Status of bug#43499 <43499@debbugs.gnu.org> as of Fri, 20 Jun 2025 14:20:14 +0000:

retitle 43499 27.1; It is possible for (forward-comment -1) to crash emacs
reassign 43499 emacs
submitter 43499 Jeff Norden
severity 43499 normal
tag 43499 patch
thanks

From: Jeff Norden
To: bug-gnu-emacs@gnu.org
Subject: 27.1; It is possible for (forward-comment -1) to crash emacs
Date: Fri, 18 Sep 2020 20:25:33 -0500

In an unusual circumstance, (forward-comment -1) can move the point before the
accessible buffer text.  This can even result in the point becoming negative.
In the worst-case scenario, emacs becomes completely unresponsive, and it
might even be necessary to reboot the computer.

Instructions for those who want to verify this bug are below.  But the
explanation and fix are fairly simple, so I'll start with that.

The problem is the following code for forward-comment, from syntax.c starting
at line 2542 (emacs-27.1).
This is in the 2nd part of the function, which is
the code that runs when forward-comment is called with a negative arg to move
backwards.  I've marked two relevant lines with * and **.

          if (code == Scomment_fence)
            {
              /* Skip until first preceding unquoted comment_fence. */
              bool fence_found = 0;
              ptrdiff_t ini = from, ini_byte = from_byte;

              while (1)
                {
*                 DEC_BOTH (from, from_byte);
                  UPDATE_SYNTAX_TABLE_BACKWARD (from);
                  c = FETCH_CHAR_AS_MULTIBYTE (from_byte);
                  if (SYNTAX (c) == Scomment_fence
                      && !char_quoted (from, from_byte))
                    {
                      fence_found = 1;
                      break;
                    }
**                else if (from == stop)
                    break;
                  rarely_quit (++quit_count);
                }

The loop should, I think, be changed to the following.  The only change is how
from and stop are compared.

              while (from > stop)
                {
                  DEC_BOTH (from, from_byte);
                  UPDATE_SYNTAX_TABLE_BACKWARD (from);
                  c = FETCH_CHAR_AS_MULTIBYTE (from_byte);
                  if (SYNTAX (c) == Scomment_fence
                      && !char_quoted (from, from_byte))
                    {
                      fence_found = 1;
                      break;
                    }
                  rarely_quit (++quit_count);
                }

Analysis: 'stop' is equal to BEGV.  'from' started out at PT, but will already
have been decremented once before the above is reached (to check the syntax of
the char before the point).  This makes it possible for (from == stop) to
already be true, and thus (*) can make (from < stop) true the first time it
runs.  If that happens, the test at (**) will never succeed.  This can occur
if the char at point-min has comment-fence syntax, and the point is at
point-min+1 when (forward-comment -1) is called.

---

If this bug is triggered in a narrowed buffer, and there is another fence
before point-min, then forward-comment will currently return with the point
set before BEGV.  This is likely to lead to an args-out-of-range error.

However, if no fence is found, or if the buffer wasn't narrowed, then 'from'
becomes negative.
This may result in a segfault, but it can also happen that
another fence-comment char will be found in the memory being scanned, and
forward-comment returns with the point set to a basically random negative
number.  It seems that this can cause all hell to break loose, but I didn't
figure out the exact mechanism.  Emacs can become unresponsive to C-g or any
keyboard input.  It seems to be constantly updating the display, which may
cause the entire window system to hang.

---

The first thing I tried was to just change (**) to 'else if (from <= stop)'.
The suggested fix above is better, though.  It will never try to access any
characters before BEGV.  It will also put the point at BEGV if a matching
fence is found there, which is probably why the original test is placed after
the syntax check.  An alternative would be to check for (from == stop) before
the loop, which is equivalent.

I've been using a version of 27.1 with the above change for a few days with no
problems.  A simple git-patch for this change is also attached.

------------------------------

Here are instructions for verifying this bug.  The behavior below is what I've
observed under linux with the mate and gnome3 desktops.  I don't know what
will happen under ms-windows or macos.

1) Please be sure that there are no open applications with unsaved data.
   Obviously, don't try this on a mission-critical server.

2) The safest thing is to run 'emacs -nw -Q' from a terminal window.  Or, use
   a linux console, as long as you will be able to switch to another console
   to kill emacs.

3) Open a plain fundamental-mode buffer.  Do "M-x modify-syntax-entry @ !" to
   make the at-sign into a generic fence comment character.  Then put
       @This is a fenced comment@
   at the start of the buffer.  The first at-sign should be the first
   character of the buffer.

4) Try 'M-: (forward-comment -1)' with the cursor at the start of the second
   line.  The cursor should move to the beginning of the buffer, verifying
   that the first line is a comment.

5) Now place the cursor on the 'T' after the first at-sign, so the point is
   between them, at the 2nd buffer position.  Do 'M-: (forward-comment -1)'
   again, and emacs should be dead.

------------------------------

When I trip this bug, emacs won't respond to C-g or any other key.  I can
close the terminal window, which kills emacs.

If I do the above from a graphical emacs, then my entire desktop freezes,
including the mouse.  I can recover with ctrl-alt-backspace, but that is often
disabled by default.  If I switch to a linux console, top shows that both
emacs and the window-manager are each using about 100% of a cpu.  I can
recover by re-starting X from here.  Someone unable to get to a console might
need to power-cycle the computer.

If I do 'M-x toggle-debug-on-error' between steps 4 and 5, then emacs will
quickly die with a segfault.

If, in step 5, I instead do
    M-: (cons (forward-comment -1) (point))
I can see in the frozen window that forward-comment did return 't with PT<0.
So, except when emacs segfaults, the problem isn't during forward-comment,
it's what happens after the negative point-value is returned.

AFAICT, there doesn't seem to be a similar problem with (forward-comment +1).

==============================

In case you are wondering how I stumbled onto this, in CWEB (the Knuth/Levy
literate programming system) sections are defined and referenced with the
following syntax:
    @
One way to highlight these is to set the syntax-table property of the initial
'@' and the final '>' to comment-fence, which also prevents the description
itself from being interpreted as code.  A CWEB file won't ever start with this
construct, but the definition of a code section does, and it is useful to
temporarily narrow the buffer to a section of code, including its name.

When I traced the source of args-out-of-range errors to forward-comment, I
realized that narrowing the buffer wasn't even necessary.  When I tested that
hypothesis, emacs froze up my desktop.

-Jeff

============================================================

In GNU Emacs 27.1 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.22, cairo version 1.17.3)
 of 2020-08-28 built on juergen
Windowing system distributor 'The X.Org Foundation', version 11.0.12008000
System Description: Manjaro Linux

Recent messages:
For information about GNU Emacs and the GNU system, type C-h C-a.

Configured using:
 'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
 --localstatedir=/var --with-x-toolkit=gtk3 --with-xft --with-wide-int
 --with-modules --with-cairo --with-harfbuzz 'CFLAGS=-march=x86-64
 -mtune=generic -O2 -pipe -fno-plt' CPPFLAGS=-D_FORTIFY_SOURCE=2
 LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'

Configured features:
XPM JPEG TIFF GIF PNG RSVG CAIRO SOUND GPM DBUS GSETTINGS GLIB NOTIFY
INOTIFY ACL GNUTLS LIBXML2 FREETYPE HARFBUZZ M17N_FLT LIBOTF ZLIB
TOOLKIT_SCROLL_BARS GTK3 X11 XDBE XIM MODULES THREADS LIBSYSTEMD JSON
PDUMPER LCMS2 GMP

Important settings:
  value of $LC_COLLATE: C
  value of $LC_MONETARY: en_US.UTF-8
  value of $LC_NUMERIC: en_US.UTF-8
  value of $LC_TIME: en_US.UTF-8
  value of $LANG: en_US.utf8
  locale-coding-system: utf-8-unix

Major mode: Lisp Interaction

Minor modes in effect:
  mouse-wheel-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  line-number-mode: t

Load-path shadows:
None found.

[Attachment: 0001-Fix-bug-in-forward-comment-that-allowed-the-point-to.patch (text/x-diff)]

From: Eli Zaretskii
To: Jeff Norden
Cc: 43499@debbugs.gnu.org
Subject: Re: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs
Date: Sat, 19 Sep 2020 12:08:51 +0300

> From: Jeff Norden
> Date: Fri, 18 Sep 2020 20:25:33 -0500
>
> In an unusual circumstance, (forward-comment -1) can move the point before the
> accessible buffer text.  This can even result in the point becoming negative.
> In the worst-case scenario, emacs becomes completely unresponsive, and it
> might even be necessary to reboot the computer.

Thanks.  In my case, I get a segfault in DEC_BOTH (because it attempts
to dereference a pointer outside of buffer text).

> The loop should, I think, be changed to the following.  The only change is how
> from and stop are compared.
>
>               while (from > stop)
>                 {
>                   DEC_BOTH (from, from_byte);
>                   UPDATE_SYNTAX_TABLE_BACKWARD (from);
>                   c = FETCH_CHAR_AS_MULTIBYTE (from_byte);
>                   if (SYNTAX (c) == Scomment_fence
>                       && !char_quoted (from, from_byte))
>                     {
>                       fence_found = 1;
>                       break;
>                     }
>                   rarely_quit (++quit_count);
>                 }

Thanks.  I propose a slightly different change below.  I think it's
somewhat better, because it does the comparison only once, and the
while loop can then run at full speed without testing on each
iteration.  (It looks like a large change, but almost all of it is
just whitespace changes due to re-indentation of the loop.)  Do you
agree?

diff --git a/src/syntax.c b/src/syntax.c index a79ab86..e8b32f5 100644 --- a/src/syntax.c +++ b/src/syntax.c
@@ -2545,20 +2545,23 @@ DEFUN ("forward-comment", Fforward_comment, Sforward_comment, 1, 1, 0, bool fence_found = 0; ptrdiff_t ini = from, ini_byte = from_byte; - while (1) + if (from > stop) { - DEC_BOTH (from, from_byte); - UPDATE_SYNTAX_TABLE_BACKWARD (from); - c = FETCH_CHAR_AS_MULTIBYTE (from_byte); - if (SYNTAX (c) == Scomment_fence - && !char_quoted (from, from_byte)) + while (1) { - fence_found = 1; - break; + DEC_BOTH (from, from_byte); + UPDATE_SYNTAX_TABLE_BACKWARD (from); + c = FETCH_CHAR_AS_MULTIBYTE (from_byte); + if (SYNTAX (c) == Scomment_fence + && !char_quoted (from, from_byte)) + { + fence_found = 1; + break; + } + else if (from == stop) + break; + rarely_quit (++quit_count); } - else if (from == stop) - break; - rarely_quit (++quit_count); } if (fence_found == 0) {
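
Review bot: The termination test kept inside the loop is still the exact-equality check `else if (from == stop)`, so the scan stays bounded only because the new `if (from > stop)` guard ensures `from` starts above `stop`, and `from` is still compared with `stop` on every iteration in addition to the new check before the loop. Consider folding both into the loop condition as `while (from > stop)`, which would also avoid re-indenting the body, or at least add a comment above the guard saying that `from` can already equal `stop` at this point. The diff touches only src/syntax.c; a regression test with a comment-fence character at the first accessible position and point just after it would keep this from coming back.
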
From: Alan Mackenzie
To: Jeff Norden
Cc: 43499@debbugs.gnu.org
Subject: Re: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs
Date: Sat, 19 Sep 2020 09:10:11 +0000

Hello, Jeff.

Thanks for taking the trouble to report this bug, and thanks also for
analysing it and proposing a patch to fix it.

On Fri, Sep 18, 2020 at 20:25:33 -0500, Jeff Norden wrote:
> In an unusual circumstance, (forward-comment -1) can move the point before the
> accessible buffer text.  This can even result in the point becoming negative.
> In the worst-case scenario, emacs becomes completely unresponsive, and it
> might even be necessary to reboot the computer.

> Instructions for those who want to verify this bug are below.  But the
> explanation and fix are fairly simple, so I'll start with that.

> The problem is the following code for forward-comment, from syntax.c starting
> at line 2542 (emacs-27.1).  This is in the 2nd part of the function, which is
> the code that runs when forward-comment is called with a negative arg to move
> backwards.  I've marked two relevant lines with * and **.

[ Analysis and fix snipped for now. ]

> ------------------------------

> Here are instructions for verifying this bug.  The behavior below is what I've
> observed under linux with the mate and gnome3 desktops.  I don't know what
> will happen under ms-windows or macos.

> 1) Please be sure that there are no open applications with unsaved data.
> Obviously, don't try this on a mission-critical server.

> 2) The safest thing is to run 'emacs -nw -Q' from a terminal window.  Or, use
> a linux console, as long as you will be able to switch to another console to
> kill emacs.

> 3) Open a plain fundamental-mode buffer.  Do "M-x modify-syntax-entry @ !" to
> make the at-sign into a generic fence comment character.  Then put
>   @This is a fenced comment@
> at the start of the buffer.  The first at-sign should be the first character of
> the buffer.

> 4) Try 'M-: (forward-comment -1)' with the cursor at the start of the second line.
> The cursor should move to the beginning of the buffer, verifying that the
> first line is a comment.

> 5) Now place the cursor on the 'T' after the first at-sign, so the point is
> between them, at the 2nd buffer position.  Do 'M-: (forward-comment -1)'
> again, and emacs should be dead.

> ------------------------------

I can confirm that there is a bug, here.  When I do the above on Emacs
28 master in a Linux TTY, I get a segfault.

I agree with the OP that this needs fixing, and his fix [snipped] is
likely a good one.

[ .... ]

> AFAICT, there doesn't seem to be a similar problem with (forward-comment +1).

No.  At this level, forward and backwards movement over comments use
different code.

> ==============================

> In case you are wondering how I stumbled onto this, in CWEB (the Knuth/Levy
> literate programming system) sections are defined and referenced with the
> following syntax:
>   @
> One way to highlight these is to set the syntax-table property of the initial
> '@' and the final '>' to comment-fence, which also prevents the description
> itself from being interpreted as code.  A CWEB file won't ever start with this
> construct, but the definition of a code section does, and it is useful to
> temporarily narrow the buffer to a section of code, including its name.

> When I traced the source of args-out-of-range errors to forward-comment, I
> realized that narrowing the buffer wasn't even necessary.  When I tested that
> hypothesis, emacs froze up my desktop.

Interesting!

> -Jeff

> ============================================================

> In GNU Emacs 27.1 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.22, cairo version 1.17.3)
>  of 2020-08-28 built on juergen
> Windowing system distributor 'The X.Org Foundation', version 11.0.12008000
> System Description: Manjaro Linux

-- 
Alan Mackenzie (Nuremberg, Germany).

From: Lars Ingebrigtsen
To: control@debbugs.gnu.org
Subject: control message for bug #43499
Date: Sat, 19 Sep 2020 16:48:25 +0200

tags 43499 + patch
quit

From: Jeff Norden
To: Eli Zaretskii
Cc: 43499@debbugs.gnu.org
Subject: Re: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs
Date: Sat, 19 Sep 2020 11:24:23 -0500

> Thanks.  I propose a slightly different change below.  I think it's
> somewhat better, because it does the comparison only once, and the
> while loop can then run at full speed without testing on each
> iteration.  (It looks like a large change, but almost all of it is
> just whitespace changes due to re-indentation of the loop.)  Do you
> agree?

I think either change will work fine.  It doesn't seem to me that either
one would be faster, unless I'm missing something.  My suggestion was to
move the test from the body of the loop (where from == stop is checked
each iteration) to the clause of the while statement (as from > stop
instead).  But, maybe a test before the loop starts makes the code more
clear - that is entirely your call.

Perhaps I should have included my patch in the body of the email,
instead of as an attachment, which might have made my suggestion more
clear.

Also, it's good that you and Alan are getting segfaults instead of the
really horrible behavior that I found.  Maybe some change since 27.1 has
helped with that.

Regards,
-Jeff

From: Eli Zaretskii
To: Jeff Norden
Cc: 43499@debbugs.gnu.org
Subject: Re: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs
Date: Sat, 19 Sep 2020 19:56:47 +0300

> From: Jeff Norden
> Cc: 43499@debbugs.gnu.org
> Date: Sat, 19 Sep 2020 11:24:23 -0500
>
> > Thanks.  I propose a slightly different change below.  I think it's
> > somewhat better, because it does the comparison only once, and the
> > while loop can then run at full speed without testing on each
> > iteration.  (It looks like a large change, but almost all of it is
> > just whitespace changes due to re-indentation of the loop.)  Do you
> > agree?
>
> I think either change will work fine.  It doesn't seem to me that either
> one would be faster, unless I'm missing something.  My suggestion was to
> move the test from the body of the loop (where from == stop is checked
> each iteration) to the clause of the while statement (as from > stop
> instead).  But, maybe a test before the loop starts makes the code more
> clear - that is entirely your call.

Thanks, I installed my changes.

> Perhaps I should have included my patch in the body of the email,
> instead of as an attachment, which might have made my suggestion more
> clear.

It was clear to me, FWIW.

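
The three loop shapes discussed in this thread, as an added example that is not part of the original messages or of Emacs's syntax.c: a simplified model (plain char array, no quoting, multibyte or syntax-table handling) showing that the 27.1 loop fetches characters below `stop` when `from == stop` on entry, while the two proposed fixes do not. The names `scan_result`, `model_floor`, `MEM` and `STOP` and the sample memory are constructed for illustration.

```c
/* Added illustration, not Emacs source.  Positions are indices into a char
   array; the character at position p is mem[p]. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FENCE '@'

typedef struct {
    long from;              /* position the scan ended on */
    bool fence_found;
    long reads_below_stop;  /* characters fetched before the accessible region */
} scan_result;

/* Loop shape from emacs-27.1 as quoted in the report: decrement first, test
   from == stop afterwards.  model_floor exists only in this model, so that a
   runaway scan stays inside the sample array. */
static scan_result scan_original(const char *mem, long from, long stop,
                                 long model_floor)
{
    scan_result r = { from, false, 0 };
    while (1) {
        r.from--;
        if (r.from < model_floor)   /* model-only guard, absent in real code */
            break;
        if (r.from < stop)
            r.reads_below_stop++;
        if (mem[r.from] == FENCE) { r.fence_found = true; break; }
        else if (r.from == stop)
            break;
    }
    return r;
}

/* Shape proposed in the report: bound check in the loop condition. */
static scan_result scan_while_gt(const char *mem, long from, long stop)
{
    scan_result r = { from, false, 0 };
    while (r.from > stop) {
        r.from--;
        if (mem[r.from] == FENCE) { r.fence_found = true; break; }
    }
    return r;
}

/* Shape of the patch posted in the reply: one check before the old loop. */
static scan_result scan_guarded(const char *mem, long from, long stop)
{
    scan_result r = { from, false, 0 };
    if (r.from > stop) {
        while (1) {
            r.from--;
            if (mem[r.from] == FENCE) { r.fence_found = true; break; }
            else if (r.from == stop)
                break;
        }
    }
    return r;
}

/* Constructed sample: 8 bytes standing in for memory before point-min (with a
   stray fence at index 2, as in the narrowed-buffer case), followed by the
   buffer text from the reproduction steps. */
static const char MEM[] = "xx@xxxxx" "@This is a fenced comment@\nsecond line";
enum { STOP = 8 };  /* index of the first accessible character (BEGV) */

/* Trigger case: point is just after the opening fence, so from has already
   been decremented to STOP when the scan starts. */
static scan_result trigger_original(void) { return scan_original(MEM, STOP, STOP, 0); }
static scan_result trigger_while_gt(void) { return scan_while_gt(MEM, STOP, STOP); }
static scan_result trigger_guarded(void)  { return scan_guarded(MEM, STOP, STOP); }

/* Normal case: the scan starts on the closing fence. */
static long closing_fence(void) { return (long)(strrchr(MEM, FENCE) - MEM); }

static void show(const char *name, scan_result r)
{
    printf("%-10s from=%ld found=%d reads_below_stop=%ld\n",
           name, r.from, r.fence_found, r.reads_below_stop);
}

int main(void)
{
    puts("from == stop on entry:");
    show("original", trigger_original());
    show("while_gt", trigger_while_gt());
    show("guarded", trigger_guarded());
    puts("scan from closing fence:");
    show("original", scan_original(MEM, closing_fence(), STOP, 0));
    show("while_gt", scan_while_gt(MEM, closing_fence(), STOP));
    show("guarded", scan_guarded(MEM, closing_fence(), STOP));
    return 0;
}
```

In the trigger case the original shape ends on the stray fence below `STOP`, which models the point landing before BEGV; all three shapes agree whenever the scan starts above `STOP`.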
From debbugs-submit-bounces@debbugs.gnu.org Thu Nov 12 22:40:27 2020 Received: (at 43499) by debbugs.gnu.org; 13 Nov 2020 03:40:27 +0000 Received: from localhost ([127.0.0.1]:46309 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kdPwp-0002nG-1B for submit@debbugs.gnu.org; Thu, 12 Nov 2020 22:40:27 -0500 Received: from mail-ej1-f44.google.com ([209.85.218.44]:36775) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kdPwm-0002n1-LW for 43499@debbugs.gnu.org; Thu, 12 Nov 2020 22:40:25 -0500 Received: by mail-ej1-f44.google.com with SMTP id o21so11294605ejb.3 for <43499@debbugs.gnu.org>; Thu, 12 Nov 2020 19:40:24 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:user-agent :mime-version:date:message-id:subject:to:cc; bh=x9KX5a4Dofj8zAyRHrJJx8+FitHFtd93zvsbWVdEnOA=; b=eaogD/IYLQ3dMYRT0dpOge8TNdmDxH6bAGz718KhuFvERguBqZBVTo1UwEDWsXhe1u DdW3eyomW5NPf7arehXknDXTPmDxOWG64hiuP8g3r9IzJB8WCNKZw5jvPMbpDgJZjvlG QA5gmbNvWOTw6swa2t/5d/zELAgN/WEE8FwUbA0yoIqRX/0F5H41TGBozXkb0SwYMRql LGGELNlst6GD97NsyJ8aIl52vYSF5BhNFsTKa5CBAeIZY/4J9FzYgHtpRXJnoUhf0qQG FAC+v+UHefl7lFvFYfDcr56g2O2kH459djCQRnzNQUZh18VXUEIGbsftuVhTyABKAK1m G/pg== X-Gm-Message-State: AOAM532dfAoyYSAhrqy511Mv2UKlt5oyntq3DdluwHKi3KBoItkTv1xe X4jfa70fMIlhAUSOSqzBQusYzNq0+UmxC1jtcdIzJ5tN X-Google-Smtp-Source: ABdhPJxNR7LahCKcx14qFslfe3ym7yBtzyhvvrXdR7pUQrgTuqnSAzf/iDlJR+GqZ6rB40RViBdyAxUSO6VrB96VIEY= X-Received: by 2002:a17:906:804:: with SMTP id e4mr120729ejd.420.1605238819021; Thu, 12 Nov 2020 19:40:19 -0800 (PST) Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Thu, 12 Nov 2020 22:40:17 -0500 
From: Stefan Kangas
In-Reply-To: <835z893dtc.fsf@gnu.org> (Eli Zaretskii's message of "Sat, 19 Sep 2020 19:56:47 +0300")
Date: Thu, 12 Nov 2020 22:40:17 -0500
Subject: Re: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs
To: Eli Zaretskii
Cc: 43499@debbugs.gnu.org, Jeff Norden

Eli Zaretskii writes:
>> From: Jeff Norden
>> Cc: 43499@debbugs.gnu.org
>> Date: Sat, 19 Sep 2020 11:24:23 -0500
>>
>> > Thanks. I propose a slightly different change below. I think it's
>> > somewhat better, because it does the comparison only once, and the
>> > while loop can then run at full speed without testing on each
>> > iteration. (It looks like a large change, but almost all of it is
>> > just whitespace changes due to re-indentation of the loop.) Do you
>> > agree?
>>
>> I think either change will work fine. It doesn't seem to me that either
>> one would be faster, unless I'm missing something. My suggestion was to
>> move the test from the body of the loop (where from == stop is checked
>> each iteration) to the clause of the while statement (as from > stop
>> instead). But, maybe a test before the loop starts makes the code more
>> clear - that is entirely your call.
>
> Thanks, I installed my changes.

Did that fix the issue? Does that mean that this bug can be closed?

Date: Fri, 13 Nov 2020 10:18:53 +0200
Message-Id: <838sb5y8ia.fsf@gnu.org>
From: Eli Zaretskii
To: Stefan Kangas
In-Reply-To: (message from Stefan Kangas on Thu, 12 Nov 2020 22:40:17 -0500)
Subject: Re: bug#43499: 27.1; It is possible for (forward-comment -1) to crash emacs
References: <835z893dtc.fsf@gnu.org>
Cc: 43499-done@debbugs.gnu.org, jnorden@tntech.edu

> From: Stefan Kangas
> Date: Thu, 12 Nov 2020 22:40:17 -0500
> Cc: Jeff Norden, 43499@debbugs.gnu.org
>
> > Thanks, I installed my changes.
>
> Did that fix the issue? Does that mean that this bug can be closed?

Yes, done now.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 11 Dec 2020 12:24:06 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator