GNU bug report logs - #80861
`treesit_cursor_helper` segv

Please note: This is a static page, with minimal formatting, updated once a day.

Package: emacs; Reported by: Stéphane Marks <shipmints@HIDDEN>; dated Sun, 19 Apr 2026 11:20:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


From: Stéphane Marks <shipmints@HIDDEN>
Date: Sun, 19 Apr 2026 07:19:31 -0400
Message-ID: <CAN+1HbrWwyGHp0xaB9k6QU5iuYxjzaXUTurHm0UHY4_MmqyVww@HIDDEN>
Subject: `treesit_cursor_helper` segv
To: bug-gnu-emacs@HIDDEN
Cc: Rahul Juliato <rahul.juliato@HIDDEN>, Yuan Fu <casouri@HIDDEN>,
 Juri Linkov <juri@HIDDEN>


I've been able to trigger this in a narrowed buffer.  It's been tricky to
create a standalone reproducer, so hopefully the below stack info provides
a solid clue.  In the meantime, I wrapped the code that triggered this with
`without-restriction`.

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x0000000100a0b325 libtree-sitter.0.26.dylib`ts_node_end_byte + 19

^^^^^ This is libtree-sitter 0.26.

    frame #1: 0x00000001003893d2 emacs`treesit_cursor_helper(cursor=0x00007ff7bfef3370, node=TSNode @ 0x00007ff7bfef32f0, parser=(i = 0x00007fcfb2112475)) at treesit.c:4286:22
    frame #2: 0x000000010038d4b0 emacs`Ftreesit_search_forward(start=(i = 0x00007fcfc27dbcfd), predicate=(i = 0x00007fcfc18f3854), backward=(i = 0x0000000002045270), all=(i = 0x0000000000000000)) at treesit.c:4885:8
    frame #3: 0x00000001002aa8b7 emacs`funcall_subr(subr=0x00000001004d2fb0, numargs=3, args=0x00007fcfc81784b0) at eval.c:3258:15
(lldb) up
frame #1: 0x00000001003893d2 emacs`treesit_cursor_helper(cursor=0x00007ff7bfef3370, node=TSNode @ 0x00007ff7bfef32f0, parser=(i = 0x00007fcfb2112475)) at treesit.c:4286:22
   4283 treesit_cursor_helper (TSTreeCursor *cursor, TSNode node, Lisp_Object parser)
   4284 {
   4285  uint32_t start_pos = ts_node_start_byte (node);
-> 4286  uint32_t end_pos = ts_node_end_byte (node);
   4287  TSNode root = ts_tree_root_node (XTS_PARSER (parser)->tree);
   4288  *cursor = ts_tree_cursor_new (root);
   4289  bool success = treesit_cursor_helper_1 (cursor, &node, start_pos,
(lldb) up
frame #2: 0x000000010038d4b0 emacs`Ftreesit_search_forward(start=(i = 0x00007fcfc27dbcfd), predicate=(i = 0x00007fcfc18f3854), backward=(i = 0x0000000002045270), all=(i = 0x0000000000000000)) at treesit.c:4885:8
   4882
   4883  Lisp_Object return_value = Qnil;
   4884  TSTreeCursor cursor;
-> 4885  if (!treesit_cursor_helper (&cursor, XTS_NODE (start)->node, parser))
   4886    return return_value;
   4887
   4888  specpdl_ref count = SPECPDL_INDEX ();

-Stéphane





Acknowledgement sent to Stéphane Marks <shipmints@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#80861; Package emacs. Full text available.
Last modified: Sun, 19 Apr 2026 11:30:03 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.