GNU bug report logs - #71012
30.0.50; tree-sitter crash


Package: emacs;

Reported by: Helmut Eller <eller.helmut <at> gmail.com>

Date: Fri, 17 May 2024 13:40:01 UTC

Severity: normal

Found in version 30.0.50

Done: Yuan Fu <casouri <at> gmail.com>

Bug is archived. No further changes may be made.


Message #32 received at 71012 <at> debbugs.gnu.org (full text, mbox):

From: Yuan Fu <casouri <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 71012 <at> debbugs.gnu.org, Helmut Eller <eller.helmut <at> gmail.com>
Subject: Re: bug#71012: 30.0.50; tree-sitter crash
Date: Sat, 1 Jun 2024 10:43:33 -0700

> On Jun 1, 2024, at 10:15 AM, Yuan Fu <casouri <at> gmail.com> wrote:
> 
> 
> 
>> On May 29, 2024, at 5:28 AM, Eli Zaretskii <eliz <at> gnu.org> wrote:
>> 
>>> From: Yuan Fu <casouri <at> gmail.com>
>>> Date: Tue, 28 May 2024 22:15:05 -0700
>>> Cc: Helmut Eller <eller.helmut <at> gmail.com>,
>>> 71012 <at> debbugs.gnu.org
>>> 
>>> From what I can gather, the crash seems to be because the temp buffer is garbage collected—the inserted lisp.h is a large file, so the temp buffer is probably immediately collected, before Emacs tries to print the node in the next line. I replaced the insert-file-content with some smaller file and it didn’t crash.
>> 
>> It is unthinkable that a buffer is GC'ed while it is being used.
>> 
>>> But that theory has critical flaws: a) Emacs certainly doesn't collect the temp buffer before the with-temp-buffer form returns; b) I can’t crash Emacs in my non-debug build by inserting (garbage-collect) in front of the message line in the example; c) debug build Emacs still crashes even if I enlarge gc-cons-threshold.
>>> 
>>> Eli, is there anything different regarding temp buffers in debug builds?
>> 
>> No.
>> 
>> But note that there are _two_ temporary buffers involved here: one is
>> created in ts-bug.el, and it remains intact and valid; the other is
>> the temporary buffer created by treesit-parse-string.  That one is
>> killed by the time treesit-parse-string returns, so treesit-node-start
>> attempts to access positions of a killed buffer!
>> 
>> So I think this is a bug in treesit-parse-string: it cannot use
>> with-temp-buffer; instead, it should make the buffer into which it
>> inserts the string part of the parser, so that the buffer is killed
>> and GC'ed only when the parser is no longer referenced.  Otherwise the
>> syntax tree returned by treesit-parse-string is unsafe to use.
> 
> I see, you’re absolutely right, thanks for the analysis! On top of that I need to make sure all the treesit functions check for buffer liveness before accessing the buffer. I was under the impression that a killed buffer would keep its content around until it’s collected. Turns out that wasn’t the case.
> 
> Yuan

Pushed the fix to emacs-29.

Yuan
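The lifetime problem described in this message (a handle returned into a buffer that was killed before the function returned), together with the two-part fix the thread settles on (make the buffer part of the returned object so it lives as long as that object, and check buffer liveness before every access), shown as an added Emacs Lisp example. This is not code from the bug thread or from the Emacs fix: it uses ordinary markers instead of tree-sitter nodes so it runs without a grammar library, and the names `dangling-parse`, `owned-parse` and `handle-start` are invented for the illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration (not code from the bug thread or from Emacs).  Plain
;; markers stand in for tree-sitter nodes: both are handles into a buffer,
;; and both point nowhere once that buffer is killed.

(require 'cl-lib)

(defun dangling-parse (string)
  "Buggy pattern: return a handle into a buffer that dies before we return.
This mirrors building the result inside `with-temp-buffer'."
  (with-temp-buffer
    (insert string)
    (goto-char (point-min))
    (point-marker)))   ; the temp buffer is killed when this form exits

(defun owned-parse (string)
  "Fixed pattern: the result owns its backing buffer.
The buffer is hidden (leading space in its name) and is killed by a
finalizer once nothing references the result any more."
  (let* ((buf (generate-new-buffer " *owned-parse*"))
         (marker (with-current-buffer buf
                   (insert string)
                   (goto-char (point-min))
                   (point-marker))))
    ;; Keep the finalizer inside the result so it is collected with it.
    (list buf marker
          (make-finalizer (lambda ()
                            (when (buffer-live-p buf)
                              (kill-buffer buf)))))))

(defun handle-start (handle)
  "Return the position HANDLE points at, after checking its buffer is live.
HANDLE is a bare marker or a result of `owned-parse'."
  (let* ((m (if (markerp handle) handle (nth 1 handle)))
         (buf (marker-buffer m)))
    ;; `buffer-live-p' is nil both for a killed buffer and for nil, which
    ;; is what `marker-buffer' returns once the buffer has been killed.
    (unless (buffer-live-p buf)
      (error "Handle refers to a killed buffer"))
    (marker-position m)))

;; Checks: the buggy version yields a marker pointing nowhere, which the
;; liveness check turns into a Lisp error instead of a crash; the fixed
;; version stays usable until its buffer is killed.
(cl-assert (null (marker-buffer (dangling-parse "int x;"))))
(cl-assert (condition-case nil
               (progn (handle-start (dangling-parse "int x;")) nil)
             (error t)))
(let ((result (owned-parse "int x;")))
  (cl-assert (= (handle-start result) 1))
  (kill-buffer (car result))
  (cl-assert (condition-case nil
                 (progn (handle-start result) nil)
               (error t))))
```

Evaluating the file (for example with `M-x eval-buffer`) runs the assertions; the `make-finalizer` call is what ties the hidden buffer's lifetime to the returned object, which is the ownership arrangement proposed in the thread for the parser and its buffer.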

This bug report was last modified 323 days ago.
