kovidgoyal / kitty

Cross-platform, fast, feature-rich, GPU based terminal
https://sw.kovidgoyal.net/kitty/
GNU General Public License v3.0
24.41k stars 980 forks source link

SIGSEGV when deleting a lot of images at once #7311

Closed Nogesma closed 6 months ago

Nogesma commented 7 months ago

Describe the bug When deleting a lot of images by their image id (I key), kitty segfaults.

I've bisected this the commit that improves the disk cache with lots of small images de92470f0d9674aed1916e7d028f59c5e24d20a4.

The segfault does not happen every time at the same place, and it seems to be caused by a use after free, after an image is deleted.

To Reproduce I can reproduce this using twitch tui:

  1. Run twt -c thebausffs
  2. Input i to enter input mode
  3. Inpute Alt + e to enter emote mode
  4. Scroll with down arrow until a lot of images are loaded, usually loading all emotes until the ones that start with h works.
  5. Quit twt with <esc> + <esc> + q
  6. Kitty segfaults

twitch tui might require some setting up, I can probably create a small program to reproduce it if it's easier than setting up twt for you (it requires a twitch.tv account)

kovidgoyal commented 6 months ago

I'm definitely not going to setup twitch, so please create a reproducer or alternately use --dump-bytes.

If you post the backtrace from the segfault that might also be enough for me to find and fix the issue.

kovidgoyal commented 6 months ago

Also build with ASAN when generating the backtrace that often gives more useful traces. https://sw.kovidgoyal.net/kitty/build/

mfilej commented 6 months ago

I've had kitty crash since (rough guess) 0.31 and it usually happens when undoing a lot of changes at once in neovim (i.e. holding down the u key while neovim does its thing).

After reading this issue I built kitty from source with ./dev.sh build --debug --sanitize.

edit:

@kovidgoyal How should I run kitty to give you the most useful info? Right now I'm running with --dump-bytes=dbg

kovidgoyal commented 6 months ago

kitty --dump-bytes filename.bin

Nogesma commented 6 months ago

Here's the asan backtrace:

=================================================================
==4250==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x519000645e80 at pc 0x76309563365f bp 0x7ffe53a3d010 sp 0x7ffe53a3d000
WRITE of size 8 at 0x519000645e80 thread T0
    #0 0x76309563365e in add_hole kitty/disk-cache.c:253
    #1 0x76309563551f in remove_from_disk kitty/disk-cache.c:262
    #2 0x76309563f6f3 in remove_from_disk_cache kitty/disk-cache.c:529
    #3 0x7630956e108b in remove_from_cache kitty/graphics.c:50
    #4 0x7630956e125e in free_image_resources kitty/graphics.c:145
    #5 0x7630956e27bb in free_image kitty/graphics.c:162
    #6 0x7630956e2fc1 in remove_image kitty/graphics.c:230
    #7 0x7630956e3a45 in filter_refs kitty/graphics.c:1866
    #8 0x7630956f5689 in handle_delete_command kitty/graphics.c:2068
    #9 0x76309571488b in grman_handle_command kitty/graphics.c:2199
    #10 0x7630957ae7bb in screen_handle_graphics_command kitty/screen.c:1006
    #11 0x76309584644c in parse_graphics_code kitty/parse-graphics-command.h:382
    #12 0x763095846516 in dispatch_apc kitty/vt-parser.c:1327
    #13 0x763095842f07 in accumulate_st_terminated_esc_code kitty/vt-parser.c:403
    #14 0x763095843d10 in consume_input kitty/vt-parser.c:1387
    #15 0x763095844926 in run_worker kitty/vt-parser.c:1432
    #16 0x763095847824 in parse_worker kitty/vt-parser.c:1496
    #17 0x7630955f40ee in do_parse kitty/child-monitor.c:440
    #18 0x7630955facf7 in parse_input kitty/child-monitor.c:530
    #19 0x763095605d57 in process_global_state kitty/child-monitor.c:1233
    #20 0x763095605e7c in do_state_check kitty/child-monitor.c:1215
    #21 0x763094344cb4 in dispatchTimers glfw/backend_utils.c:208
    #22 0x763094345544 in pollForEvents glfw/backend_utils.c:309
    #23 0x763094303df8 in handleEvents glfw/wl_window.c:1161
    #24 0x76309430eb3a in _glfwPlatformWaitEvents glfw/wl_window.c:1708
    #25 0x7630942f6950 in _glfwPlatformRunMainLoop glfw/main_loop.h:30
    #26 0x7630942d10d0 in glfwRunMainLoop glfw/init.c:360
    #27 0x7630956c4306 in run_main_loop kitty/glfw.c:2095
    #28 0x7630955ebd14 in main_loop kitty/child-monitor.c:1259
    #29 0x76309a38dd7d  (/usr/lib/libpython3.11.so.1.0+0x18dd7d) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #30 0x76309a374236 in PyObject_Vectorcall (/usr/lib/libpython3.11.so.1.0+0x174236) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #31 0x76309a3665d2 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.11.so.1.0+0x1665d2) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #32 0x76309a38d9af in _PyFunction_Vectorcall (/usr/lib/libpython3.11.so.1.0+0x18d9af) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #33 0x76309a35fdf6 in _PyObject_FastCallDictTstate (/usr/lib/libpython3.11.so.1.0+0x15fdf6) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #34 0x76309a395bdc in _PyObject_Call_Prepend (/usr/lib/libpython3.11.so.1.0+0x195bdc) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #35 0x76309a45a951  (/usr/lib/libpython3.11.so.1.0+0x25a951) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #36 0x76309a35b0db in _PyObject_MakeTpCall (/usr/lib/libpython3.11.so.1.0+0x15b0db) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #37 0x76309a3665d2 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.11.so.1.0+0x1665d2) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #38 0x76309a41fae3  (/usr/lib/libpython3.11.so.1.0+0x21fae3) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #39 0x76309a41f4cb in PyEval_EvalCode (/usr/lib/libpython3.11.so.1.0+0x21f4cb) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #40 0x76309a4358b1  (/usr/lib/libpython3.11.so.1.0+0x2358b1) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #41 0x76309a375129  (/usr/lib/libpython3.11.so.1.0+0x175129) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #42 0x76309a374236 in PyObject_Vectorcall (/usr/lib/libpython3.11.so.1.0+0x174236) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #43 0x76309a3665d2 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.11.so.1.0+0x1665d2) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #44 0x76309a38d9af in _PyFunction_Vectorcall (/usr/lib/libpython3.11.so.1.0+0x18d9af) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #45 0x76309a448556  (/usr/lib/libpython3.11.so.1.0+0x248556) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #46 0x76309a2af706  (/usr/lib/libpython3.11.so.1.0+0xaf706) (BuildId: bccedd7d3d162c4c6f049f005cb6a50eac9e114e)
    #47 0x5b0f1d679a96 in run_embedded kitty/launcher/main.c:215
    #48 0x5b0f1d67b41e in main kitty/launcher/main.c:383
    #49 0x76309a043ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #50 0x76309a043d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #51 0x5b0f1d678454 in _start (/home/segransm/build/kitty/kitty/launcher/kitty+0x5454) (BuildId: 386063084a18656754283bd6b8081c1ce53de753)

