bug-gnu-emacs

bug#60096: 29.0.60; Crash in format_mode_line_unwind_data


From: martin rudalics
Subject: bug#60096: 29.0.60; Crash in format_mode_line_unwind_data
Date: Sat, 17 Dec 2022 16:26:36 +0100

> It is needed in this case because it forces redisplay to recompute the
> window list (in propagate_buffer_redisplay, if not earlier).  If the
> above is not done, Vwindow_list will be reused, and the problematic
> (bogus?) windows in it _will_ cause a crash.
>
> Specifically, here's what happens:
>
>  . We call
>
>          wset_buffer (w, other_buffer_safely (Fcurrent_buffer ()));
>
>  . other_buffer_safely cannot find a single buffer that satisfies the
>    candidate_buffer condition, so it ends up recreating *scratch*
>    (whose deletion caused this mess to begin with) by calling
>    get-scratch-buffer-create in Lisp
>  . get-scratch-buffer-create calls substitute-command-keys to produce
>    the blurb we put in the comment at the beginning of *scratch*
>  . substitute-command-keys uses a temporary buffer to format the
>    message, and calls kill-buffer to delete that buffer when it's done
>  . kill-buffer calls replace_buffer_in_windows, which calls
>    replace-buffer-in-windows in Lisp
>  . replace-buffer-in-windows calls window-list-1, which calls
>    window_list, which fills Vwindow_list with windows that have no
>    buffer:
>
>     (gdb) pp Vwindow_list
>     (#<window 8> #<window 4>)
>
>  . one of these windows gets assigned a buffer, eventually, since it's
>    a selected-window, but the other window stays without a buffer, and
>    causes a crash in the following redisplay

Thanks for the explanation.  I must have tested with my own version of
'replace-buffer-in-windows' which starts with

  (let ((buffer (window-normalize-buffer buffer-or-name)))
    ;; Don't scan 'window-list-1' unless necessary (often it isn't, for
    ;; example, when killing a temporary buffer).
    (when (> (buffer-windows-count buffer) 0)
      (dolist (window (window-list-1 nil nil t))

But since there's no guarantee that a temporary buffer will not be shown
in a window temporarily, your patch is a bit safer.  Alternatively, we
could exclude windows with a nil buffer in add_window_to_list (think of
the case that within the blurb producing code someone wants to consult
the window list).  In either case, we'd be accepting a temporarily
broken basic invariant - that a live window always shows a live buffer.

Principally, we should never run 'replace-buffer-in-windows' from within
'set-window-configuration'.  That bloated window list is just the tip of
an iceberg here.

> What about the other parts of the changeset I installed -- do they
> look okay to you? any comments?

I see

-  return safe_call (1, Qget_scratch_buffer_create);
+  /* This function must return a valid buffer, since it is frequently
+     our last line of defense in the face of the expected buffers
+     becoming dead under our feet.  safe_call below could return nil
+     if recreating *scratch* in Lisp, which does some fancy stuff,
+     signals an error in some weird use case.  */
+  buf = safe_call (1, Qget_scratch_buffer_create);
+  if (NILP (buf))
+    {
+      AUTO_STRING (scratch, "*scratch*");
+      buf = Fget_buffer_create (scratch, Qnil);
+    }
+  return buf;
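
Review bot: the fallback `buf = Fget_buffer_create (scratch, Qnil);` runs outside safe_call, so the guarantee stated in the new comment ("must return a valid buffer") holds only if that call cannot itself signal an error. Consider stating that assumption in the comment, or protecting the fallback the same way as the first attempt, so a failure on this last-resort path does not escape to the caller.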

and

+      Fset_buffer_major_mode (buf);

which look okay to me.  Unless, again, the latter would try to deal with
the window list or do some other nasty stuff.  Then other_buffer_safely
should not be allowed to recreate *scratch* but rather some fallback
buffer in fundamental mode with no hooks run and any buffer lists having
it as single element.

martin
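
An added example, not part of the original message and not Emacs source code: a simplified C model of the stale window list discussed above, comparing plain reuse of the cached list, forced recomputation, and skipping buffer-less windows when the list is built. The struct layout, the function names and the assumption that the buffer-less window has left the window tree before redisplay are all hypothetical.

```c
/* Simplified model of a cached window list; not Emacs source code.  */
#include <stdbool.h>
#include <stddef.h>
struct window { int id; const char *buffer; bool in_tree; };
struct window_cache { struct window *list[4]; size_t len; bool valid; };

/* Rebuild the cache from the tree.  With skip set, windows that have
   no buffer are left out (the add_window_to_list idea).  */
static void rebuild (struct window_cache *c, struct window *tree, size_t n,
                     bool skip)
{
  c->len = 0;
  for (size_t i = 0; i < n; i++)
    if (tree[i].in_tree && !(skip && tree[i].buffer == NULL))
      c->list[c->len++] = &tree[i];
  c->valid = true;
}

/* Return the cached list, recomputing it only after invalidation.  */
static struct window_cache *window_list (struct window_cache *c,
                                         struct window *tree, size_t n, bool skip)
{
  if (!c->valid)
    rebuild (c, tree, n, skip);
  return c;
}

/* Count list entries that redisplay would find without a buffer.  */
static size_t bufferless_entries (const struct window_cache *c)
{
  size_t bad = 0;
  for (size_t i = 0; i < c->len; i++)
    bad += (c->list[i]->buffer == NULL);
  return bad;
}

/* The list is computed while both windows lack a buffer, then one
   window gets a buffer and the other is assumed to leave the tree.  */
static size_t scenario (bool invalidate, bool skip)
{
  struct window tree[2] = { { 8, NULL, true }, { 4, NULL, true } };
  struct window_cache cache = { .len = 0, .valid = false };
  window_list (&cache, tree, 2, skip);
  tree[1].buffer = "*scratch*";   /* constructed sample value */
  tree[0].in_tree = false;        /* assumption of this model */
  if (invalidate)
    cache.valid = false;          /* force recomputation before redisplay */
  return bufferless_entries (window_list (&cache, tree, 2, skip));
}
```

In this model the filter alone leaves the reused list empty rather than wrong, so it avoids the buffer-less entry but still depends on a later recomputation for a complete list.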




