GNU bug report logs - #71012
30.0.50; tree-sitter crash


Package: emacs;

Reported by: Helmut Eller <eller.helmut <at> gmail.com>

Date: Fri, 17 May 2024 13:40:01 UTC

Severity: normal

Found in version 30.0.50

Done: Yuan Fu <casouri <at> gmail.com>

Bug is archived. No further changes may be made.


From: Eli Zaretskii <eliz <at> gnu.org>
To: Yuan Fu <casouri <at> gmail.com>
Cc: 71012 <at> debbugs.gnu.org, eller.helmut <at> gmail.com
Subject: bug#71012: 30.0.50; tree-sitter crash
Date: Wed, 29 May 2024 15:28:20 +0300
> From: Yuan Fu <casouri <at> gmail.com>
> Date: Tue, 28 May 2024 22:15:05 -0700
> Cc: Helmut Eller <eller.helmut <at> gmail.com>,
>  71012 <at> debbugs.gnu.org
> 
> From what I can gather, the crash seems to be because the temp buffer is garbage collected—the inserted lisp.h is a large file, so the temp buffer is probably immediately collected, before Emacs tries to print the node in the next line. I replaced the insert-file-content with some smaller file and it didn’t crash.

It is unthinkable that a buffer is GC'ed while it is being used.

> But that theory has critical flaws: a) Emacs certainly doesn't collect the temp buffer before the with-temp-buffer form returns; b) I can’t crash Emacs in my non-debug build by inserting (garbage-collect) in front of the message line in the example; c) debug build Emacs still crashes even if I enlarge gc-cons-threshold.
> 
> Eli, is there anything different regarding temp buffers in debug builds?

No.

But note that there are _two_ temporary buffers involved here: one is
created in ts-bug.el, and it remains intact and valid; the other is
the temporary buffer created by treesit-parse-string.  That one is
killed by the time treesit-parse-string returns, so treesit-node-start
attempts to access positions of a killed buffer!

So I think this is a bug in treesit-parse-string: it cannot use
with-temp-buffer; instead, it should make the buffer into which it
inserts the string part of the parser, so that the buffer is killed
and GC'ed only when the parser is no longer referenced.  Otherwise the
syntax tree returned by treesit-parse-string is unsafe to use.
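A simplified C model of the lifetime problem described in the message above, added here as an illustration. It is not Emacs or tree-sitter source: every struct and function name is hypothetical, and "parsing" is reduced to finding the first non-blank offset.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model types; none of this is Emacs code. */
struct buffer { char *text; int live; };
struct parser { struct buffer *buf; int refs; };
struct node   { struct parser *parser; size_t start; };

static struct buffer *buffer_new(const char *s) {
    struct buffer *b = malloc(sizeof *b);
    b->text = malloc(strlen(s) + 1);
    strcpy(b->text, s);
    b->live = 1;
    return b;
}
/* Like killing a buffer: the text goes away, the object itself remains. */
static void buffer_kill(struct buffer *b) {
    free(b->text); b->text = NULL; b->live = 0;
}
static struct node *parse_in(struct buffer *b) {
    struct parser *p = malloc(sizeof *p);
    struct node *n = malloc(sizeof *n);
    p->buf = b; p->refs = 1;
    n->parser = p;
    n->start = strspn(b->text, " \t\n");   /* stand-in for real parsing */
    return n;
}
/* Design described as buggy: the temp buffer is killed before returning. */
struct node *parse_string_temp(const char *s) {
    struct buffer *b = buffer_new(s);
    struct node *n = parse_in(b);
    buffer_kill(b);                        /* temp-buffer cleanup */
    return n;
}
/* Proposed design: the buffer lives exactly as long as the parser. */
struct node *parse_string_owned(const char *s) {
    return parse_in(buffer_new(s));
}
/* Read the character at the node start; -1 means the buffer is dead. */
long node_start_char(const struct node *n) {
    const struct buffer *b = n->parser->buf;
    return b->live ? (long)(unsigned char)b->text[n->start] : -1;
}
/* Dropping the last node drops the parser, and only then its buffer. */
void node_release(struct node *n) {
    struct parser *p = n->parser;
    if (--p->refs == 0) {
        if (p->buf->live) buffer_kill(p->buf);
        free(p->buf); free(p);
    }
    free(n);
}
```

Without the `live` check in `node_start_char`, the first design would read freed text, which is the kind of access the message attributes to treesit-node-start.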




This bug report was last modified 323 days ago.
