mu4e 1.8.13; emacs 30.1

Kyle Ambroff-Kao <kyle@HIDDEN> writes:

> Tags: patch
>
> Fix use-after-free bug in the Haiku font driver
>
> * src/haikufont.c: Set objects freed with haikufont_close to NULL so
> they will not be reused, which seems to happen in daemon mode when all
> frames have been closed and fonts are garbage collected.
>
> In GNU Emacs 30.1 (build 2, amd64-portbld-freebsd15.0, GTK+ Version
> 3.24.48, cairo version 1.18.2)
> System Description: 15.0-CURRENT
>
> Configured using:
> 'configure --disable-build-details --localstatedir=/var --without-gconf
> --without-libsystemd --without-selinux --with-x --enable-acl
> --with-cairo --with-dbus --with-gif --with-gnutls --with-gsettings
> --with-x-toolkit=gtk3 --with-harfbuzz --with-jpeg
> --with-file-notification=kqueue --with-lcms2 --without-m17n-flt
> --without-imagemagick --with-mailutils --with-modules
> --with-native-compilation=aot --with-sound=oss --without-libotf
> --without-pgtk --with-png --with-toolkit-scroll-bars --with-sqlite3
> --with-rsvg --with-threads --with-tiff --with-tree-sitter --with-webp
> --without-xft --with-xim --with-xml2 --with-xpm --without-xwidgets
> --x-libraries=/usr/local/lib --x-includes=/usr/local/include
> --prefix=/usr/local --mandir=/usr/local/share/man
> --disable-silent-rules --infodir=/usr/local/share/emacs/info/
> --build=amd64-portbld-freebsd15.0 'CFLAGS=-O2 -pipe
> -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc13 -isystem
> /usr/local/include -fno-strict-aliasing ' 'CPPFLAGS=-isystem
> /usr/local/include' 'LDFLAGS= -fstack-protector-strong
> -Wl,-rpath=/usr/local/lib/gcc13 -L/usr/local/lib/gcc13 -L/usr/local/lib
> ''
>
> [2. text/patch; haiku-font-double-free.diff]...

This fixes a double-free bug in Emacs daemon mode on Haiku.

To reproduce:

1. Start emacs with "emacs --daemon"
2. Create a new frame with "emacsclient -c" and then close it.
3. Create a new frame with "emacsclient -c"

Step 3 will cause the Emacs daemon to crash.

KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
`tried to free 0xb960bc9fd0 which points at page 232 which is not an
allocation first page'

The backtrace from Emacs:

heap_free(void*) + 0x35
BFont_close + 0x4d
haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *) + 0x6c (/Code/emacs/src/eval.c:1699)
safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*) + 0x2b (/Code/emacs/src/keymap.c:608)
...

It appears that the BFont has already been closed. I think that the
driver is holding on to the pointer to the freed BFont (info->be_font).
This patch addresses this by setting be_font to NULL so that this
pointer will not be freed again. The same thing applies to
info->metrics and info->glyphs, since just making this change to
be_font wasn't enough to avoid crashes. With this patch I can open and
close as many frames as I want without crashing.

I don't totally understand the interactions here, and I see there are
similar bugs in other font drivers with different workarounds. For
example, in Bug#16069 which I found from xfont.c:xfont_close, it seems
like there is an attempt to just not free the fonts when GC is invoked.
I think the solution in this patch seems a little simpler, but possibly
means that the fonts are initialized every time the frame count goes
from 0 to 1 or more instead of just once for the life of the daemon.
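The before/after of the fix the message describes, as an added example that is neither Emacs code nor the reporter's patch: a throwaway C model of a font-info struct that is closed once when the last frame goes away and once more when the GC sweeps the font object. The field names be_font, metrics and glyphs are the ones the message names; the stub types, the tracking heap (which counts a second free of the same block instead of aborting into a debugger the way Haiku's allocator did in the report) and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's private types.  The real
   struct in src/haikufont.c has more fields and be_font is an opaque
   handle released through BFont_close; these are assumptions.  */
struct be_font_stub { int family; };
struct font_metrics_stub { int ascent, descent; };
struct glyph_cache_stub { int nglyphs; };

struct haikufont_info
{
  struct be_font_stub *be_font;
  struct font_metrics_stub *metrics;
  struct glyph_cache_stub *glyphs;
};

/* Tracking heap: a block is live while it sits in live_blocks.  Freeing
   a pointer that is not live is counted rather than passed to free(),
   so the double free is observable instead of undefined behaviour.  */
enum { MAX_LIVE = 64 };
static void *live_blocks[MAX_LIVE];
static int double_free_count;

static void *
tracked_alloc (size_t n)
{
  void *p = calloc (1, n);
  if (!p)
    abort ();
  for (int i = 0; i < MAX_LIVE; i++)
    if (!live_blocks[i])
      {
        live_blocks[i] = p;
        return p;
      }
  abort ();
}

static void
tracked_free (void *p)
{
  if (!p)
    return;			/* free (NULL) is a no-op; the fix relies on this.  */
  for (int i = 0; i < MAX_LIVE; i++)
    if (live_blocks[i] == p)	/* pointer value compared only, never dereferenced */
      {
        live_blocks[i] = NULL;
        free (p);
        return;
      }
  double_free_count++;		/* p was already released: a double free */
}

static void
font_open (struct haikufont_info *info)
{
  info->be_font = tracked_alloc (sizeof *info->be_font);
  info->metrics = tracked_alloc (sizeof *info->metrics);
  info->glyphs = tracked_alloc (sizeof *info->glyphs);
}

/* Before: the blocks are released but the dangling pointers stay in
   the struct, so a later close releases them again.  */
static void
font_close_before (struct haikufont_info *info)
{
  tracked_free (info->be_font);
  tracked_free (info->metrics);
  tracked_free (info->glyphs);
}

/* After: each pointer is cleared right after it is released, so a
   second close sees NULL for all three and does nothing.  */
static void
font_close_after (struct haikufont_info *info)
{
  tracked_free (info->be_font);
  info->be_font = NULL;
  tracked_free (info->metrics);
  info->metrics = NULL;
  tracked_free (info->glyphs);
  info->glyphs = NULL;
}

/* Daemon scenario: close on last-frame teardown, then close again from
   the GC sweep.  Returns the number of double frees observed.  */
int
close_twice (int use_fix)
{
  struct haikufont_info info = { 0 };
  double_free_count = 0;
  font_open (&info);
  if (use_fix)
    {
      font_close_after (&info);
      font_close_after (&info);
    }
  else
    {
      font_close_before (&info);
      font_close_before (&info);
    }
  return double_free_count;
}
```

close_twice (0) reports three double frees, one per field; close_twice (1) reports none. The caveat worth keeping in mind when reviewing a fix of this shape: clearing the pointer only protects callers that go through this struct. If a copy of be_font lives anywhere else (a cache, a per-frame table), that copy is still dangling after the first close, and the NULL-after-free turns a loud double free into a quieter use-after-free rather than removing it. That is why the alternative the message mentions for the X driver (not freeing at GC time at all) is worth comparing against before settling on the simpler change.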
Kyle Ambroff-Kao <kyle@HIDDEN> to bug-gnu-emacs@HIDDEN

bug#77479; Package emacs
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.