bug#8219: 23.3; Crash in indirect buffer

bug#8219: 23.3; Crash in indirect buffer

[Chong Yidong]

Just came across this; it is present in (at least) 23.2, and in trunk.
I haven't had time to debug further; any help welcome.  The backtrace is
from trunk.

emacs -Q
M-<
M-x clone-indirect-buffer RET
C-n
C-k
C-x o
C-k   => abort

#0  abort () at emacs.c:372
#1  0x0000000000646ba0 in find_interval (tree=0xc569e0, position=78)
    at intervals.c:635
#2  0x0000000000649c9c in get_property_and_range (pos=78, prop=12679682,
    val=0x7fffffffacd8, start=0x7ffffffface8, end=0x7ffffffface0,
    object=22411973) at intervals.c:2263
#3  0x0000000000651631 in find_composition (pos=78, limit=-1,
    start=0x7ffffffface8, end=0x7ffffffface0, prop=0x7fffffffacd8,
    object=22411973) at composite.c:430
#4  0x0000000000448290 in check_point_in_composition (prev_buf=0x155fac0,
    prev_pt=78, buf=0x155fac0, pt=2) at xdisp.c:11311
#5  0x0000000000448857 in reconsider_clip_changes (w=0x1564480, b=0x155fac0)
    at xdisp.c:11358
#6  0x000000000044f0d7 in redisplay_window (window=22430853, just_this_one_p=0)
    at xdisp.c:13715
#7  0x000000000044addc in redisplay_window_0 (window=22430853) at xdisp.c:12362
#8  0x00000000005dc1dc in internal_condition_case_1 (
    bfun=0x44ad9d <redisplay_window_0>, arg=22430853, handlers=12412566,
    hfun=0x44ad6e <redisplay_window_error>) at eval.c:1453
#9  0x000000000044ad4f in redisplay_windows (window=22430853) at xdisp.c:12342
#10 0x000000000044ad09 in redisplay_windows (window=22430309) at xdisp.c:12336
#11 0x0000000000449e14 in redisplay_internal (preserve_echo_area=0)
    at xdisp.c:11919
#12 0x0000000000447cff in redisplay () at xdisp.c:11139
#13 0x00000000005419ca in read_char (commandflag=1, nmaps=2,
    maps=0x7fffffffdae0, prev_event=12442194, used_mouse_menu=0x7fffffffddb8,
    end_time=0x0) at keyboard.c:2357
#14 0x000000000054f450 in read_key_sequence (keybuf=0x7fffffffde20,
    bufsize=30, prompt=12442194, dont_downcase_last=0,
    can_return_switch_frame=1, fix_current_buffer=1) at keyboard.c:9193
#15 0x000000000053fbae in command_loop_1 () at keyboard.c:1409
#16 0x00000000005dc067 in internal_condition_case (
    bfun=0x53f7f3 <command_loop_1>, handlers=12494210,
    hfun=0x53f0d8 <cmd_error>) at eval.c:1408
#17 0x000000000053f4f4 in command_loop_2 (ignore=12442194) at keyboard.c:1129
#18 0x00000000005dba31 in internal_catch (tag=12490226,
    func=0x53f4ce <command_loop_2>, arg=12442194) at eval.c:1152
#19 0x000000000053f4a7 in command_loop () at keyboard.c:1108
#20 0x000000000053ec0f in recursive_edit_1 () at keyboard.c:731
#21 0x000000000053edc2 in Frecursive_edit () at keyboard.c:793
#22 0x000000000053d0e8 in main (argc=2, argv=0x7fffffffe728) at emacs.c:1684

In GNU Emacs 24.0.50.2 (x86_64-unknown-linux-gnu, GTK+ Version 2.20.1)
 of 2011-03-10 on furball
Windowing system distributor `The X.Org Foundation', version 11.0.10706000
configured using `configure  'CC=gcc' 'CFLAGS=-g''

bug#8219: 23.3; Crash in indirect buffer

[Glenn Morris]

Same as

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=1242

?

bug#8219: 23.3; Crash in indirect buffer

[Chong Yidong]

Glenn Morris <rgm@gnu.org> writes:

> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=1242

I guess we can assume this is the same bug.  So, now we have a
reproducible recipe.

bug#8219: Effect of deletions on indirect buffers (Bug#8219)

[Chong Yidong]

Indirect bufffers are allowed to have their own values of point,
BUF_BEGV, and BUF_ZV (indeed, that's one of their roles).  Their other
attributes inherit from the base buffer, e.g.

#define BUF_Z(buf) ((buf)->text->z)

where `text' points to the base buffer's text object.

Now consider what happens when a deletion is performed in buffer A,
which is the base buffer for an indirect buffer B.  It appears that the
responsible functions, such as del_range_2, only update the attributes
of buffer A, making no effort to update buffer B.

Hence, in the aftermath of a deletion, buffer B's values of PT (and
BUF_BEGV and BUF_ZV) can be larger than BUF_ZV.  This is the proximate
cause of the crash in Bug#8219: there, we have

 if (prev_pt > BUF_BEGV (buf) && prev_pt < BUF_ZV (buf)
     && find_composition (prev_pt, -1, &start, &end, &prop, buffer)

and find_composition aborts because prev_pt is larger than the size of
the buffer.


I'm not sure what the best solution is.  The narrowest fix is to change
find_composition, and the functions it calls, so that it does not abort
when supplied with a position that's beyond BUF_Z.  This might be the
best approach for the emacs-23 branch.

However, I suspect that we have other places in the code that assumes
that if a point is smaller than BUF_ZV, it's necessarily smaller than
BUF_Z---which we now see if not that case.  So, a more comprehensive fix
is needed for the trunk.

Any thoughts?

bug#8219: Effect of deletions on indirect buffers (Bug#8219)

[Chong Yidong]

I have backported the trunk fix to the emacs-23 brach (there seems to be
no safer complete solutions).  Closing Bug#8219 and Bug#1242.