bug#15907: 24.3; Emacs crash due to substitute-command-keys and after-change-functions

bug#15907: 24.3; Emacs crash due to substitute-command-keys and after-change-functions

[Artur Malabarba]

Emacs crashes whenever `substitute-command-keys' is invoked and one of
the functions in `after-change-functions' contains a call similar to
`(format "%s" 1)'.

To reproduce:

1. Start `emacs -Q';
2. Evaluate the following two statements:
       (add-hook 'after-change-functions (lambda (&rest a) (format "%s" 1)))
       (substitute-command-keys "\\{emacs-lisp-mode-map}")
3. That's it. Emacs crashes.

The crash doesn't happen if you replace the number 1 with a string or
a symbol, but it does also happen if you replace it with a list.

This is most annoying as it causes a crash whenever `describe-mode' is
invoked.

In GNU Emacs 24.3.1 (i686-pc-linux-gnu, GTK+ Version 3.8.2)
 of 2013-08-06 on -mnt-storage-buildroots-staging-i686-eric
Windowing system distributor `The X.Org Foundation', version 11.0.11403000
Configured using:
 `configure '--prefix=/usr' '--sysconfdir=/etc'
 '--libexecdir=/usr/lib' '--localstatedir=/var'
 '--with-x-toolkit=gtk3' '--with-xft' 'CFLAGS=-march=i686
 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4'
 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro'
 'CPPFLAGS=-D_FORTIFY_SOURCE=2''
 
Important settings:
  value of $LANG: en_GB.UTF-8
  locale-coding-system: utf-8-unix
  default enable-multibyte-characters: t
  
Major mode: Summary

Minor modes in effect:
  jabber-activity-mode: t
  global-diff-hl-mode: t
  diff-auto-refine-mode: t
  global-undo-tree-mode: t
  undo-tree-mode: t
  show-paren-mode: t
  savehist-mode: t
  electric-indent-mode: t
  global-auto-complete-mode: t
  google-this-mode: t
  erc-list-mode: t
  erc-menu-mode: t
  erc-autojoin-mode: t
  erc-ring-mode: t
  erc-networks-mode: t
  erc-pcomplete-mode: t
  erc-track-mode: t
  erc-track-minor-mode: t
  erc-match-mode: t
  erc-button-mode: t
  erc-fill-mode: t
  erc-stamp-mode: t
  erc-netsplit-mode: t
  erc-irccontrols-mode: t
  erc-noncommands-mode: t
  erc-move-to-prompt-mode: t
  erc-readonly-mode: t
  yas-global-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  buffer-read-only: t
  transient-mark-mode: t
  abbrev-mode: t
  
Recent input:
C-h m C-x C-o C-x C-k q q q C-h m <down-mouse-1> <mouse-1> 
C-x C-k C-x C-e C-1 s m a <tab> M-- C-1 C-= s m a <tab> 
<return> C-x C-o P P q C-ç M-x r e p o <tab> C-g <f12> 
M-x r e p o r <tab> m <tab> <backspace> b <tab> <r
eturn>

Artur Malabarba

bug#15907: 24.3; Emacs crash due to substitute-command-keys and after-change-functions

[Eli Zaretskii]

> Date: Fri, 15 Nov 2013 21:23:01 +0000 (GMT)
> From: Artur Malabarba <bruce.connor.am@gmail.com>
> 
> Emacs crashes whenever `substitute-command-keys' is invoked and one of
> the functions in `after-change-functions' contains a call similar to
> `(format "%s" 1)'.
> 
> To reproduce:
> 
> 1. Start `emacs -Q';
> 2. Evaluate the following two statements:
>        (add-hook 'after-change-functions (lambda (&rest a) (format "%s" 1)))
>        (substitute-command-keys "\\{emacs-lisp-mode-map}")
> 3. That's it. Emacs crashes.
> 
> The crash doesn't happen if you replace the number 1 with a string or
> a symbol, but it does also happen if you replace it with a list.

It no longer crashes after changes in trunk revision 115119.

> This is most annoying as it causes a crash whenever `describe-mode' is
> invoked.

