Re: RFC: (ice-9 sandbox)
From: Andy Wingo
Subject: Re: RFC: (ice-9 sandbox)
Date: Fri, 31 Mar 2017 18:26:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
On Fri 31 Mar 2017 13:33, address@hidden (Ludovic Courtès) writes:
> Andy Wingo <address@hidden> writes:
>
> The allocations that trigger ‘after-gc-hook’ could be caused by a
> separate thread, right? That’s probably an acceptable limitation, but
> one to be aware of.
Ah yes, we should document this. Sadly we just don't have very good
metrics here.
> Also, if the code does:
>
> (make-bytevector (expt 2 32))
>
> then ‘after-gc-hook’ runs too late, as the comment notes.
Yep.
> IIUC ‘@@’ is unavailable in the returned module, right?
Correct. You could put it there but that's a bad idea.
> Isn’t make-fresh-user-module + purify-module! equivalent to just
> (make-module)?
No, beautify-user-module! does a few more things too. I was thinking
that we would want to be able to work on the public interface of the
module so I wanted to make sure it was there but in retrospect we don't
need it and can probably simplify things I guess.
>> ;; These can only form part of a safe binding set if no mutable
>> ;; pair is exposed to the sandbox.
>> (define *mutating-pair-bindings*
>>   '(((guile)
>>      set-car!
>>      set-cdr!)))
>
> When used on a literal pair (mapped read-only), these can cause a
> segfault. Now since the code is ‘eval’d, the only literal pairs it can
> see are those passed by the caller I suppose, so this may be safe?
Who knows. I mean vector-set! can also cause segfaults. I think we
should fix that situation to throw an exception.
>> (define *all-pure-and-impure-bindings*
>>   (append *all-pure-bindings*
>
> Last but not least: why all the stars? :-)
> I’m used to ‘%something’.
For me I read % as being pronounced "sys" and indicating internal
bindings. Why do you use it for globals? Is it your proposal that we
use it for globals?
Andy
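The two hazards raised in this exchange, a binding set that includes set-car!/set-cdr! while caller pairs are reachable, and allocation or time limits that only take effect once a GC hook fires, can be seen together in a short caller-side wrapper. The following is an added example written for this page, not code from the original RFC or from the thread participants. It assumes the (ice-9 sandbox) module as it later shipped in Guile 2.2, where eval-in-sandbox exists and the binding lists are exported as all-pure-bindings (without the stars discussed above); run-untrusted and safe-bindings are names chosen here for illustration.

```scheme
;; Added example, not part of the original thread. Assumes the
;; (ice-9 sandbox) API of Guile 2.2: eval-in-sandbox with #:bindings,
;; #:time-limit and #:allocation-limit, and the exported list
;; all-pure-bindings (the starred names in the RFC are its drafts).
(use-modules (ice-9 sandbox))

;; A binding set that deliberately leaves out set-car! and set-cdr!,
;; so sandboxed code cannot mutate any pair the caller hands in.
;; all-pure-bindings already excludes them; naming it here makes the
;; choice explicit at the call site.
(define safe-bindings all-pure-bindings)

;; Evaluate untrusted EXPR with INPUT bound to a *copy* of the caller's
;; list.  Copying means the sandbox never sees a literal (possibly
;; read-only) pair owned by the caller, which is the segfault scenario
;; discussed above, and the caller's data cannot be changed behind its
;; back even if a mutating binding were ever added to the set.
(define (run-untrusted expr input)
  (catch #t
    (lambda ()
      (eval-in-sandbox `(let ((input ',(list-copy input))) ,expr)
                       #:bindings safe-bindings
                       #:time-limit 0.5             ; seconds, wall clock
                       #:allocation-limit (* 10 1024 1024)))   ; ~10 MiB
    ;; Any escape from the sandbox (limit exceeded, unbound variable,
    ;; wrong-type error) is reported to the caller instead of propagating.
    (lambda (key . args)
      (list 'refused key args))))

;; Usage: a benign expression, and one that tries to mutate the input.
;; (run-untrusted '(apply + input) '(1 2 3))            ; => 6
;; (run-untrusted '(set-car! input 99) '(1 2 3))        ; => (refused ...)
;;   set-car! is simply unbound inside the sandbox, so the attempt fails
;;   before any pair is touched.
```

The allocation limit is enforced from after-gc-hook, so, exactly as the thread notes, a single huge allocation such as (make-bytevector (expt 2 32)) is only noticed after the fact; a caller that needs a hard ceiling should also constrain the process (for example with a resource limit on address space) rather than rely on the hook alone.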