0x519000645e80 is located 0 bytes after 1024-byte region [0x519000645a80,0x519000645e80)
allocated by thread T0 here:
    #0 0x76309aae007a in __interceptor_realloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0x7630956333b6 in add_hole kitty/disk-cache.c:251
    #2 0x76309563551f in remove_from_disk kitty/disk-cache.c:262
    #3 0x76309563f6f3 in remove_from_disk_cache kitty/disk-cache.c:529
    #4 0x7630956e108b in remove_from_cache kitty/graphics.c:50
    #5 0x7630956e125e in free_image_resources kitty/graphics.c:145
    #6 0x7630956e27bb in free_image kitty/graphics.c:162
    #7 0x7630956e2fc1 in remove_image kitty/graphics.c:230
    #8 0x7630956e3a45 in filter_refs kitty/graphics.c:1866
    #9 0x7630956f5689 in handle_delete_command kitty/graphics.c:2068
    #10 0x76309571488b in grman_handle_command kitty/graphics.c:2199
    #11 0x7630957ae7bb in screen_handle_graphics_command kitty/screen.c:1006
    #12 0x76309584644c in parse_graphics_code kitty/parse-graphics-command.h:382
    #13 0x763095846516 in dispatch_apc kitty/vt-parser.c:1327
    #14 0x763095842f07 in accumulate_st_terminated_esc_code kitty/vt-parser.c:403
    #15 0x763095843d10 in consume_input kitty/vt-parser.c:1387
    #16 0x763095844926 in run_worker kitty/vt-parser.c:1432
    #17 0x763095847824 in parse_worker kitty/vt-parser.c:1496
    #18 0x7630955f40ee in do_parse kitty/child-monitor.c:440
    #19 0x7630955facf7 in parse_input kitty/child-monitor.c:530
    #20 0x763095605d57 in process_global_state kitty/child-monitor.c:1233
    #21 0x763095605e7c in do_state_check kitty/child-monitor.c:1215
    #22 0x763094344cb4 in dispatchTimers glfw/backend_utils.c:208
    #23 0x763094345544 in pollForEvents glfw/backend_utils.c:309
    #24 0x763094303df8 in handleEvents glfw/wl_window.c:1161
    #25 0x76309430eb3a in _glfwPlatformWaitEvents glfw/wl_window.c:1708
    #26 0x7630942f6950 in _glfwPlatformRunMainLoop glfw/main_loop.h:30
    #27 0x7630942d10d0 in glfwRunMainLoop glfw/init.c:360
    #28 0x7630956c4306 in run_main_loop kitty/glfw.c:2095
    #29 0x7630955ebd14 in main_loop kitty/child-monitor.c:1259

SUMMARY: AddressSanitizer: heap-buffer-overflow kitty/disk-cache.c:253 in add_hole
Shadow bytes around the buggy address:
  0x519000645c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x519000645c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x519000645d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x519000645d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x519000645e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x519000645e80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000645f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000645f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000646000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000646080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x519000646100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4250==ABORTING
Nogesma commented 6 months ago

Thanks, I can confirm this fixes it