GNU bug report logs - #15907
24.3; Emacs crash due to substitute-command-keys and after-change-functions

Previous Next

Package: emacs;

Reported by: Artur Malabarba <bruce.connor.am <at> gmail.com>

Date: Fri, 15 Nov 2013 22:06:01 UTC

Severity: normal

Found in version 24.3

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 15907 in the body.
You can then email your comments to 15907 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#15907; Package emacs. (Fri, 15 Nov 2013 22:06:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Artur Malabarba <bruce.connor.am <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Fri, 15 Nov 2013 22:06:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Artur Malabarba <bruce.connor.am <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 24.3; Emacs crash due to substitute-command-keys and
 after-change-functions
Date: Fri, 15 Nov 2013 21:23:01 +0000 (GMT)

Emacs crashes whenever `substitute-command-keys' is invoked and one of
the functions in `after-change-functions' contains a call similar to
`(format "%s" 1)'.

To reproduce:

1. Start `emacs -Q';
2. Evaluate the following two statements:
       (add-hook 'after-change-functions (lambda (&rest a) (format "%s" 1)))
       (substitute-command-keys "\\{emacs-lisp-mode-map}")
3. That's it. Emacs crashes.

The crash doesn't happen if you replace the number 1 with a string or
a symbol, but it does also happen if you replace it with a list.

This is most annoying as it causes a crash whenever `describe-mode' is
invoked.

In GNU Emacs 24.3.1 (i686-pc-linux-gnu, GTK+ Version 3.8.2)
 of 2013-08-06 on -mnt-storage-buildroots-staging-i686-eric
Windowing system distributor `The X.Org Foundation', version 11.0.11403000
Configured using:
 `configure '--prefix=/usr' '--sysconfdir=/etc'
 '--libexecdir=/usr/lib' '--localstatedir=/var'
 '--with-x-toolkit=gtk3' '--with-xft' 'CFLAGS=-march=i686
 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4'
 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro'
 'CPPFLAGS=-D_FORTIFY_SOURCE=2''
 
Important settings:
  value of $LANG: en_GB.UTF-8
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t
  
Major mode: Summary

Minor modes in effect:
  jabber-activity-mode: t
  global-diff-hl-mode: t
  diff-auto-refine-mode: t
  global-undo-tree-mode: t
  undo-tree-mode: t
  show-paren-mode: t
  savehist-mode: t
  electric-indent-mode: t
  global-auto-complete-mode: t
  google-this-mode: t
  erc-list-mode: t
  erc-menu-mode: t
  erc-autojoin-mode: t
  erc-ring-mode: t
  erc-networks-mode: t
  erc-pcomplete-mode: t
  erc-track-mode: t
  erc-track-minor-mode: t
  erc-match-mode: t
  erc-button-mode: t
  erc-fill-mode: t
  erc-stamp-mode: t
  erc-netsplit-mode: t
  erc-irccontrols-mode: t
  erc-noncommands-mode: t
  erc-move-to-prompt-mode: t
  erc-readonly-mode: t
  yas-global-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  transient-mark-mode: t
  abbrev-mode: t
  
Recent input:
C-h m C-x C-o C-x C-k q q q C-h m <down-mouse-1> <mouse-1> 
C-x C-k C-x C-e C-1 s m a <tab> M-- C-1 C-= s m a <tab> 
<return> C-x C-o P P q C-รง M-x r e p o <tab> C-g <f12> 
M-x r e p o r <tab> m <tab> <backspace> b <tab> <r
eturn>

Artur Malabarba
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15907; Package emacs. (Sat, 16 Nov 2013 09:32:01 GMT) Full text and rfc822 format available.

Message #8 received at 15907 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Artur Malabarba <bruce.connor.am <at> gmail.com>
Cc: 15907 <at> debbugs.gnu.org
Subject: Re: bug#15907: 24.3;
 Emacs crash due to substitute-command-keys and after-change-functions
Date: Sat, 16 Nov 2013 11:31:16 +0200

> Date: Fri, 15 Nov 2013 21:23:01 +0000 (GMT)
> From: Artur Malabarba <bruce.connor.am <at> gmail.com>
> 
> Emacs crashes whenever `substitute-command-keys' is invoked and one of
> the functions in `after-change-functions' contains a call similar to
> `(format "%s" 1)'.
> 
> To reproduce:
> 
> 1. Start `emacs -Q';
> 2. Evaluate the following two statements:
>        (add-hook 'after-change-functions (lambda (&rest a) (format "%s" 1)))
>        (substitute-command-keys "\\{emacs-lisp-mode-map}")
> 3. That's it. Emacs crashes.
> 
> The crash doesn't happen if you replace the number 1 with a string or
> a symbol, but it does also happen if you replace it with a list.

It no longer crashes after changes in trunk revision 115119.

> This is most annoying as it causes a crash whenever `describe-mode' is
> invoked.

