
bug#56553: 29.0.50; ASAN error with fringe bitmaps on NS


From: Gerd Möllmann
Subject: bug#56553: 29.0.50; ASAN error with fringe bitmaps on NS
Date: Thu, 14 Jul 2022 16:18:55 +0200


> On 2022-07-14, at 15:56 , Eli Zaretskii <eliz@gnu.org> wrote:
> 
>> From: Gerd Möllmann <gerd.moellmann@gmail.com>
>> Date: Thu, 14 Jul 2022 15:03:36 +0200
>> 
>> This is a Spacemacs profile, with a lot of fringe bitmaps.  The error
>> happens right after hitting 'q' on the startup screen, when the first
>> fringe bitmap is displayed.
>> 
>> thread #1: tid = 0x3d47c, 0x0000000103dc4870 
>> libclang_rt.asan_osx_dynamic.dylib`__asan::AsanDie(), queue = 
>> 'com.apple.main-thread', stop reason = Heap buffer overflow
>> 
>> {
>>  "access_size": 2,
>>  "access_type": 0,
>>  "address": 4402845816,
>>  "description": "heap-buffer-overflow",
>>  "instrumentation_class": "AddressSanitizer",
>>  "pc": 4313240244,
>>  "stop_type": "fatal_error"
>> }
>> 
>> frame #5: 0x000000010116d2b4 emacs`ns_define_fringe_bitmap(which=27, 
>> bits=0x00000001066e1860, h=12, w=16) at nsterm.m:2906:20
>>   2903               /* XBM rows are always round numbers of bytes, with any 
>> unused
>>   2904                  bits ignored.  */
>>   2905               int byte = y * (w/8 + (w%8 ? 1 : 0)) + x/8;
>> -> 2906              bool bit = bits[byte] & (0x80 >> x%8);
>>   2907               if (bit)
>>   2908                 [p appendBezierPathWithRect:NSMakeRect (x, y, 1, 1)];
>>   2909             }
>> (lldb) p byte
>> (int) $22 = 12
>> 
>> frame #6: 0x0000000101079128 emacs`init_fringe_bitmap(which=27, 
>> fb=0x00000001066e1850, once_p=0) at fringe.c:1520:2
>>   1517             destroy_fringe_bitmap (which);
>>   1518       
>>   1519             if (rif && rif->define_fringe_bitmap)
>> -> 1520              rif->define_fringe_bitmap (which, fb->bits, fb->height, 
>> fb->width);
>>   1521       
>>   1522             fringe_bitmaps[which] = fb;
>>   1523             if (which >= max_used_fringe_bitmap)
>> (lldb) p *fb
>> (fringe_bitmap) $21 = {
>>  bits = 0x00000001066e1860
>>  height = 12
>>  width = 16
>>  period = 0
>>  align = 0
>>  dynamic = true
>> }
> 
> I don't understand this.  What is the dimension of the bits[] array?
> It is supposed to be 12 * 2, so how come the index 12 causes access
> violation?

I don't understand this either, but it's not an access violation, it's an 
out-of-bounds access of an allocated memory object, AFAIU.

How do you come to the 12 * 2?  Is that in bytes?  I'm asking because, 
confusingly for me, the bits in frame #5 is unsigned short *.  (height * width) 
/ sizeof(char) would be 12*2...

> 
> Who is the caller of init_fringe_bitmap in this case?

frame #7: 0x0000000101078558 emacs`Fdefine_fringe_bitmap(bitmap=-> (struct 
Lisp_Symbol *) $33 = 0x00000001232c81a0, bits=-> (struct Lisp_Vector *) $37 = 
0x000000014efefc70, height=-> (struct Lisp_Symbol *) $40 = 0x0000000101b04020, 
width=-> (EMACS_INT) $42 = 16, align=-> (struct Lisp_Symbol *) $45 = 
0x0000000101b04020) at fringe.c:1660:3
   1657 
   1658   *xfb = fb;
   1659 
-> 1660   init_fringe_bitmap (n, xfb, 0);
   1661 
   1662   return bitmap;
   1663 }

(lldb) frame variable
(Lisp_Object) bitmap = -> (struct Lisp_Symbol *) $18 = 0x00000001232c81a0 {
  i = 0x00000000217c4180
}
(Lisp_Object) bits = -> (struct Lisp_Vector *) $22 = 0x000000014efefc70 {
  i = 0x000000014efefc75
}
(Lisp_Object) height = -> (struct Lisp_Symbol *) $25 = 0x0000000101b04020 {
  i = NULL
}
(Lisp_Object) width = -> (EMACS_INT) $27 = 16 {
  i = 0x0000000000000042
}
(Lisp_Object) align = -> (struct Lisp_Symbol *) $30 = 0x0000000101b04020 {
  i = NULL
}
(int) n = 27
(int) h = 12
(int) i = 0
(int) j = 12
(unsigned short *) b = 0x00000001066e6320
(fringe_bitmap) fb = {
  bits = 0x00000001066e6320
  height = 12
  width = 16
  period = 0
  align = 0
  dynamic = true
}
(fringe_bitmap *) xfb = 0x00000001066e6310
(int) fill1 = 0
(int) fill2 = 0

(lldb) p $18->u.s.name 
(Lisp_Object) $58 = -> (struct Lisp_String *) $60 = 0x000000012279d880 {
  i = 0x000000012279d884
}

(lldb) p $60->u.s
(Lisp_String::(unnamed struct)) $61 = {
  size = 42
  size_byte = 42
  intervals = NULL
  data = 0x0000000150832190 "flycheck-fringe-bitmap-double-arrow-hi-res"
}
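The numbers in the trace above (h=12, w=16, byte=12, an ASAN access_size of 2, and a bits pointer typed unsigned short *) can be checked arithmetically. The following is an added example, not code from the original message or from Emacs: it reimplements the XBM byte-index formula shown at nsterm.m:2905 in hypothetical helper functions and then asks, for a constructed 12x16 bitmap held in 12 unsigned shorts (24 bytes), which loop index first reaches past the allocation when that byte index is applied to a pointer with 1-byte elements versus 2-byte elements.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Row stride of an XBM bitmap in bytes: each row is padded to whole bytes,
   which is the w/8 + (w%8 ? 1 : 0) term in the trace. */
static size_t xbm_row_bytes(int w)
{
    return (size_t)(w / 8 + (w % 8 ? 1 : 0));
}

/* Byte index computed by the loop in the trace: y * row_bytes + x / 8. */
static size_t xbm_byte_index(int x, int y, int w)
{
    return (size_t)y * xbm_row_bytes(w) + (size_t)x / 8;
}

/* Largest byte index the x/y loop will compute for an h-by-w bitmap. */
static size_t xbm_max_byte_index(int w, int h)
{
    return xbm_byte_index(w - 1, h - 1, w);
}

/* Byte offset actually touched when index `idx` is applied to a pointer
   whose element size is `elem_size` (1 for unsigned char *, 2 for
   unsigned short *). */
static size_t accessed_offset(size_t idx, size_t elem_size)
{
    return idx * elem_size;
}

/* True when reading element `idx` of `elem_size` bytes stays inside an
   allocation of `alloc_bytes` bytes. */
static bool in_bounds(size_t idx, size_t elem_size, size_t alloc_bytes)
{
    return accessed_offset(idx, elem_size) + elem_size <= alloc_bytes;
}

/* Walk the bitmap in the same x/y order as the loop and return the first
   index whose access would leave the allocation, or -1 if none does. */
static long first_overrunning_index(int w, int h, size_t elem_size,
                                    size_t alloc_bytes)
{
    for (int y = 0; y < h; y++)
        for (int x = 0; x < w; x++) {
            size_t idx = xbm_byte_index(x, y, w);
            if (!in_bounds(idx, elem_size, alloc_bytes))
                return (long)idx;
        }
    return -1;
}

int main(void)
{
    /* Constructed input matching the trace: 12 rows of 16 bits, stored as
       12 unsigned shorts, i.e. 24 bytes in total. */
    const int w = 16, h = 12;
    const size_t alloc_bytes = (size_t)h * sizeof(unsigned short);

    printf("row bytes: %zu, highest byte index: %zu, allocation: %zu bytes\n",
           xbm_row_bytes(w), xbm_max_byte_index(w, h), alloc_bytes);
    printf("1-byte elements: first overrunning index %ld\n",
           first_overrunning_index(w, h, 1, alloc_bytes));
    printf("2-byte elements: first overrunning index %ld\n",
           first_overrunning_index(w, h, 2, alloc_bytes));
    return 0;
}
```

With 1-byte elements the highest index, 23, still lands inside the 24-byte object, which is the 12 * 2 reasoning in the quoted reply. With 2-byte elements the same index formula first overruns at index 12 (byte offset 24, a 2-byte read), which is exactly the byte value and access size ASAN reported in frame #5.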
