From: Eli Zaretskii
Newsgroups: gmane.emacs.devel
Subject: Re: Crash robustness (Was: Re: Dynamic modules: MODULE_HANDLE_SIGNALS etc.)
Date: Wed, 23 Dec 2015 20:45:07 +0200
Message-ID: <83twn9ngwc.fsf@gnu.org>
References: <83mvu1x6t3.fsf@gnu.org> <83r3iht93x.fsf@gnu.org> <838u4psznr.fsf@gnu.org> <56772054.8010401@cs.ucla.edu> <83zix4scgf.fsf@gnu.org> <5677DBC9.6030307@cs.ucla.edu> <83io3rst2r.fsf@gnu.org> <567841A6.4090408@cs.ucla.edu> <567844B9.2050308@dancol.org> <5678CD07.8080209@cs.ucla.edu> <5678D3AF.7030101@dancol.org> <83oadiqxq1.fsf@gnu.org> <5679B33E.9000804@dancol.org> <83y4cmp5y5.fsf@gnu.org> <5679B7F5.9030504@dancol.org> <83twnap4xa.fsf@gnu.org> <5679BE1D.5070903@dancol.org> <83poxxp2rl.fsf@gnu.org> <567ACB0F.9060804@dancol.org> <83a8p1oyxc.fsf@gnu.org> <567ADCC0.6090709@dancol.org> <8360zpoxru.fsf@gnu.org> <567AE04F.1010202@dancol.org> <8337utox4o.fsf@gnu.org> <567AE5A3.7010902@dancol.org>
In-reply-to: <567AE5A3.7010902@dancol.org> (message from Daniel Colascione on Wed, 23 Dec 2015 10:19:15 -0800)
To: Daniel Colascione
Cc: aurelien.aptel+emacs@gmail.com, p.stephani2@gmail.com, eggert@cs.ucla.edu, tzz@lifelogs.com, emacs-devel@gnu.org
Xref: news.gmane.org gmane.emacs.devel:196735

> Cc: eggert@cs.ucla.edu, aurelien.aptel+emacs@gmail.com,
> p.stephani2@gmail.com, tzz@lifelogs.com, emacs-devel@gnu.org
> From: Daniel Colascione
> Date: Wed, 23 Dec 2015 10:19:15 -0800
>
> >>>> We can make the alternate signal stack as large as we want.
> >>>
> >>> Not as large as is safe to run arbitrary Lisp.
> >>
> >> Then don't run arbitrary lisp after we've segfaulted.
> >
> > It's out of your control.
>
> No it isn't. We don't have to run the generic auto-save logic: in fact,
> we probably shouldn't run arbitrary lisp, because a fatal signal
> indicates that the process is in a bad state. Instead, if we really want
> to minimize the possibility of data loss, we should use a pure-C
> autosave system directly from the crash handler, not longjmp from
> arbitrary parts of the program to toplevel.

auto-save is implemented in C anyway.  But it calls functions that
might call Lisp out of your control.  We attempt to disable that when
in emergency shutdown, but it's not bullet-proof.  And there still is
a problem of buffers that don't visit files.

> The other option is to use a guard page: on stack overflow, unprotect
> the guard page (allowing program execution to proceed normally for a
> little while longer --- again, no longjmp), Fsignal at the next
> opportunity to QUIT, invoke out_of_memory after the signal, and let
> users save at that point.

The guard page is too small for any serious code.

> Regardless, the current mechanism does not achieve its goal.

Of course, it does.

> A mechanism that invokes arbitrary undefined behavior is *worse*
> than useless.

I cannot disagree more.
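The two mechanisms argued over above, a handler running on an alternate signal stack and a crash-time save path that stays in async-signal-safe C, are shown together in the following added example. It is illustrative code written for this archive page, not Emacs source, and none of its names (install_crash_handler, compose_emergency_record, simulate_crash_and_recover, the constructed buffer name "*scratch*") come from Emacs. It assumes a POSIX system with sigaltstack(2). The fatal signal is simulated with raise(SIGSEGV) rather than a real stack overflow, so the process is not actually corrupted; the siglongjmp back to a recovery point is the "longjmp to toplevel" path the thread debates, and the fallthrough to the default action is the alternative.

```c
#define _XOPEN_SOURCE 700
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Sized for the handler's own frames only; nothing here runs interpreted code. */
#define ALT_STACK_SIZE (64 * 1024)
#define RECORD_CAP 256

static sigjmp_buf recovery_point;
static volatile sig_atomic_t recovery_armed = 0;
static volatile sig_atomic_t handler_ran_on_altstack = -1;
static char emergency_record[RECORD_CAP];
static const char *pending_buffer_name = "*scratch*";  /* constructed sample name */

/* Append src to dst[pos..] with truncation; no malloc, no stdio, so handler-safe. */
static size_t safe_append(char *dst, size_t pos, size_t cap, const char *src)
{
    while (*src && pos + 1 < cap)
        dst[pos++] = *src++;
    dst[pos] = '\0';
    return pos;
}

/* Decimal conversion of a non-negative int without snprintf (not async-signal-safe). */
static void safe_itoa(int v, char *buf, size_t cap)
{
    char tmp[16];
    size_t n = 0, i = 0;
    if (v == 0)
        tmp[n++] = '0';
    while (v > 0 && n < sizeof tmp) {
        tmp[n++] = (char)('0' + v % 10);
        v /= 10;
    }
    while (n > 0 && i + 1 < cap)
        buf[i++] = tmp[--n];
    buf[i] = '\0';
}

/* Build the crash record using only the helpers above. Returns bytes written. */
size_t compose_emergency_record(char *out, size_t cap, int signo, const char *buffer_name)
{
    char num[16];
    size_t pos = 0;
    safe_itoa(signo, num, sizeof num);
    pos = safe_append(out, pos, cap, "fatal signal ");
    pos = safe_append(out, pos, cap, num);
    pos = safe_append(out, pos, cap, ": would dump ");
    pos = safe_append(out, pos, cap, buffer_name);
    pos = safe_append(out, pos, cap, "\n");
    return pos;
}

static void crash_handler(int signo, siginfo_t *info, void *ctx)
{
    stack_t ss;
    size_t n;
    ssize_t ignored;
    (void)info;
    (void)ctx;
    /* Ask the kernel whether we were switched to the alternate stack. */
    handler_ran_on_altstack =
        (sigaltstack(NULL, &ss) == 0 && (ss.ss_flags & SS_ONSTACK)) ? 1 : 0;
    n = compose_emergency_record(emergency_record, RECORD_CAP, signo, pending_buffer_name);
    ignored = write(STDERR_FILENO, emergency_record, n);  /* write(2) is signal-safe */
    (void)ignored;
    if (recovery_armed)
        siglongjmp(recovery_point, 1);  /* the debated "return to toplevel" path */
    /* Otherwise let the default action take the process down. */
    signal(signo, SIG_DFL);
    raise(signo);
}

/* Install the alternate stack and the SIGSEGV/SIGBUS handler. 0 on success. */
int install_crash_handler(void)
{
    stack_t ss;
    struct sigaction sa;
    ss.ss_sp = malloc(ALT_STACK_SIZE);
    if (ss.ss_sp == NULL)
        return -1;
    ss.ss_size = ALT_STACK_SIZE;
    ss.ss_flags = 0;
    if (sigaltstack(&ss, NULL) != 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = crash_handler;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0 || sigaction(SIGBUS, &sa, NULL) != 0)
        return -1;
    return 0;
}

/* Simulated fault: returns 1 if the handler ran and control came back here. */
int simulate_crash_and_recover(void)
{
    handler_ran_on_altstack = -1;
    if (sigsetjmp(recovery_point, 1) == 0) {  /* 1: save the signal mask too */
        recovery_armed = 1;
        raise(SIGSEGV);                       /* stands in for a real fault */
        recovery_armed = 0;
        return 0;                             /* not reached: handler jumps out */
    }
    recovery_armed = 0;
    return 1;
}

const char *last_emergency_record(void) { return emergency_record; }
int last_handler_on_altstack(void) { return (int)handler_ran_on_altstack; }
```

The point of compose_emergency_record is that everything it touches is a plain byte copy, so it can be called after the process has faulted without the handler re-entering malloc, stdio or any interpreter; the size of ALT_STACK_SIZE only has to cover those frames, which is the asymmetry the thread is about.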