On Sat, Mar 6, 2021 at 10:57 AM Eli Zaretskii wrote:
> > From: Pip Cet
> > Date: Sat, 6 Mar 2021 09:44:18 +0000
> > Cc: Stefan Monnier, emacs-devel@gnu.org
> >
> > I thought this code in code_conversion_save was safe:
> >
> >   Lisp_Object name
> >     = Fgenerate_new_buffer_name (Vcode_conversion_workbuf_name, Qnil);
> >   workbuf = Fget_buffer_create (name, Qt);
> >
> > but I had misread the second argument to Fget_buffer_create: it's
> > inhibit-hooks, not run-hooks.
> >
> > So I'm not sure whether code_conversion_save is allowed to call Lisp.
>
> I'd rather it didn't, for more than one reason. But we can side-step
> this by making Fgenerate_new_buffer_name use random-fixnum, which is
> still a pure-C implementation.

Here's a patch which makes it use get_random() directly.

> > It would really help to document the "doesn't call Lisp" and "doesn't
> > quit" restrictions somewhere (but I'm not volunteering...)
>
> I agree, on both counts.

Actually, I think it would be best to have these restrictions
represented in the code. I see two ways of doing that:

1. Have FUNCTION_MAY_GC etc. translate into a GCC attribute in debug
   builds so we can statically check that a function that says it never
   calls GC doesn't call a function that says it may call GC.

2. Have a statement at the beginning of non-GCing functions which sets
   a flag that is then checked by garbage-collecting functions, so that
   we may dynamically check this.

(1) seems easy to implement, but has a high rate of false negatives as
many functions are safe to call from non-GCing functions as long as the
arguments are correct. (2) is difficult to implement, and would only
trigger at runtime.

So I say we should do (1) in preference to (2), but maybe we should do
both.

Pip
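
The dynamic check proposed as option (2) in the message above, as an added C example that is not part of the message, the patch, or Emacs source. It shows the check firing only on the path actually taken: the same call is flagged when hooks run and passes when they are inhibited. Every name here (no_gc_enter, toy_garbage_collect, toy_get_buffer_create and the rest) is hypothetical, and the link from running hooks to the collector is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* All names are hypothetical; this is a toy model, not Emacs source.  */
static int no_gc_depth;          /* > 0 while a "never GCs" function runs */
static const char *no_gc_owner;  /* outermost function that made the promise */
static const char *violation;    /* owner of the first broken promise, or NULL */
static int gc_runs;              /* collections that actually ran */

static void no_gc_enter (const char *fn)
{
  if (no_gc_depth++ == 0) no_gc_owner = fn;
}

static void no_gc_leave (void)
{
  if (--no_gc_depth == 0) no_gc_owner = NULL;
}

/* Stand-in for the collector entry point: it checks the flag first.  */
static void toy_garbage_collect (void)
{
  if (no_gc_depth == 0) { gc_runs++; return; }
  if (!violation) violation = no_gc_owner;  /* a checking build would abort */
}

/* Assumed for the model: running hooks means running Lisp, which may GC.  */
static void toy_get_buffer_create (bool inhibit_hooks)
{
  if (!inhibit_hooks) toy_garbage_collect ();
}

/* Promises not to GC; returns the name recorded if the promise broke.  */
static const char *toy_code_conversion_save (bool inhibit_hooks)
{
  violation = NULL;
  no_gc_enter (__func__);
  toy_get_buffer_create (inhibit_hooks);
  no_gc_leave ();
  return violation;
}

int main (void)
{
  const char *v = toy_code_conversion_save (false);
  printf ("hooks run:       %s\n", v ? v : "ok");
  v = toy_code_conversion_save (true);
  printf ("hooks inhibited: %s\n", v ? v : "ok");
  return 0;
}
```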