From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Alan Mackenzie Newsgroups: gmane.emacs.bugs Subject: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs Date: Sat, 19 Sep 2020 09:10:11 +0000 Message-ID: <20200919091011.GA6057@ACM> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="30155"; mail-complaints-to="usenet@ciao.gmane.io" Cc: 43499@debbugs.gnu.org To: Jeff Norden Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sat Sep 19 11:11:24 2020 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kJYtw-0007kb-BS for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 19 Sep 2020 11:11:24 +0200 Original-Received: from localhost ([::1]:42448 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kJYtv-0002PB-7g for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 19 Sep 2020 05:11:23 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:40084) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kJYta-0002P2-IX for bug-gnu-emacs@gnu.org; Sat, 19 Sep 2020 05:11:02 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:34098) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kJYta-0001py-9f for bug-gnu-emacs@gnu.org; Sat, 19 Sep 2020 05:11:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kJYta-0003aW-5X for bug-gnu-emacs@gnu.org; Sat, 19 Sep 2020 05:11:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Alan Mackenzie Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 19 Sep 2020 09:11:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 43499 X-GNU-PR-Package: emacs Original-Received: via spool by 43499-submit@debbugs.gnu.org id=B43499.160050662113736 (code B ref 43499); Sat, 19 Sep 2020 09:11:02 +0000 Original-Received: (at 43499) by debbugs.gnu.org; 19 Sep 2020 09:10:21 +0000 Original-Received: from localhost ([127.0.0.1]:45643 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kJYsv-0003ZU-Hc for submit@debbugs.gnu.org; Sat, 19 Sep 2020 05:10:21 -0400 Original-Received: from colin.muc.de ([193.149.48.1]:16817 helo=mail.muc.de) by debbugs.gnu.org with smtp (Exim 4.84_2) (envelope-from ) id 1kJYss-0003Z9-SB for 43499@debbugs.gnu.org; Sat, 19 Sep 2020 05:10:19 -0400 Original-Received: (qmail 84055 invoked by uid 3782); 19 Sep 2020 09:10:12 -0000 Original-Received: from acm.muc.de (p2e5d565a.dip0.t-ipconnect.de [46.93.86.90]) by localhost.muc.de (tmda-ofmipd) with ESMTP; Sat, 19 Sep 2020 11:10:11 +0200 Original-Received: (qmail 6119 invoked by uid 1000); 19 Sep 2020 09:10:11 -0000 Content-Disposition: inline In-Reply-To: X-Delivery-Agent: TMDA/1.1.12 (Macallan) X-Primary-Address: acm@muc.de X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:188372 Archived-At: Hello, Jeff. Thanks for taking the trouble to report this bug, and thanks also for analysing it and proposing a patch to fix it. On Fri, Sep 18, 2020 at 20:25:33 -0500, Jeff Norden wrote: > In an unusual circumstance, (forward-comment -1) can move the point before the > accessible buffer text. This can even result in the point becoming negative. > In the worst-case scenario, emacs becomes completely unresponsive, and it > might even be necessary to reboot the computer. > Instructions for those who want to verify this bug are below. But the > explanation and fix are fairly simple, so I'll start with that. > The problem is the following code for forward-comment, from syntax.c starting > at line 2542 (emacs-27.1). This is in the 2nd part of the function, which is > the code that runs when forward-comment is called with a negative arg to move > backwards. I've marked two relevant lines with * and **. [ Analysis and fix snipped for now. ] > ------------------------------ > Here are instructions for verifying this bug. The behavior below is what I've > observed under linux with the mate and gnome3 desktops. I don't know what > will happen under ms-windows or macos. > 1) Please be sure that there are no open applications with unsaved data. > Obviously, don't try this on a mission-critical server. > 2) The safest thing is to run 'emacs -nw -Q' from a terminal window. Or, use > a linux console, as long as you will be able to switch to another console to > kill emacs. > 3) Open a plain fundamental-mode buffer. Do "M-x modify-syntax-entry @ !" to > make the at-sign into a generic fence comment character. Then put > @This is a fenced comment@ > at the start of the buffer. The first at-sign should be the first character of > the buffer. > 4) Try 'M-: (forward-comment -1)' with the cursor at the start of the second line. > The cursor should move to the beginning of the buffer, verifying that the > first line is a comment. > 5) Now place the cursor on the 'T' after the first at-sign, so the point is > between them, at the 2nd buffer position. Do 'M-: (forward-comment -1)' > again, and emacs should be dead. > ------------------------------ I can confirm that there is a bug, here. When I do the above on Emacs 28 master in a Linux TTY, I get a segfault. I agree with the OP that this needs fixing, and his fix [snipped] is likely a good one. [ .... ] > AFAICT, there doesn't seem to be a similar problem with (forward-comment +1). No. At this level, forward and backwards movement over comments use different code. > ============================== > In case you are wondering how I stumbled onto this, in CWEB (the Knuth/Levy > literate programming system) sections are defined and referenced with the > following syntax: > @ > One way to highlight these is to set the syntax-table property of the initial > '@' and the final '>' to comment-fence, which also prevents the description > itself from being interpreted as code. A CWEB file won't ever start with this > construct, but the definition of a code section does, and it is useful to > temporarily narrow the buffer to a section of code, including its name. > When I traced the source of args-out-of-range errors to forward-comment, I > realized that narrowing the buffer wasn't even necessary. When I tested that > hypothesis, emacs froze up my desktop. Interesting! > -Jeff > ============================================================ > In GNU Emacs 27.1 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.22, cairo version 1.17.3) > of 2020-08-28 built on juergen > Windowing system distributor 'The X.Org Foundation', version 11.0.12008000 > System Description: Manjaro Linux -- Alan Mackenzie (Nuremberg, Germany).