Since you didn't show any real-life use cases, I'm not sure that the
result is what you wanted, please do check.
Reply sent to Eli Zaretskii <eliz <at> gnu.org>:
You have taken responsibility. (Sat, 16 Nov 2013 10:31:02 GMT) Full text and rfc822 format available.
Notification sent to Artur Malabarba <bruce.connor.am <at> gmail.com>:
bug acknowledged by developer. (Sat, 16 Nov 2013 10:31:03 GMT) Full text and rfc822 format available.

Message #13 received at 15907-done <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: bruce.connor.am <at> gmail.com
Cc: 15907-done <at> debbugs.gnu.org
Subject: Re: bug#15907: 24.3;
 Emacs crash due to substitute-command-keys and after-change-functions
Date: Sat, 16 Nov 2013 12:29:36 +0200

> Date: Sat, 16 Nov 2013 11:31:16 +0200
> From: Eli Zaretskii <eliz <at> gnu.org>
> Cc: 15907 <at> debbugs.gnu.org
> 
> > 1. Start `emacs -Q';
> > 2. Evaluate the following two statements:
> >        (add-hook 'after-change-functions (lambda (&rest a) (format "%s" 1)))
> >        (substitute-command-keys "\\{emacs-lisp-mode-map}")
> > 3. That's it. Emacs crashes.
> > 
> > The crash doesn't happen if you replace the number 1 with a string or
> > a symbol, but it does also happen if you replace it with a list.
> 
> It no longer crashes after changes in trunk revision 115119.
> 
> > This is most annoying as it causes a crash whenever `describe-mode' is
> > invoked.
> 
> Since you didn't show any real-life use cases, I'm not sure that the
> result is what you wanted, please do check.

Actually, I think you will like revision 115120 much better.  The
underlying problem was that substitute-command-keys sometimes uses an
internal buffer, whose changes would trigger your after-change
function, which would invoke 'format', which uses the same internal
buffer...

As I now think I know what was your real-life problem, and it is now
fixed, I'm closing this bug report.  Feel free to re-open if there are
some leftovers.

Thanks.
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#15907; Package emacs. (Sat, 16 Nov 2013 12:39:02 GMT) Full text and rfc822 format available.

Message #16 received at 15907 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: bruce.connor.am <at> gmail.com
Cc: 15907 <at> debbugs.gnu.org
Subject: Re: bug#15907: 24.3;
 Emacs crash due to substitute-command-keys and after-change-functions
Date: Sat, 16 Nov 2013 14:37:59 +0200

> Date: Sat, 16 Nov 2013 11:46:21 +0000
> From: Bruce Connor <bruce.connor.am <at> gmail.com>
> 
> The real life use case was that having smart-mode-line active meant emacs
> would crash everytime I hit "C-h m".
> 
> However, I patched smart-mode-line with a work around for this yesterday,
> so it's not a use case anymore. I just figured "format" was such a basic
> function that it was good to report it anyway.

You may wish patching your Emacs with the patch below instead.

The problem was not in 'format', but in substitute-command-keys, btw.

Here's how I fixed that:

=== modified file 'src/doc.c'
--- src/doc.c	2013-08-11 01:30:20 +0000
+++ src/doc.c	2013-11-16 10:20:32 +0000
@@ -850,6 +850,7 @@ Otherwise, return a new string, without 
 	  /* This is for computing the SHADOWS arg for describe_map_tree.  */
 	  Lisp_Object active_maps = Fcurrent_active_maps (Qnil, Qnil);
 	  Lisp_Object earlier_maps;
+	  ptrdiff_t count = SPECPDL_INDEX ();
 
 	  changed = 1;
 	  strp += 2;		/* skip \{ or \< */
@@ -886,6 +887,10 @@ Otherwise, return a new string, without 
 	  /* Now switch to a temp buffer.  */
 	  oldbuf = current_buffer;
 	  set_buffer_internal (XBUFFER (Vprin1_to_string_buffer));
+	  /* This is for an unusual case where some after-change
+	     function uses 'format' or 'prin1' or something else that
+	     will thrash Vprin1_to_string_buffer we are using.  */
+	  specbind (Qinhibit_modification_hooks, Qt);
 
 	  if (NILP (tem))
 	    {
@@ -910,6 +915,7 @@ Otherwise, return a new string, without 
 	  tem = Fbuffer_string ();
 	  Ferase_buffer ();
 	  set_buffer_internal (oldbuf);
+	  unbind_to (count, Qnil);
 
 	subst_string:
 	  start = SDATA (tem);

=== modified file 'src/keymap.c'
--- src/keymap.c	2013-08-11 01:30:20 +0000
+++ src/keymap.c	2013-11-16 09:24:19 +0000
@@ -3383,9 +3383,12 @@ describe_map (Lisp_Object map, Lisp_Obje
 
       if (vect[i].shadowed)
 	{
-	  SET_PT (PT - 1);
+	  ptrdiff_t pt = max (PT - 1, BEG);
+
+	  SET_PT (pt);
 	  insert_string ("\n  (that binding is currently shadowed by another mode)");
-	  SET_PT (PT + 1);
+	  pt = min (PT + 1, Z);
+	  SET_PT (pt);
 	}
     }
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 15 Dec 2013 12:24:03 GMT) Full text and rfc822 format available.
This bug report was last modified 10 years and 145 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.