From: Stefan Monnier <monnier@iro.umontreal.ca>
To: "João Távora" <joaotavora@gmail.com>
Cc: Glenn Morris <rgm@gnu.org>, emacs-devel <emacs-devel@gnu.org>
Subject: Re: Safety of elisp-flymake-byte-compile (Was Re: [Emacs-diffs] scratch/allow-custom-load-paths)
Date: Sun, 09 Dec 2018 21:22:36 -0500
Message-ID: <jwv1s6qcfc2.fsf-monnier+emacsdiffs@gnu.org>
In-Reply-To: <87mupe9qqw.fsf@gmail.com> ("João Távora"'s message of "Mon, 10 Dec 2018 00:20:39 +0000")

>>> 1. Create an elisp-flymake-maybe-enable function that checks the buffer
>>> for top-level forms that _could_ make it unsafe for byte-compiling on
>>> the fly. This would include, but not be limited to, eval-and-compile,
>>> eval-when-compile, defmacro, cl-defmacro, any "unknown" top-level
>>> form. This will generate a lot of false positives (positive meaning
>>> "unsafe") but perhaps it could be made to generate 0 false negatives
>>> and still successfully vet a good number of elisp files.
>>
>> I was thinking that we can probably do it without a separate check:
>
> You mean do it directly in elisp-flymake--batch-compile-for-flymake?
> Yeah, that's definitely a good idea.

I'm saying "without another traversal of the code".
I.e. elisp-flymake--batch-compile-for-flymake would just call the
byte-compiler in a different way (either via a new entry-point, or by
let-binding some new variable) to cause it to be more careful (and not
worry about generating correct&efficient code).

>> In bytecomp.el, when working in "flymake" mode (a mode in which the
>> output bytecode is not actually needed) we'd treat eval-when/and-compile
>> just like `progn`, and we'd mark some other macros as "unsafe"
>> (in which case we'd treat the corresponding calls as if they expanded
>> to nil) and when we see a defmacro, we use `unsafep` to decide whether
>> that macro should be treated as unsafe
>
> Trying to parse this... You mean when we see a call to a macro, not when
> we see a `defmacro' top-level form, right?

Right.

>> (so we could still macro expand
>> locally defined macros as long as they're simple enough).
>
>> Also, in that mode, we'd likely skip byte-opt altogether as well as
>> compiler macros.
>
> OK. What's byte-opt BTW? Optimization?

See lisp/emacs-lisp/byte-opt.el
It's two byte-optimizers: one applied on the Elisp code after
macro-expansion, and another applied on the byte-code.

>> The most obvious remaining holes there would be macros defined by
>> installed packages and whose expansion includes execution of some of its
>> arguments (cl-eval-when being the most obvious one, but there are many
>> more subtle ones).
>
> So basically, in your proposal, package authors would use sth. like
> (declare (flymake-safe t)) in their defmacros?

The macros defined in the flymake'd file wouldn't need any declaration:
they'd all be treated as suspicious and checked via `unsafep`.
For the macros defined in already-loaded packages, I'm not sure
what would be the better option between a whitelist (such as the `flymake-safe`
declaration above) or a blacklist or something in-between.

> But then we would have to prompt the user to accept or reject these
> marks right?

Since they're in the files we already trust I don't think that's needed.

> I don't think I completely understood your idea: what about, for
> example, eglot.el's macrology that checks LSP interface destructuring at
> compile-time? There are some eval-when-compile's there right now:
>
>   (eval-and-compile
>     (defvar eglot--lsp-interface-alist
>       `(
>         (CodeAction (:title) (:kind :diagnostics :edit :command))
>         (Command (:title :command) (:arguments))
>         ...)
>       "Alist of (INTERFACE REQUIRED-KEYS OPTIONAL-KEYS)"))
>
> And then
>
>   (eglot--dbind ((Command) title not-really-a-key) some-lsp-object
>     (do-something-with title not-really-a-key))
>
> gives me a nice warning that not-really-a-key isn't in the "Command"
> interface. How would that work in your new elisp-flymake-byte-compile?

It would only work once `eglot--dbind` is defined by a package in
`load-path` (and after that package defined eglot--lsp-interface-alist).
But not if you just open eglot.el.

> Also, what do you think of my option 2 to disable most of the system
> interface when flymaking?

Providing ways to run Elisp in a confined environment would be useful in
various circumstances, but it's non-trivial.

Stefan
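
The handling discussed in this message (treat `eval-when-compile`/`eval-and-compile` like `progn`, vet macros defined in the checked file with `unsafep`, and treat calls to rejected macros as if they expanded to nil), sketched as a stand-alone pre-check over top-level forms. This is an added example, not code from the thread or from Emacs: every `my-flymake-vet-` name and the sample buffer are hypothetical, and it assumes plain `defmacro` argument lists.

```elisp
;;; -*- lexical-binding: t -*-
;; Added sketch: `my-flymake-vet-' names are hypothetical, not Emacs API.
(require 'seq)
(require 'unsafep)

(defvar my-flymake-vet--unsafe nil
  "Macros from the vetted file that `unsafep' rejected.")

(defun my-flymake-vet--macro-reason (args body)
  "Return nil if expanding a macro with ARGS and BODY looks harmless.
Otherwise return a reason.  `declare' forms are skipped, not vetted."
  (if (not (seq-every-p #'symbolp args))
      '(unsupported-arglist)     ; destructuring arglist: stay conservative
    (let ((vars (seq-remove (lambda (s) (memq s '(&optional &rest))) args)))
      (seq-some (lambda (form) (unsafep form vars))
                (cdr (macroexp-parse-body body))))))

(defun my-flymake-vet--form (form)
  "Return a list of findings for top-level FORM without evaluating it."
  (pcase form
    ;; Treated like `progn': look inside, never evaluate.
    (`(,(or 'eval-when-compile 'eval-and-compile 'progn) . ,body)
     (mapcan #'my-flymake-vet--form body))
    ;; Macros defined in the checked file are all suspicious.
    (`(defmacro ,name ,args . ,body)
     (let ((reason (my-flymake-vet--macro-reason args body)))
       (when reason (push name my-flymake-vet--unsafe))
       (list (if reason `(unsafe-macro ,name ,reason) `(safe-macro ,name)))))
    ;; A call to a rejected macro is treated as if it expanded to nil.
    (`(,(and head (guard (memq head my-flymake-vet--unsafe))) . ,_)
     (list `(call-treated-as-nil ,head)))))

(defun my-flymake-vet-buffer ()
  "Read and classify every top-level form in the current buffer."
  (let ((my-flymake-vet--unsafe nil) forms)
    (save-excursion
      (goto-char (point-min))
      (condition-case nil
          (while t (push (read (current-buffer)) forms))
        (end-of-file nil)))
    (mapcan #'my-flymake-vet--form (nreverse forms))))

;; Constructed sample: one macro only builds a list, the other touches
;; the file system during expansion.
(with-temp-buffer
  (insert "(defmacro my-twice (x) (list 'progn x x))\n"
          "(eval-when-compile (defmacro my-bad (f) (delete-file f) nil))\n"
          "(my-bad \"constructed-file\")\n")
  (my-flymake-vet-buffer))
```

`unsafep` is conservative: any function it does not know to be side-effect-free is reported as a reason, so a check like this rejects many harmless macros but never expands one it could not vet.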