From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: Dynamic modules: MODULE_HANDLE_SIGNALS etc.
Date: Wed, 23 Dec 2015 18:07:26 +0200
Message-ID: <83poxxp2rl.fsf@gnu.org>
In-reply-to: <5679BE1D.5070903@dancol.org> (message from Daniel Colascione on Tue, 22 Dec 2015 13:18:21 -0800)
To: Daniel Colascione
Cc: aurelien.aptel+emacs@gmail.com, p.stephani2@gmail.com, eggert@cs.ucla.edu, tzz@lifelogs.com, emacs-devel@gnu.org

> Cc: eggert@cs.ucla.edu, aurelien.aptel+emacs@gmail.com,
>  p.stephani2@gmail.com, tzz@lifelogs.com, emacs-devel@gnu.org
> From: Daniel Colascione
> Date: Tue, 22 Dec 2015 13:18:21 -0800
>
> >> Which is why you setjmp in places where you have a significant stack
> >> reserve.
> >
> > There's no way of doing that portably, or even non-portably on many
> > platforms.  You simply don't _know_ how much stack is left.
>
> You can probe at program start and pre-allocate as much as is reasonable.

Pre-allocate what?  Are you suggesting that Emacs allocates its own
stack, instead of relying on the one provided by the linker and the OS?

> >> Longjmp, by itself, is simple and clear. What's unreliable is longjmping
> >> to Lisp at completely arbitrary points in the program, even ones marked
> >> "GC can't happen here" and the like.
> >
> > We longjmp to a particular place, not an arbitrary place.
>
> But we longjmp _from_ anywhere, and "anywhere" might be in the middle of
> any delicate code sequence, since the compiler can generate code to
> write to new stack slots at any point.

I simply don't see any trouble this could cause, except leaking some
memory.  Can you describe in enough detail a single use case where this
could have any other adverse effects that we should care about when
recovering from stack overflow?

> >> You say Emacs shouldn't crash. Fine. We can't make that guarantee
> >> if the crash recovery code breaks program invariants.
> >
> > Crash recovery doesn't need to keep invariants.  Or maybe I
> > misunderstand what invariants you have in mind.
>
> Any stack allocation anywhere in the program can longjmp. It's
> impossible to reason about safety in that situation.

Emacs is not safety-critical software, so there's no requirement to
reason about safety.  Since I think the recovery's only role is to allow
the user to exit Emacs in a controlled way without losing work, I simply
don't see any problem that could be caused by longjmping from an
arbitrary stack allocation.  After all, stack allocation is just
assignment of a value to a register, and sometimes grafting a range of
memory pages into the memory set.

> >> Failing that, we should allocate guard pages, unprotect the guard
> >> pages on overflow
> >
> > That's what the OS is for.  It would be wrong for us to start messing
> > with page protection etc.  The exception caused by stack overflow
> > removes protection from the guard page to let you do something simple,
> > like run the exception handler -- are you suggesting we catch the
> > exception and mess with protection bits as well, i.e. replace one of
> > the core functions of a modern OS?  All that because what we have now
> > is not elegant enough for us?  Doesn't sound right to me.
>
> We have a program that has its own Lisp runtime, has its own memory
> allocation system, uses its own virtual filesystem access layer, and
> that brings itself back from the dead. We're well past replicating OS
> functionality.

Actually, most of the above is simply untrue: we use system allocators
to allocate memory, use mundane C APIs like 'open' and 'read' to access
files, and if by "bringing itself from the dead" you allude to unexec,
then what it does is a subset of what every linker does, hardly OS
stuff.

I think we should strive to distance ourselves from the OS business, not
the other way around.  There was a time when doing complex things
sometimes required messing with low-level functionality like that, but
that time is long past.  Allocating our own stack, setting up and
managing our own guard pages and the related exceptions -- we shouldn't
go back there.

> It's not a matter of elegance: it's a matter of correctness. The current
> scheme is unsafe.

Emacs is not safety-critical software.  It doesn't need to be "safe" by
your definition, if I understand it correctly.

> >> and call out_of_memory so that it's obvious Emacs is in a bad
> >> state. This way, we don't have to longjmp out of arbitrary code
> >> sequences.
> >
> > There's no problem longjmping out of arbitrary code sequences.  When
> > you debug a program, you do that all the time.
>
> In GDB, interrupting normal control flow is not part of standard
> debugging practice.

??? Every time a debuggee hits a breakpoint, the normal control flow is
interrupted, and you in effect have a huge longjmp -- from the debuggee
to the debugger.