From: Jonathan Tomer
Subject: bug#35497: [PATCH v6] Don't rewrite buffer contents after saving by rename
Date: Mon, 6 May 2019 13:48:22 -0700

When `file-precious-flag' is non-nil, files are saved by renaming a
temporary file to the new name; this is an atomic operation on POSIX
so other programs will not see the file in an intermediate state.
Unfortunately, due to a paren-matching error introduced in change
574c05e219476912db3105fa164accd9ba12b35f, we would then write the
contents again in the usual way after this rename.  In addition to
being wasteful, this is a serious bug: the whole point of
`file-precious-flag' is to prevent race conditions with other programs
that might otherwise see an empty file, but with this bug the race is
actually much *more* likely to be visible: the rename will alert any
inotify watchers of a change, and then the subsequent write is very
likely to truncate the file just as those programs start to read it!
* lisp/files.el (basic-save-buffer-2): Don't rewrite file contents
  after saving-by-renaming.
* test/lisp/files-tests.el (files-tests-dont-rewrite-precious-files):
* test/lisp/net/tramp-tests.el (tramp-test10-write-region-file-precious-flag):
  Regression tests for this change.
 lisp/files.el                |  4 ++--
 test/lisp/files-tests.el     | 15 +++++++++++++++
 test/lisp/net/tramp-tests.el | 30 ++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/lisp/files.el b/lisp/files.el
index c05d70a00e..72518e8127 100644
--- a/lisp/files.el
+++ b/lisp/files.el
@@ -5256,7 +5256,7 @@ basic-save-buffer-2
                     (set-file-extended-attributes buffer-file-name
                                                   (nth 1 setmodes)))
                 (set-file-modes buffer-file-name
-                                (logior (car setmodes) 128))))))
+                                (logior (car setmodes) 128)))))
        (let (success)
@@ -5272,7 +5272,7 @@ basic-save-buffer-2
            (and setmodes (not success)
                   (rename-file (nth 2 setmodes) buffer-file-name t)
-                  (setq buffer-backed-up nil))))))
+                  (setq buffer-backed-up nil)))))))
 (declare-function diff-no-select "diff"
diff --git a/test/lisp/files-tests.el b/test/lisp/files-tests.el
index ae8ea41a79..fe2e958f1c 100644
--- a/test/lisp/files-tests.el
+++ b/test/lisp/files-tests.el
@@ -1244,5 +1244,20 @@ files-tests-file-attributes-equal
                     (executable-find (file-name-nondirectory tmpfile))))))
       (delete-file tmpfile))))
+(ert-deftest files-tests-dont-rewrite-precious-files ()
+  "Test that `file-precious-flag' forces files to be saved by
+renaming only, rather than modified in-place."
+  (let* ((temp-file-name (make-temp-file "files-tests"))
+         (advice (lambda (_start _end filename &rest _r)
+                   (should-not (string= filename temp-file-name)))))
+    (unwind-protect
+        (with-current-buffer (find-file-noselect temp-file-name)
+          (advice-add #'write-region :before advice)
+          (setq-local file-precious-flag t)
+          (insert "foobar")
+          (should (null (save-buffer))))
+      (ignore-errors (advice-remove #'write-region advice))
+      (ignore-errors (delete-file temp-file-name)))))
 (provide 'files-tests)
 ;;; files-tests.el ends here
diff --git a/test/lisp/net/tramp-tests.el b/test/lisp/net/tramp-tests.el
index cba697da18..2e25f23b23 100644
--- a/test/lisp/net/tramp-tests.el
+++ b/test/lisp/net/tramp-tests.el
@@ -41,6 +41,7 @@
 ;;; Code:
+(require 'cl-seq)
 (require 'dired)
 (require 'ert)
 (require 'ert-x)
@@ -2270,6 +2271,35 @@ tramp--test-print-duration
        ;; Cleanup.
        (ignore-errors (delete-file tmp-name))))))
+(ert-deftest tramp-test10-write-region-file-precious-flag ()
+    "Check that `file-precious-flag' is respected with Tramp in use."
+    :tags '(:unstable)
+  (skip-unless (tramp--test-enabled))
+  (skip-unless (tramp--test-sh-p))
+  (let* ((tmp-name (tramp--test-make-temp-name))
+         written-files
+        (advice (lambda (_start _end filename &rest _r)
+                  (push filename written-files))))
+    (unwind-protect
+        (with-current-buffer (find-file-noselect tmp-name)
+          ;; Write initial contents.  Adapt `visited-file-modtime'
+          ;; in order to suppress confirmation.
+          (insert "foo")
+          (write-region nil nil tmp-name)
+          (set-visited-file-modtime)
+          ;; Run the test.
+          (advice-add 'write-region :before advice)
+          (setq-local file-precious-flag t)
+          (insert "bar")
+          (should (null (save-buffer)))
+          (should-not (cl-member tmp-name written-files :test #'string=))
+      ;; Cleanup.
+      (ignore-errors (advice-remove 'write-region advice))
+      (ignore-errors (delete-file tmp-name))))))
 (ert-deftest tramp-test11-copy-file ()
   "Check `copy-file'."
   (skip-unless (tramp--test-enabled))

