emacs: fdsan: attempted to close file descriptor 2, expected to be unowned, actually owned by FILE* 0xb6c8800c

[Grimler91]

Problem description

When exiting emacs on android 11 a fdsan error is thrown.

Steps to reproduce

Run emacs and then exit.

Expected behavior

Emacs should close without triggering a file descriptor sanitizer error.

Additional information

gdb backtrace from debug build shows:

~ $ gdb --args emacs
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "arm-linux-androideabi".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from emacs...
(gdb) r
Starting program: /data/data/com.termux/files/usr/bin/emacs 
fdsan: attempted to close file descriptor 2, expected to be unowned, actually owned by FILE* 0xb6c8800c

Program received signal SIGABRT, Aborted.
0xb65569e8 in fdsan_error(char const*, ...) () from /apex/com.android.runtime/lib/bionic/libc.so
(gdb) bt
#0  0xb65569e8 in fdsan_error(char const*, ...) () from /apex/com.android.runtime/lib/bionic/libc.so
#1  0xb65566fe in android_fdsan_close_with_tag () from /apex/com.android.runtime/lib/bionic/libc.so
#2  0xb65963c0 in __sclose () from /apex/com.android.runtime/lib/bionic/libc.so
#3  0xb6596f24 in __FILE_close(__sFILE*) () from /apex/com.android.runtime/lib/bionic/libc.so
#4  0x7f7e6a76 in close_stream (stream=0xb65abe44 <__sF+168>) at /home/builder/.termux-build/emacs/src/lib/close-stream.c:61
#5  0x7f68a872 in close_output_streams () at /home/builder/.termux-build/emacs/src/src/sysdep.c:2840
#6  0xb659f0d6 in __cxa_finalize () from /apex/com.android.runtime/lib/bionic/libc.so
#7  0xb659a7b8 in exit () from /apex/com.android.runtime/lib/bionic/libc.so
#8  0x7f655828 in Fkill_emacs (arg=...) at /home/builder/.termux-build/emacs/src/src/emacs.c:2416
#9  0x7f739ada in funcall_subr (subr=0x7f84b0b8 <Skill_emacs>, numargs=0, args=0xbeffcad8) at /home/builder/.termux-build/emacs/src/src/eval.c:2868
#10 0x7f738a02 in Ffuncall (nargs=1, args=0xbeffcad4) at /home/builder/.termux-build/emacs/src/src/eval.c:2795
#11 0x7f796982 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0xbeffd418) at /home/builder/.termux-build/emacs/src/src/bytecode.c:633
#12 0x7f739eb2 in funcall_lambda (fun=..., nargs=1, arg_vector=0xbeffd414) at /home/builder/.termux-build/emacs/src/src/eval.c:2990
#13 0x7f738a2e in Ffuncall (nargs=2, args=0xbeffd410) at /home/builder/.termux-build/emacs/src/src/eval.c:2797
#14 0x7f796982 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0xbeffddb4) at /home/builder/.termux-build/emacs/src/src/bytecode.c:633
#15 0x7f739eb2 in funcall_lambda (fun=..., nargs=1, arg_vector=0xbeffddb0) at /home/builder/.termux-build/emacs/src/src/eval.c:2990
#16 0x7f738a2e in Ffuncall (nargs=2, args=0xbeffddac) at /home/builder/.termux-build/emacs/src/src/eval.c:2797
#17 0x7f72922a in Ffuncall_interactively (nargs=2, args=0xbeffddac) at /home/builder/.termux-build/emacs/src/src/callint.c:254
#18 0x7f7399fa in funcall_subr (subr=0x7f84dcb0 <Sfuncall_interactively>, numargs=2, args=0xbeffddac) at /home/builder/.termux-build/emacs/src/src/eval.c:2848
#19 0x7f738a02 in Ffuncall (nargs=3, args=0xbeffdda8) at /home/builder/.termux-build/emacs/src/src/eval.c:2795
#20 0x7f72c08a in Fcall_interactively (function=..., record_flag=..., keys=...) at /home/builder/.termux-build/emacs/src/src/callint.c:783
#21 0x7f739b0e in funcall_subr (subr=0x7f84dc98 <Scall_interactively>, numargs=3, args=0xbeffe658) at /home/builder/.termux-build/emacs/src/src/eval.c:2873
#22 0x7f738a02 in Ffuncall (nargs=4, args=0xbeffe654) at /home/builder/.termux-build/emacs/src/src/eval.c:2795
#23 0x7f796982 in exec_byte_code (bytestr=..., vector=..., maxdepth=..., args_template=..., nargs=1, args=0xbeffef14) at /home/builder/.termux-build/emacs/src/src/bytecode.c:633
#24 0x7f739eb2 in funcall_lambda (fun=..., nargs=1, arg_vector=0xbeffef10) at /home/builder/.termux-build/emacs/src/src/eval.c:2990
#25 0x7f738a2e in Ffuncall (nargs=2, args=0xbeffef0c) at /home/builder/.termux-build/emacs/src/src/eval.c:2797
#26 0x7f739576 in call1 (fn=..., arg1=...) at /home/builder/.termux-build/emacs/src/src/eval.c:2655
#27 0x7f65a6b8 in command_loop_1 () at /home/builder/.termux-build/emacs/src/src/keyboard.c:1463
#28 0x7f734222 in internal_condition_case (bfun=0x7f659e3d <command_loop_1>, handlers=..., hfun=0x7f671bcd <cmd_error>) at /home/builder/.termux-build/emacs/src/src/eval.c:1356
#29 0x7f671af4 in command_loop_2 (ignore=...) at /home/builder/.termux-build/emacs/src/src/keyboard.c:1091
#30 0x7f7336fc in internal_catch (tag=..., func=0x7f671ad5 <command_loop_2>, arg=...) at /home/builder/.termux-build/emacs/src/src/eval.c:1117
#31 0x7f659254 in command_loop () at /home/builder/.termux-build/emacs/src/src/keyboard.c:1070
#32 0x7f65912c in recursive_edit_1 () at /home/builder/.termux-build/emacs/src/src/keyboard.c:714
#33 0x7f659424 in Frecursive_edit () at /home/builder/.termux-build/emacs/src/src/keyboard.c:786
#34 0x7f6569d4 in main (argc=1, argv=0xbefff514) at /home/builder/.termux-build/emacs/src/src/emacs.c:2067

