From: Philipp Stephani
To: Paul Eggert, Eli Zaretskii
Cc: aurelien.aptel+emacs@gmail.com, tzz@lifelogs.com, dancol@dancol.org, emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: Dynamic modules: MODULE_HANDLE_SIGNALS etc.
Date: Mon, 21 Dec 2015 20:15:43 +0000
In-Reply-To: <567841A6.4090408@cs.ucla.edu>

Paul Eggert wrote on Mon., 21 Dec. 2015 at 19:15:
> Eli Zaretskii wrote:
>
> > Are you
> > now saying something different from what you said back then, i.e. that
> > we cannot rely on any function/macro from lisp.h to be signal-safe?
>
> Yes and no. As I understood it, that old conversation was about functions that
> explicitly signal or throw, and it's safe to assume that EQ, NILP, etc. won't do
> that. The new conversation is about running out of memory, which is a different
> form of non-local exit. There may be other forms, such as operating-system
> signals (I don't recall exactly).
>

My comment was meant to refer only to signals and throws (i.e. the constructs described in https://www.gnu.org/software/emacs/manual/html_node/elisp/Nonlocal-Exits.html).

> > If so, we should add the necessary protection, in the form of calls to
> > MODULE_FUNCTION_BEGIN, to emacs-module.c functions that until now
> > relied on those lisp.h functions/macros to be safe.
>
> This wouldn't suffice for these other non-local exits, I think; at least, not as
> currently constructed.
>

I don't see how such a protection could be written at all. The stack overflow handler seems to be fixed.

> > AFAIK, proper C++ exception handling
> > requires non-trivial amounts of stack space that is not available when
> > there's stack overflow, where you have at most a single guard page to
> > work with.
>
> There should be workarounds for that. Surely the C++ community has run into this
> problem and has solutions. If we want to support C++ modules, we need to employ
> them.
>

The solution in C++ is simple: don't use longjmp/setjmp, and write only trivial signal handlers (that only set a flag), or use signal fds etc. I don't think C++ programs regularly try to catch stack overflows; such an attempt would almost guarantee undefined behavior, so crashing is more appropriate.

> > I think there is some misunderstanding here, or some confusion,
> > perhaps mine: emacs-module.c is not supposed to deal with any C++
> > exceptions.  C++ exceptions are supposed to be caught at the C++
> > level, below emacs-module.c, and handled there.  An exception that
> > isn't caught will be recorded and will cause all the subsequent calls
> > to Lisp or to emacs-module.c function to fail,
>
> Why bother? If C++ exceptions are supposed to be caught by the C++ module in
> question, why does Emacs need to worry about C++ exceptions that are not caught?
>

It doesn't; in fact, due to noexcept it is impossible to throw exceptions across the module interface (and any C++ module had better install a catch-all handler to avoid crashes).

> > What emacs-module.c does with non-local exits of _any_ kind is record
> > the first occurrence of such an exit, and silently return to the
> > caller, thus allowing the C++ objects on the stack to be destroyed
> > normally.  IOW, it defers the exit until internal--module-call is
> > about to return.  What problems do you see with that which cause you
> > to think it's error-prone, let alone dysfunctional?
>
> It uses a different model at the C level from what one sees in Elisp, or from
> what one normally sees in C for that matter.  I don't feel that I will really
> understand the model unless I see some actual modules that do function calls and
> exception handling; but it's hard to believe that a model that does silent
> returns and that defers returns until later and that records some returns but
> not others will be problem-free. Wouldn't it be simpler to have a module invoke
> analogs of 'condition-case' and/or 'catch', and to dispense with the
> funcall_exit stuff?
>

Please see the countless discussions on this topic, starting in February (!) with Daniel's original design:

https://lists.gnu.org/archive/html/emacs-devel/2015-02/msg00960.html
https://lists.gnu.org/archive/html/emacs-devel/2015-09/msg00548.html
https://lists.gnu.org/archive/html/emacs-devel/2015-09/msg00545.html
https://lists.gnu.org/archive/html/emacs-devel/2015-10/msg00416.html
https://lists.gnu.org/archive/html/emacs-devel/2015-11/msg02159.html

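The two rules Philipp states above, that nothing may cross the noexcept module boundary as a C++ exception and that a signal handler should do no more than set a flag, as a worked example. This is added illustration, not code from this thread or from Emacs; module_env is a hypothetical stand-in for the slice of emacs_env that records a pending non-local exit (the real emacs-module.h API differs in names and types), and the function and field names and the sample inputs are constructed for this example.

```cpp
// Added example, not Emacs code. module_env is a hypothetical stand-in for
// the part of emacs_env that records a deferred non-local exit.
#include <csignal>
#include <stdexcept>
#include <string>

// Mirror of the "return vs. signal" distinction the thread calls funcall_exit.
enum class funcall_exit { ret, signal_ };

struct module_env {
    funcall_exit pending = funcall_exit::ret;
    std::string pending_symbol;   // stand-in for the Lisp error symbol
    std::string pending_data;     // stand-in for the Lisp error data

    // Record only the first non-local exit; later ones are dropped until the
    // caller checks. This is the "record the first occurrence" rule above.
    void non_local_exit_signal(const std::string& sym, const std::string& data) {
        if (pending != funcall_exit::ret) return;
        pending = funcall_exit::signal_;
        pending_symbol = sym;
        pending_data = data;
    }
    funcall_exit non_local_exit_check() const { return pending; }
};

// RAII guard so a caller can observe that destructors ran on every path.
struct Cleanup {
    int& counter;
    explicit Cleanup(int& c) : counter(c) {}
    ~Cleanup() { ++counter; }
};

// Ordinary exception-using C++ that a module author would write.
int parse_positive(const std::string& s) {
    std::size_t pos = 0;
    int v = std::stoi(s, &pos);   // throws std::invalid_argument / std::out_of_range
    if (pos != s.size() || v <= 0)
        throw std::domain_error("not a positive integer: " + s);
    return v;
}

// The exported entry point is noexcept, like the function pointers in
// emacs-module.h under C++. Anything escaping the body would terminate the
// process, so a catch-all turns it into a recorded exit and a silent return.
// Returns the parsed value, or 0 when an exit has been recorded.
int module_parse_positive(module_env* env, const char* arg, int& cleanups) noexcept {
    Cleanup guard(cleanups);      // destroyed normally on both paths
    try {
        return parse_positive(arg);
    } catch (const std::exception& e) {
        env->non_local_exit_signal("error", e.what());
    } catch (...) {
        env->non_local_exit_signal("error", "unknown C++ exception");
    }
    return 0;
}

// Signal handling as recommended above: no longjmp, the handler only sets a
// flag of type volatile sig_atomic_t, and normal code polls it afterwards.
static volatile std::sig_atomic_t g_interrupted = 0;
extern "C" void on_signal(int) { g_interrupted = 1; }

bool install_and_poll_signal() {
    g_interrupted = 0;
    if (std::signal(SIGINT, on_signal) == SIG_ERR) return false;
    std::raise(SIGINT);           // simulate delivery of the signal
    std::signal(SIGINT, SIG_DFL);
    return g_interrupted == 1;
}

int main() {
    module_env env;
    int cleanups = 0;
    module_parse_positive(&env, "42", cleanups);    // constructed input: ok
    module_parse_positive(&env, "abc", cleanups);   // recorded, never thrown out
    module_parse_positive(&env, "-5", cleanups);    // dropped: an exit is pending
    bool ok = env.non_local_exit_check() == funcall_exit::signal_ && cleanups == 3
              && install_and_poll_signal();
    return ok ? 0 : 1;
}
```

The point of the catch(...) clause is the one Philipp makes: with the entry point declared noexcept, a body that lets any exception escape ends the whole Emacs process, so the module, not emacs-module.c, has to convert it. The Cleanup counter shows the other half of the model from the quoted text, that the silent return lets C++ objects on the stack be destroyed normally before the deferred exit is acted on.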