bug#60096: 29.0.60; Crash in format_mode_line_unwind_data

[martin rudalics <rudalics@gmx.at>]

 > It is needed in this case because it forces redisplay to recompute the
 > window list (in propagate_buffer_redisplay, if not earlier).  If the
 > above is not done, Vwindow_list will be reused, and the problematic
 > (bogus?) windows in it _will_ cause a crash.
 >
 > Specifically, here's what happens:
 >
 >  . We call
 >
 > 	      wset_buffer (w, other_buffer_safely (Fcurrent_buffer ()));
 >
 >  . other_buffer_safely cannot find a single buffer that satisfies the
 >    candidate_buffer condition, so it ends up recreating *scratch*
 >    (whose deletion caused this mess to begin with) by calling
 >    get-scratch-buffer-create in Lisp
 >  . get-scratch-buffer-create calls substitute-command-keys to produce
 >    the blurb we put in the comment at the beginning of *scratch*
 >  . substitute-command-keys uses a temporary buffer to format the
 >    message, and calls kill-buffer to delete that buffer when it's done
 >  . kill-buffer calls replace_buffer_in_windows, which calls
 >    replace-buffer-in-windows in Lisp
 >  . replace-buffer-in-windows calls window-list-1, which calls
 >    window_list, which fills Vwindow_list with windows that have no
 >    buffer:
 >
 >     (gdb) pp Vwindow_list
 >     (#<window 8> #<window 4>)
 >
 >  . one of these windows gets assigned a buffer, eventually, since it's
 >    a selected-window, but the other window stays without a buffer, and
 >    causes a crash in the following redisplay

Thanks for the explanation.  I must have tested with my own version of
'replace-buffer-in-windows' which starts with

   (let ((buffer (window-normalize-buffer buffer-or-name)))
     ;; Don't scan 'window-list-1' unless necessary (often it isn't, for
     ;; example, when killing a temporary buffer).
     (when (> (buffer-windows-count buffer) 0)
       (dolist (window (window-list-1 nil nil t))

But since there's no guarantee that a temporary buffer will not be shown
in a window temporarily, your patch is a bit safer.  Alternatively, we
could exclude windows with a nil buffer in add_window_to_list (think of
the case that within the blurb producing code someone wants to consult
the window list).  In either case, we'd be accepting a temporarily
broken basic invariant - that a live window always shows a live buffer.

Principally, we should never run 'replace-buffer-in-windows' from within
'set-window-configuration'.  That bloated window list is just the tip of
an iceberg here.

 > What about the other parts of the changeset I installed -- do they
 > look okay to you? any comments?

I see

-  return safe_call (1, Qget_scratch_buffer_create);
+  /* This function must return a valid buffer, since it is frequently
+     our last line of defense in the face of the expected buffers
+     becoming dead under our feet.  safe_call below could return nil
+     if recreating *scratch* in Lisp, which does some fancy stuff,
+     signals an error in some weird use case.  */
+  buf = safe_call (1, Qget_scratch_buffer_create);
+  if (NILP (buf))
+    {
+      AUTO_STRING (scratch, "*scratch*");
+      buf = Fget_buffer_create (scratch, Qnil);
+    }
+  return buf;

and

+      Fset_buffer_major_mode (buf);

which look okay to me.  Unless, again, the latter would try to deal with
the window list or do some other nasty stuff.  Then other_buffer_safely
should not be allowed to recreate *scratch* but rather some fallback
buffer in fundamental mode with no hooks run and any buffer lists having
it as single element.

martin