bug#77478: Details

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#77478: Details

From:	Kyle Ambroff-Kao
Subject:	bug#77478: Details
Date:	Thu, 03 Apr 2025 07:10:53 +0000

This fixes double-free bug in Emacs daemon mode on Haiku. To reproduce:

1. Start emacs with "emacs --daemon"
2. Create a new frame with "emacsclient -c" and then close it.
3. Create a new frame with "emacsclient -c"

Step 3 will cause the Emacs daemon to crash.

  KERN: debug_server: Thread 3616 entered the debugger: Debugger call:
  `tried to free 0xb960bc9fd0 which points at page 232 which is not an
  allocation first page'

The backtrace from Emacs:
   heap_free(void*) + 0x35 
   BFont_close + 0x4d 
   haikufont_close(font*) + 0x29 (/Code/emacs/src/haikufont.c:893)
   sweep_vectors(void) + 0x1af (/Code/emacs/src/alloc.c:3242)
   garbage_collect(void) + 0x7b3 (/Code/emacs/src/alloc.c:7247)
   Ffuncall(ptrdiff_t, Lisp_Object*) + 0x194 (/Code/emacs/src/eval.c:3084)
   internal_condition_case_n(*, ptrdiff_t, Lisp_Object*, Lisp_Object, *)
   + 0x6c (/Code/emacs/src/eval.c:1699)
   safe_funcall(ptrdiff_t, Lisp_Object*) + 0x50 (/Code/emacs/src/eval.c:3114)
   map_keymap_canonical(Lisp_Object,map_keymap_function_t,Lisp_Object,void*)
   + 0x2b (/Code/emacs/src/keymap.c:608)
   ...

It appears that the BFont has already been closed. I think that the
driver is holding on to the pointer to the freed BFont
(into->be_font). This patch addresses this by setting be_font to NULL so
that this pointer will not be freed again.

The same thing applies to info->metrics and info->glyphs, since just
making this change to be_font wasn't enough to avoid crashes.

With this patch I can open and close as many frames as I want without
crashing.

I don't totally understand the interactions here, and I see there are
similar bugs in other font drivers with different workarounds. For
example, in Bug#16069 which I found from xfont.c:xfont_close, it seems
like there is an attempt to just not free the fonts when GC is invoked.

I think the solution in this patch seems a little simpler, but possibly
means that the fonts are initialized every time the frame count goes
from 0 to 1 or more instead of just once for the life of the daemon.

[Prev in Thread]

Current Thread

[Next in Thread]

bug#77478: Fixes a crash in the Haiku font driver for daemon mode, Kyle Ambroff-Kao, 2025/04/03
- Message not available
  - bug#77479: Fixes a crash in the Haiku font driver for daemon mode, Kyle Ambroff-Kao, 2025/04/03
    - bug#77479: Sorry, Kyle Ambroff-Kao, 2025/04/03
    - bug#77479: Sorry, Michael Albinus, 2025/04/03
- bug#77478: Details, Kyle Ambroff-Kao <=
  - bug#77478: Details, Eli Zaretskii, 2025/04/12
    - bug#77478: Fixes a crash in the Haiku font driver for daemon mode, Eli Zaretskii, 2025/04/26

Prev by Date: bug#77425: 31.0.50; Switching to remote project -> no applicable method
Next by Date: bug#77479: Sorry
Previous by thread: bug#77479: Sorry
Next by thread: bug#77478: Details
Index(es):
- Date
- Thread