Since you didn't show any real-life use cases, I'm not sure that the
result is what you wanted, please do check.

bug#15907: 24.3; Emacs crash due to substitute-command-keys and after-change-functions

[Eli Zaretskii]

> Date: Sat, 16 Nov 2013 11:31:16 +0200
> From: Eli Zaretskii <eliz@gnu.org>
> Cc: 15907@debbugs.gnu.org
> 
> > 1. Start `emacs -Q';
> > 2. Evaluate the following two statements:
> >        (add-hook 'after-change-functions (lambda (&rest a) (format "%s" 1)))
> >        (substitute-command-keys "\\{emacs-lisp-mode-map}")
> > 3. That's it. Emacs crashes.
> > 
> > The crash doesn't happen if you replace the number 1 with a string or
> > a symbol, but it does also happen if you replace it with a list.
> 
> It no longer crashes after changes in trunk revision 115119.
> 
> > This is most annoying as it causes a crash whenever `describe-mode' is
> > invoked.
> 
> Since you didn't show any real-life use cases, I'm not sure that the
> result is what you wanted, please do check.

Actually, I think you will like revision 115120 much better.  The
underlying problem was that substitute-command-keys sometimes uses an
internal buffer, whose changes would trigger your after-change
function, which would invoke 'format', which uses the same internal
buffer...

As I now think I know what was your real-life problem, and it is now
fixed, I'm closing this bug report.  Feel free to re-open if there are
some leftovers.

Thanks.

bug#15907: 24.3; Emacs crash due to substitute-command-keys and after-change-functions

[Eli Zaretskii]

> Date: Sat, 16 Nov 2013 11:46:21 +0000
> From: Bruce Connor <bruce.connor.am@gmail.com>
> 
> The real life use case was that having smart-mode-line active meant emacs
> would crash everytime I hit "C-h m".
> 
> However, I patched smart-mode-line with a work around for this yesterday,
> so it's not a use case anymore. I just figured "format" was such a basic
> function that it was good to report it anyway.

You may wish patching your Emacs with the patch below instead.

The problem was not in 'format', but in substitute-command-keys, btw.

Here's how I fixed that:

=== modified file 'src/doc.c'
--- src/doc.c	2013-08-11 01:30:20 +0000
+++ src/doc.c	2013-11-16 10:20:32 +0000
@@ -850,6 +850,7 @@ Otherwise, return a new string, without 
 	  /* This is for computing the SHADOWS arg for describe_map_tree.  */
 	  Lisp_Object active_maps = Fcurrent_active_maps (Qnil, Qnil);
 	  Lisp_Object earlier_maps;
+	  ptrdiff_t count = SPECPDL_INDEX ();
 
 	  changed = 1;
 	  strp += 2;		/* skip \{ or \< */
@@ -886,6 +887,10 @@ Otherwise, return a new string, without 
 	  /* Now switch to a temp buffer.  */
 	  oldbuf = current_buffer;
 	  set_buffer_internal (XBUFFER (Vprin1_to_string_buffer));
+	  /* This is for an unusual case where some after-change
+	     function uses 'format' or 'prin1' or something else that
+	     will thrash Vprin1_to_string_buffer we are using.  */
+	  specbind (Qinhibit_modification_hooks, Qt);
 
 	  if (NILP (tem))
 	    {
@@ -910,6 +915,7 @@ Otherwise, return a new string, without 
 	  tem = Fbuffer_string ();
 	  Ferase_buffer ();
 	  set_buffer_internal (oldbuf);
+	  unbind_to (count, Qnil);
 
 	subst_string:
 	  start = SDATA (tem);

=== modified file 'src/keymap.c'
--- src/keymap.c	2013-08-11 01:30:20 +0000
+++ src/keymap.c	2013-11-16 09:24:19 +0000
@@ -3383,9 +3383,12 @@ describe_map (Lisp_Object map, Lisp_Obje
 
       if (vect[i].shadowed)
 	{
-	  SET_PT (PT - 1);
+	  ptrdiff_t pt = max (PT - 1, BEG);
+
+	  SET_PT (pt);
 	  insert_string ("\n  (that binding is currently shadowed by another mode)");
-	  SET_PT (PT + 1);
+	  pt = min (PT + 1, Z);
+	  SET_PT (pt);
 	}
     }