From: Daniel Colascione
Newsgroups: gmane.emacs.devel
Subject: Re: Crash robustness (Was: Re: Dynamic modules: MODULE_HANDLE_SIGNALS etc.)
Date: Wed, 23 Dec 2015 10:19:15 -0800
Message-ID: <567AE5A3.7010902@dancol.org>
To: Eli Zaretskii
Cc: aurelien.aptel+emacs@gmail.com, p.stephani2@gmail.com, eggert@cs.ucla.edu, tzz@lifelogs.com, emacs-devel@gnu.org

On 12/23/2015 10:09 AM, Eli Zaretskii wrote:
>> Cc: eggert@cs.ucla.edu, aurelien.aptel+emacs@gmail.com,
>> p.stephani2@gmail.com, tzz@lifelogs.com, emacs-devel@gnu.org
>> From: Daniel Colascione
>> Date: Wed, 23 Dec 2015 09:56:31 -0800
>>
>>>> We can make the alternate signal stack as large as we want.
>>>
>>> Not as large as is safe to run arbitrary Lisp.
>>
>> Then don't run arbitrary lisp after we've segfaulted.
>
> It's out of your control.
>

No it isn't. We don't have to run the generic auto-save logic: in fact, we probably shouldn't run arbitrary lisp, because a fatal signal indicates that the process is in a bad state. Instead, if we really want to minimize the possibility of data loss, we should use a pure-C autosave system directly from the crash handler, not longjmp from arbitrary parts of the program to toplevel.

The other option is to use a guard page: on stack overflow, unprotect the guard page (allowing program execution to proceed normally for a little while longer --- again, no longjmp), Fsignal at the next opportunity to QUIT, invoke out_of_memory after the signal, and let users save at that point.

You're against installing a guard page because it's something the OS does. I don't see how that's relevant, since the OS gives us APIs to achieve exactly the behavior we want. The other objection to using a guard page is that it requires determining in advance the maximum amount of stack space we want to give Emacs, but if we limit it to 8MB on Windows, 8MB of stack space should be enough anywhere.

Regardless, the current mechanism does not achieve its goal. It's utterly unsafe even without module code added to the mix. A mechanism that invokes arbitrary undefined behavior is *worse* than useless.