From: Daniel Colascione <dancol@dancol.org>
To: Eli Zaretskii <eliz@gnu.org>
Cc: aurelien.aptel+emacs@gmail.com, p.stephani2@gmail.com,
eggert@cs.ucla.edu, tzz@lifelogs.com, emacs-devel@gnu.org
Subject: Re: Dynamic modules: MODULE_HANDLE_SIGNALS etc.
Date: Tue, 22 Dec 2015 12:31:58 -0800
Message-ID: <5679B33E.9000804@dancol.org>
In-Reply-To: <83oadiqxq1.fsf@gnu.org>
On 12/22/2015 08:01 AM, Eli Zaretskii wrote:
>> Cc: aurelien.aptel+emacs@gmail.com, p.stephani2@gmail.com, tzz@lifelogs.com,
>> emacs-devel@gnu.org
>> From: Daniel Colascione <dancol@dancol.org>
>> Date: Mon, 21 Dec 2015 20:38:07 -0800
>>
>> Right now, when we get a SIGSEGV, we check the siginfo_t the OS gives us
>> by calling stack_overflow on it; if that returns true, we longjmp to
>> toplevel. We configure the sigsegv handler to run on an alternate stack,
>> so we'll always have space to do that much work. The longjmp restores
>> the original stack. On the other side of the longjmp, we resume
>> execution with our regular stack, but much further up the stack. At this
>> point, we know we have a stack overflow, because nothing else longjmps
>> to return_to_command_loop.
>>
>> Now, if we return normally to a C++ caller with an error indication set,
>> the C++ caller will almost certainly have enough stack space to throw
>> its own exception and propagate the exception further.
>
> I very much doubt that. The alternate stack is quite small (AFAIK,
> the standard value that we are using, SIGSTKSZ, is something like
> 8KB). Running arbitrary C++ code on such a small stack is not safe.
> (My understanding is that the value of SIGSTKSZ should suffice for
> calling printf, and that's about it.) There will be high risk of
> hitting yet another stack overflow, this time a fatal one.

We're not talking about running arbitrary C++ code on the small stack.
The longjmp transfers execution to the original stack, but with the
context popped off.

Overflow stack:   A B C D E F G
Signal stack:     1 2 3 longjmp
Resumption stack: A B C

>
>> unwind_to_catch isn't really very different from the longjmp to
>> return_to_command_loop: I don't see any reason we can't run it on the
>> alternate signal stack. In fact, I don't see why we can't replace
>> return_to_command_loop generally with Fsignal.
>
> See above: I think running arbitrary Lisp code on an 8KB stack is even
> less safe than with C++ code. We avoid doing that for a good reason.
> Let me remind you that Emacs on Windows sets up an 8MB stack (as
> opposed to the standard 2MB) because it is necessary in some
> situations, like matching some regexps. 8MB, not 8KB! A Lisp unwind
> handler can do anything at all, so I think running the unwinding code
> from a stack overflow is not an option, if we want to make sure stack
> overflow recovery will not hit another fatal stack overflow in most
> cases.
>
>> I really don't like the stack overflow protection stuff in general
>> though. It's not possible to robustly recover, because the stack
>> overflow detection turns *any* function call into an operation that
>> might return non-locally. In that environment --- where, say, XCAR might
>> end up running lisp --- it's hard to maintain invariants.
>
> It might be less than nice or elegant, but Emacs should give the user
> an opportunity to save their work.
>
>> I'd rather Emacs just die on C stack overflow, except when we know
>> we're running Lisp in such a way that we know we can recover.
>
> You are in effect saying the stack overflow recovery code should not
> have been added to Emacs. But we already decided that an attempt to
> recover is a useful feature, and I see no reason to go back. Even if
> this works only in some cases, partial recovery is better than a
> hard crash, because it lets users save their work.
Or it actually corrupts their work, because the Emacs core is in a bad
state. We can gracefully recover from stack overflow of Lisp code. We
cannot recover from stack overflow at arbitrary points in the C core.
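
The mechanism discussed in this message (SIGSEGV handler on an alternate stack, then a longjmp back to a frame on the original stack), as an added example that is not part of the original message and not Emacs code. The names toplevel, on_segv, recurse and run_guarded and the 64 KiB alternate stack are assumptions made for the sketch, and it treats every SIGSEGV as a stack overflow instead of checking the siginfo_t the way stack_overflow is described as doing.

```c
#define _XOPEN_SOURCE 700
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf toplevel;   /* plays the role of return_to_command_loop */

/* Runs on the alternate stack ("1 2 3" in the diagram): do no real work
   here, only jump back to a frame that is still valid. */
static void on_segv(int sig)
{
    (void) sig;
    siglongjmp(toplevel, 1);
}

/* Bounded, non-tail recursion; each frame owns about 1 KiB of stack. */
static int recurse(int depth, int limit)
{
    volatile char pad[1024];
    pad[0] = 1;
    if (depth >= limit)
        return 0;
    return recurse(depth + 1, limit) + pad[0];
}

/* 0: recursion finished normally, 1: recovered from overflow, -1: setup failed. */
static int run_guarded(int limit)
{
    static char altstack[1 << 16];   /* constructed size for this sketch */
    stack_t ss = { .ss_sp = altstack, .ss_size = sizeof altstack, .ss_flags = 0 };
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_ONSTACK;        /* without it the handler has no stack left to run on */
    sigemptyset(&sa.sa_mask);
    if (sigaltstack(&ss, NULL) != 0 || sigaction(SIGSEGV, &sa, NULL) != 0)
        return -1;
    if (sigsetjmp(toplevel, 1))      /* 1: restore the mask, SIGSEGV is blocked in the handler */
        return 1;                    /* back on the original stack; the deep frames are gone */
    recurse(0, limit);
    return 0;
}

int main(void)
{
    printf("shallow=%d runaway=%d\n", run_guarded(100), run_guarded(1 << 30));
    return 0;
}
```

Nothing in the abandoned frames gets a chance to clean up before control reappears at sigsetjmp, which is the invariant problem the message raises about overflow at arbitrary points in the C core.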