And this is the termux-info of the test device:

Application version:
0.108
Packages CPU architecture:
arm
Subscribed repositories:
# sources.list
deb https://grimler.se/termux-packages-24 stable main
# game-repo (sources.list.d/game.list)
deb https://grimler.se/game-packages-24 games stable
# science-repo (sources.list.d/science.list)
deb https://grimler.se/science-packages-24 science stable
# unstable-repo (sources.list.d/unstable.list)
deb https://grimler.se/unstable-packages unstable main
Updatable packages:
emacs/stable 27.2 arm [upgradable from: 27.2]
zlib/stable 1.2.11-5 arm [upgradable from: 1.2.11-5]
Android version:
11
Kernel build information:
Linux localhost 3.10.108-gb16e5db74e4-04854-g2c1ef8b1a50 #2 SMP PREEMPT Sun Mar 28 12:06:49 MDT 2021 armv7l Android
Device manufacturer:
samsung
Device model:
SM-T550

(I am also seeing a FORTIFY: %n not allowed on Android error that I have not been able to find the origin of yet)

[Grimler91]

For emacs I get this minimum program for reproducing the crash:

#include <stdio.h>
int main()
{
  fdopen (2, "w");
  fclose (stderr);
}

Could someone on stock android 11 compile (clang -o test test.c) and run this example and verify that it causes a fdsan error?

(I have only tested on lineageos)

[Grimler91]

The issue here is probably that stderr is not closed through the file descriptor obtained from fdopen.

Changing to

#include <stdio.h>
int main()
{
  FILE *err = fdopen (2, "w");
  fclose (err);
}

works. I have proposed a patch on the emacs mailing list.

[daraul]

@Grimler91 I tested your first suggestion on a stock pixel 3a and didn't get the fdsan error.

Apologies, I realized after the fact that it's running android 10.

[Grimler91]

@daraul thanks, on android 10 the default error level is "warn-once", so logcat should show an error first time you run the program (but only first time, per boot or app start or something)

[ghost]

Fixed in 27.2-1.