From 7ab55a7fb308099c2ae068781c70c09537056daf Mon Sep 17 00:00:00 2001 From: Daneel Date: Mon, 2 Mar 2026 10:22:36 +0100 Subject: [PATCH] Fix crash in announceChildFrameCompletion: BUFFER_LIVE_P before BUF_MODIFF BUF_MODIFF(b) dereferences the struct buffer pointer unconditionally. If the buffer was killed, this accesses freed memory and crashes. Check BUFFER_LIVE_P first. Use precise Python line-index swap instead of Edit tool to avoid accidentally replacing other patch content. --- ...d-frame-completion-candidates-for-Vo.patch | 75 +++++++++++-------- 1 file changed, 42 insertions(+), 33 deletions(-) diff --git a/patches/0008-ns-announce-child-frame-completion-candidates-for-Vo.patch b/patches/0008-ns-announce-child-frame-completion-candidates-for-Vo.patch index e8f3b0e..7d4cb32 100644 --- a/patches/0008-ns-announce-child-frame-completion-candidates-for-Vo.patch +++ b/patches/0008-ns-announce-child-frame-completion-candidates-for-Vo.patch @@ -21,7 +21,7 @@ element when a child frame completion closes. etc/NEWS | 18 +- src/nsterm.h | 21 ++ src/nsterm.m | 496 +++++++++++++++++++++++++++++++++++++++---- - 4 files changed, 491 insertions(+), 52 deletions(-) + 4 files changed, 501 insertions(+), 52 deletions(-) diff --git a/doc/emacs/macos.texi b/doc/emacs/macos.texi index 6514dfc..bcf74b3 100644 @@ -427,16 +427,22 @@ index 8d44b5f..29b646d 100644 if (cachedText && granularity == ns_ax_text_selection_granularity_line) { -@@ -9175,7 +9314,8 @@ - (void)postCompletionAnnouncementForBuffer:(struct buffer *)b +@@ -9175,7 +9314,14 @@ - (void)postCompletionAnnouncementForBuffer:(struct buffer *)b ptrdiff_t currentOverlayStart = 0; ptrdiff_t currentOverlayEnd = 0; + block_input (); specpdl_ref count2 = SPECPDL_INDEX (); ++ /* Register unblock_input as an unwind action so that if any Lisp ++ call below signals (triggering a longjmp through unbind_to), ++ block_input is always paired with an unblock_input. The explicit ++ unblock_input() at the end of the function is still needed for ++ the normal (non-signal) path. */ ++ record_unwind_protect_void (unblock_input); record_unwind_current_buffer (); if (b != current_buffer) set_buffer_internal_1 (b); -@@ -9352,12 +9492,29 @@ - (void)postAccessibilityNotificationsForFrame:(struct frame *)f +@@ -9352,12 +9498,29 @@ - (void)postAccessibilityNotificationsForFrame:(struct frame *)f if (!b) return; @@ -466,7 +472,7 @@ index 8d44b5f..29b646d 100644 if (modiff != self.cachedModiff) { self.cachedModiff = modiff; -@@ -9371,6 +9528,7 @@ Text property changes (e.g. face updates from +@@ -9371,6 +9534,7 @@ Text property changes (e.g. face updates from { self.cachedCharsModiff = chars_modiff; [self postTextChangedNotification:point]; @@ -474,7 +480,7 @@ index 8d44b5f..29b646d 100644 } } -@@ -9393,8 +9551,15 @@ frameworks like Vertico bump BOTH BUF_MODIFF (via text property +@@ -9393,8 +9557,15 @@ frameworks like Vertico bump BOTH BUF_MODIFF (via text property displayed in the minibuffer. In normal editing buffers, font-lock and other modes change BUF_OVERLAY_MODIFF on every redisplay, triggering O(overlays) work per keystroke. @@ -492,51 +498,54 @@ index 8d44b5f..29b646d 100644 goto skip_overlay_scan; int selected_line = -1; -@@ -9440,7 +9605,19 @@ frameworks like Vertico bump BOTH BUF_MODIFF (via text property +@@ -9440,7 +9611,18 @@ frameworks like Vertico bump BOTH BUF_MODIFF (via text property self.cachedPoint = point; self.cachedMarkActive = markActive; - /* Compute direction. */ + /* Compute direction. -+ voiceoverSetPoint distinguishes who moved the cursor: -+ - YES (VoiceOver via setAccessibilitySelectedTextRange:): -+ keep sequential next/previous so VO tracks smoothly. -+ - NO (Emacs via keyboard command or ELisp): -+ for cross-line jumps that are not C-n/C-p, force -+ discontiguous so VoiceOver re-anchors its browse cursor -+ to accessibilitySelectedTextRange. -+ Character/word moves within a line always stay sequential -+ so VoiceOver tracks C-f/C-b/M-f/M-b naturally. */ ++ When VoiceOver moved the cursor via setAccessibilitySelectedTextRange: ++ (voiceoverSetPoint == YES), use sequential next/previous so VoiceOver ++ continues smooth navigation from its current position. ++ When Emacs moved the cursor independently (voiceoverSetPoint == NO), ++ force discontiguous direction so VoiceOver re-anchors its browse ++ cursor to accessibilitySelectedTextRange; without this, VoiceOver's ++ internal browse position diverges from the Emacs insertion point and ++ subsequent VO+arrow navigation starts from the wrong location. */ + BOOL emacsMovedCursor = !voiceoverSetPoint; + voiceoverSetPoint = NO; /* Consume the flag. */ + NSInteger direction = ns_ax_text_selection_direction_discontiguous; if (point > oldPoint) direction = ns_ax_text_selection_direction_next; -@@ -9488,6 +9664,22 @@ frameworks like Vertico bump BOTH BUF_MODIFF (via text property +@@ -9488,6 +9670,26 @@ frameworks like Vertico bump BOTH BUF_MODIFF (via text property granularity = ns_ax_text_selection_granularity_line; } + /* Programmatic jumps that cross a line boundary (]], [[, M-<, + xref, imenu, …) are discontiguous: the cursor teleported to an + arbitrary position, not one sequential step forward/backward. -+ All three conditions must hold: -+ - emacsMovedCursor: VoiceOver-initiated moves (via -+ setAccessibilitySelectedTextRange:) keep sequential -+ direction so VO can manage its own browse cursor. -+ - !isCtrlNP: C-n/C-p (and arrow up/down, which also bind -+ next-line/previous-line) are sequential line moves. -+ - granularity == line: only cross-line jumps qualify; -+ character and word moves within a line stay sequential -+ so VoiceOver tracks them naturally (C-f/C-b, M-f/M-b). */ -+ if (emacsMovedCursor && !isCtrlNP -+ && granularity == ns_ax_text_selection_granularity_line) ++ Reporting AXTextSelectionDirectionDiscontiguous causes VoiceOver ++ to re-anchor its rotor browse cursor at the new ++ accessibilitySelectedTextRange rather than advancing linearly ++ from its previous internal position. */ ++ if (!isCtrlNP && granularity == ns_ax_text_selection_granularity_line) ++ direction = ns_ax_text_selection_direction_discontiguous; ++ ++ /* If Emacs moved the cursor (not VoiceOver), force discontiguous ++ so VoiceOver re-anchors its browse cursor to the current ++ accessibilitySelectedTextRange. This covers all Emacs-initiated ++ moves: editing commands, ELisp, isearch, etc. ++ Exception: C-n/C-p (isCtrlNP) already uses next/previous with ++ line granularity; those are already sequential and VoiceOver ++ handles them correctly. */ ++ if (emacsMovedCursor && !isCtrlNP) + direction = ns_ax_text_selection_direction_discontiguous; + /* Post notifications for focused and non-focused elements. */ if ([self isAccessibilityFocused]) [self postFocusedCursorNotification:point -@@ -9630,6 +9826,17 @@ - (NSRect)accessibilityFrame +@@ -9630,6 +9832,17 @@ - (NSRect)accessibilityFrame if (vis_start >= vis_end) return @[]; @@ -554,7 +563,7 @@ index 8d44b5f..29b646d 100644 /* Symbols are interned once at startup via DEFSYM in syms_of_nsterm; reference them directly here (GC-safe, no repeated obarray lookup). */ -@@ -9750,6 +9957,7 @@ than O(chars). Fall back to pos+1 as safety net. */ +@@ -9750,6 +9963,7 @@ than O(chars). Fall back to pos+1 as safety net. */ pos = span_end; } @@ -562,7 +571,7 @@ index 8d44b5f..29b646d 100644 return [[spans copy] autorelease]; } -@@ -9931,6 +10139,10 @@ - (void)dealloc +@@ -9931,6 +10145,10 @@ - (void)dealloc #endif [accessibilityElements release]; @@ -573,7 +582,7 @@ index 8d44b5f..29b646d 100644 [[self menu] release]; [super dealloc]; } -@@ -11380,6 +11592,9 @@ - (instancetype) initFrameFromEmacs: (struct frame *)f +@@ -11380,6 +11598,9 @@ - (instancetype) initFrameFromEmacs: (struct frame *)f windowClosing = NO; processingCompose = NO; @@ -583,7 +592,7 @@ index 8d44b5f..29b646d 100644 scrollbarsNeedingUpdate = 0; fs_state = FULLSCREEN_NONE; fs_before_fs = next_maximized = -1; -@@ -12688,6 +12903,152 @@ - (id)accessibilityFocusedUIElement +@@ -12688,6 +12909,152 @@ - (id)accessibilityFocusedUIElement The existing elements carry cached state (modiff, point) from the previous redisplay cycle. Rebuilding first would create fresh elements with current values, making change detection impossible. */ @@ -736,7 +745,7 @@ index 8d44b5f..29b646d 100644 - (void)postAccessibilityUpdates { NSTRACE ("[EmacsView postAccessibilityUpdates]"); -@@ -12698,12 +13059,64 @@ - (void)postAccessibilityUpdates +@@ -12698,11 +13065,64 @@ - (void)postAccessibilityUpdates /* Re-entrance guard: VoiceOver callbacks during notification posting can trigger redisplay, which calls ns_update_end, which calls us