Describe the bug
Kitty sometimes crashes due to a segfault when clicking on a hyperlink of the hyperlinked_grep kitten. Running kitty with ASan always reports a use-after-free (maybe an old window pointer is being used, the one from before the realloc in kitty/state.c:271?).
To Reproduce
Steps to reproduce the behavior:
1. Write the provided example config file (see Additional context) for open-actions.conf
2. Run the hyperlinked_grep kitten (kitty +kitten hyperlinked_grep test)
3. Click on a result line (not on the file name)
4. A use-after-free occurs
Environment details
kitty 0.26.2 (1c44da2b4a) created by Kovid Goyal
Linux sinkpad 5.19.9-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Thu, 15 Sep 2022 16:08:24 +0000 x86_64
Arch Linux 5.19.9-zen1-1-zen (/dev/tty)
DISTRIB_ID="Arch"
DISTRIB_RELEASE="rolling"
DISTRIB_DESCRIPTION="Arch Linux"
Running under: Wayland
Frozen: False
Paths:
kitty: /home/s/repos/kitty/kitty/launcher/kitty
base dir: /home/s/repos/kitty
extensions dir: /home/s/repos/kitty/kitty
system shell: /bin/zsh
Config options different from defaults:
Important environment variables seen by the kitty process:
PATH /home/s/repos/kitty/kitty/launcher:/home/s/.local/bin:/home/s/.cargo/bin:/home/s/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/opt/devkitpro/tools/bin:/media/data/intelFPGA_lite/20.1/quartus/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/home/s/.local/share/npm/bin:/home/s/.dotnet/tools:/var/lib/flatpak/exports/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl:/home/s/.local/share/JetBrains/Toolbox/scripts
LANG en_US.UTF-8
EDITOR nvim
SHELL /bin/zsh
DISPLAY :1
WAYLAND_DISPLAY wayland-0
USER s
XCURSOR_SIZE 24
LC_MONETARY de_DE.UTF-8
LC_NUMERIC de_DE.UTF-8
LC_TIME de_DE.UTF-8
XDG_DATA_DIRS /home/s/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share
XDG_SEAT seat0
LC_MEASUREMENT de_DE.UTF-8
XDG_SEAT_PATH /org/freedesktop/DisplayManager/Seat0
XDG_SESSION_CLASS user
XDG_SESSION_PATH /org/freedesktop/DisplayManager/Session1
XDG_CURRENT_DESKTOP KDE
XDG_RUNTIME_DIR /run/user/1000
XDG_VTNR 1
XDG_SESSION_DESKTOP KDE
XDG_CONFIG_HOME /home/s/.config
XDG_SESSION_TYPE wayland
XDG_SESSION_ID 2
XDG_CONFIG_DIRS /home/s/.config/kdedefaults:/etc/xdg
XDG_CACHE_HOME /home/s/.cache
XDG_DATA_HOME /home/s/.local/share
Additional context
Minimal config (based on the example config), .config/kitty/open-actions.conf:
    protocol file
    fragment_matches [0-9]+
    action launch --type=overlay vim +${FRAGMENT} ${FILE_PATH}
No kitty.conf is needed.
ASan output (latest git revision of kitty):
=================================================================
==108303==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000966f8 at pc 0x7f139d1edbcc bp 0x7fff413a9aa0 sp 0x7fff413a9a90
WRITE of size 32 at 0x61a0000966f8 thread T0
#0 0x7f139d1edbcb in send_pending_click_to_window kitty/mouse.c:496
#1 0x7f139d297f5d in send_pending_click_to_window_id kitty/state.c:596
#2 0x7f139bc1a54d in dispatchTimers glfw/backend_utils.c:209
#3 0x7f139bc1ad90 in pollForEvents glfw/backend_utils.c:310
#4 0x7f139bbe2320 in handleEvents glfw/wl_window.c:796
#5 0x7f139bbe9fd0 in _glfwPlatformWaitEvents glfw/wl_window.c:1309
#6 0x7f139bbd691a in _glfwPlatformRunMainLoop glfw/main_loop.h:30
#7 0x7f139bbb3cff in glfwRunMainLoop glfw/init.c:355
#8 0x7f139d158e02 in run_main_loop kitty/glfw.c:1590
#9 0x7f139d0a57b5 in main_loop kitty/child-monitor.c:1150
#10 0x7f13a05f96b3 (/usr/lib/libpython3.10.so.1.0+0x1596b3)
#11 0x7f13a05e65b9 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x1465b9)
#12 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
#13 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
#14 0x7f13a05ef53a in _PyObject_FastCallDictTstate (/usr/lib/libpython3.10.so.1.0+0x14f53a)
#15 0x7f13a05ffb8c in _PyObject_Call_Prepend (/usr/lib/libpython3.10.so.1.0+0x15fb8c)
#16 0x7f13a06cbf01 (/usr/lib/libpython3.10.so.1.0+0x22bf01)
#17 0x7f13a05f024a in _PyObject_MakeTpCall (/usr/lib/libpython3.10.so.1.0+0x15024a)
#18 0x7f13a05eafab in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x14afab)
#19 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
#20 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
#21 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
#22 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
#23 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
#24 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
#25 0x7f13a05e4dcf (/usr/lib/libpython3.10.so.1.0+0x144dcf)
#26 0x7f13a0693fb3 in PyEval_EvalCode (/usr/lib/libpython3.10.so.1.0+0x1f3fb3)
#27 0x7f13a069a29a (/usr/lib/libpython3.10.so.1.0+0x1fa29a)
#28 0x7f13a05f701e (/usr/lib/libpython3.10.so.1.0+0x15701e)
#29 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
#30 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
#31 0x7f13a05e6185 in _PyEval_EvalFrameDefault (/usr/lib/libpython3.10.so.1.0+0x146185)
#32 0x7f13a05f6e28 in _PyFunction_Vectorcall (/usr/lib/libpython3.10.so.1.0+0x156e28)
#33 0x7f13a06b7da6 (/usr/lib/libpython3.10.so.1.0+0x217da6)
#34 0x7f13a0536d6c (/usr/lib/libpython3.10.so.1.0+0x96d6c)
#35 0x55902a7289f6 in run_embedded kitty/launcher/main.c:203
#36 0x55902a729839 in main kitty/launcher/main.c:338
#37 0x7f139fca328f (/usr/lib/libc.so.6+0x2328f)
#38 0x7f139fca3349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
#39 0x55902a7273b4 in _start ../sysdeps/x86_64/start.S:115
0x61a0000966f8 is located 120 bytes inside of 1248-byte region [0x61a000096680,0x61a000096b60)
freed by thread T0 here:
#0 0x7f13a0a2f7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
#1 0x7f139d28d423 in add_window kitty/state.c:271
#2 0x7f139d28db35 in pyadd_window kitty/state.c:1255
#3 0x7f13a05f6997 (/usr/lib/libpython3.10.so.1.0+0x156997)
previously allocated by thread T0 here:
#0 0x7f13a0a2f7ea in __interceptor_realloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:85
#1 0x7f139d28d423 in add_window kitty/state.c:271
#2 0x7f139d28db35 in pyadd_window kitty/state.c:1255
#3 0x7f13a05f6997 (/usr/lib/libpython3.10.so.1.0+0x156997)
SUMMARY: AddressSanitizer: heap-use-after-free kitty/mouse.c:496 in send_pending_click_to_window
Shadow bytes around the buggy address:
0x0c348000ac80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000ac90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000aca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000acb0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c348000acc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c348000acd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c348000ace0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000acf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000ad00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000ad10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348000ad20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==108303==ABORTING
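The trace above shows the click being delivered from a timer callback (send_pending_click_to_window_id, then the write in send_pending_click_to_window at mouse.c:496) into a 1248-byte region that add_window (state.c:271) had already freed by realloc'ing the window array when the overlay was launched. That is the shape of a stale-pointer-across-realloc bug: a pointer into a realloc-grown array is captured when the click is queued, the array grows and moves, and the deferred callback writes through the old pointer. The following is an added example, not kitty's code, that reproduces that hazard in a self-contained C program and shows the usual remedy of carrying the window id in the timer payload and resolving it at dispatch time (which also handles the window being closed before the timer fires). All names (Tab, Window, add_window, window_for_id, fire_by_id and the rest) are assumptions modelled on the trace, not kitty's actual definitions, and the report does not establish where exactly kitty's stale pointer originates.

```c
/* Added example (not kitty's code): a Window* into a realloc-grown array goes
 * stale when the array grows; an id resolved at dispatch time does not.
 * All names are assumptions modelled on the ASan trace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long long id_type;

typedef struct {
    id_type id;
    int clicks_delivered;   /* stands in for the state the timer callback writes */
    char payload[1200];     /* keeps the record large, like a real window struct */
} Window;

typedef struct {
    Window *windows;        /* contiguous array of Window values, grown by realloc */
    size_t num_windows, capacity;
} Tab;

static id_type next_window_id = 1;

/* Appends a window. When the array is full it is realloc'ed, so every Window*
 * handed out earlier may now point into freed memory. */
Window *add_window(Tab *tab) {
    if (tab->num_windows >= tab->capacity) {
        size_t new_cap = tab->capacity ? tab->capacity * 2 : 1;
        Window *grown = realloc(tab->windows, new_cap * sizeof(Window));
        if (!grown) { perror("realloc"); exit(EXIT_FAILURE); }
        tab->windows = grown;
        tab->capacity = new_cap;
    }
    Window *w = &tab->windows[tab->num_windows++];
    memset(w, 0, sizeof *w);
    w->id = next_window_id++;
    return w;
}

/* Removes a window by id, compacting the array. Returns 1 if it was found. */
int remove_window(Tab *tab, id_type id) {
    for (size_t i = 0; i < tab->num_windows; i++) {
        if (tab->windows[i].id != id) continue;
        memmove(&tab->windows[i], &tab->windows[i + 1],
                (tab->num_windows - i - 1) * sizeof(Window));
        tab->num_windows--;
        return 1;
    }
    return 0;
}

/* Resolves an id against the array as it is *now*; never cache the result. */
Window *window_for_id(Tab *tab, id_type id) {
    for (size_t i = 0; i < tab->num_windows; i++)
        if (tab->windows[i].id == id) return &tab->windows[i];
    return NULL;
}

/* The deferred work: in the report, send_pending_click_to_window writes into the Window. */
void deliver_click(Window *w) { w->clicks_delivered++; }

/* BUGGY: the timer payload captures a raw Window* at click time. If add_window()
 * runs before the timer fires, this writes into freed memory: ASan reports
 * heap-use-after-free; without ASan it is silent corruption or a segfault. */
typedef struct { Window *w; } PendingClickByPointer;
void fire_by_pointer(PendingClickByPointer *pc) { deliver_click(pc->w); }

/* FIXED: the payload holds the id, resolved when the timer fires; the click is
 * dropped if the window is gone. Returns 1 if delivered, else 0. */
typedef struct { id_type window_id; } PendingClickById;
int fire_by_id(Tab *tab, PendingClickById *pc) {
    Window *w = window_for_id(tab, pc->window_id);
    if (!w) return 0;
    deliver_click(w);
    return 1;
}

/* Shape of the report: click in window 1, the open-actions launch adds overlay
 * windows (array grows and moves), then the pending-click timer fires.
 * Returns clicks delivered to window 1: 1 with the id-based payload. */
int scenario_overlay_then_timer(void) {
    Tab tab = {0};
    PendingClickById pc = { add_window(&tab)->id };  /* queue the click by id */
    for (int i = 0; i < 8; i++) add_window(&tab);    /* grows 1 -> 2 -> 4 -> 8 -> 16 slots */
    fire_by_id(&tab, &pc);
    int delivered = window_for_id(&tab, pc.window_id)->clicks_delivered;
    free(tab.windows);
    return delivered;
}

/* Window closed before the timer fires: lookup fails and the click is dropped (0). */
int scenario_closed_then_timer(void) {
    Tab tab = {0};
    PendingClickById pc = { add_window(&tab)->id };
    add_window(&tab);
    remove_window(&tab, pc.window_id);
    int delivered = fire_by_id(&tab, &pc);
    free(tab.windows);
    return delivered;
}

int main(void) {
    printf("overlay then timer: %d, closed then timer: %d\n",
           scenario_overlay_then_timer(), scenario_closed_then_timer());
    return 0;  /* build with -fsanitize=address and fire a PendingClickByPointer to see the UAF report */
}
```

The important design point is that the timer payload never owns a pointer into storage that another code path can realloc or compact; it owns an identifier and pays for a lookup at the moment of use. That lookup is also the natural place to handle the window having been closed in the meantime, a case a raw pointer cannot even detect.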