Re: Writing libraries for C programs using Guile Scheme

[Mateusz Kowalczyk]

On 07/03/14 16:30, Mateusz Kowalczyk wrote:
> On 07/03/14 08:22, Peter TB Brett wrote:
>> Hi all,
>>
>> Recently, there have been some really horrible programming errors found in
>> widely-used and security-critical libraries (GnuTLS, for example).
>>
>> These libraries are usually written in C because C is a "lowest common
>> denominator": if a library is written in C, almost every language will be
>> able to access its functions somehow (for example, in Guile we can use the
>> dynamic FFI).
>>
>> I've now realised that it would be *really awesome* to be able to write
>> some code in Scheme, and automatically generate a .so file (or DLL) and a C
>> header file that I could then easily (and safely) use in other programs
>> without any special handling (including via Guile's FFI).  I think it would
>> be much easier to avoid some of these recent stupid "goto fail;" bugs if we
>> were writing in Scheme.
> 
> I doubt that going from a single inherently unsafe but bloody fast
> language to slightly less unsafe but much slower language is an
> advantage here…
> 
>>
>> It seems to me that most of the things needed for this are already in
>> place, although at some performance cost and probably some restrictions in
>> the sort of programs that can be written in this way:
>>
>> - Guile can already pack bytecode into ELF object files.
>> - Andy Wingo has demonstrated generation of simple native code from Guile
>> (compost!).
>> - libguile provides the infrastructure needed to load and run Guile
>> bytecode, and we can get the dynamic linker to pull it in.
>>
>> So what's needed?  I've had a few ideas for how this could work. Each
>> function exported by the library needs to have a native code stub in the
>> ELF .text section, which:
>>
>> a. Puts the thread into Guile mode
>> b. Marshals the corresponding Scheme function
>> c. Deals with uncaught exceptions - probably with SIGABRT.
>> d. Asserts that the return value from the Scheme function is a pure foreign
>> type
>> e. Leaves Guile mode
>> f. Returns
>>
>> Unfortunately I'm sure that I've missed some important bits (for example,
>> thread safety & reentrancy), and I *certainly* don't have enough low-level
>> Guile knowledge to make this work.  So I'd be very interested to hear what
>> people think about this idea.
>>
>> Best wishes,
>>
>> Peter
>>
> 
> Do you feel like you can provide correctness proofs for your
> implementations of such security critical libraries? Scheme isn't
> exactly the safest language.
> 

I should also add that you'd also have to show that the generated object
files reflect the behaviour properly.

I don't mean to sound as negative as I probably am but I'd hate to see a
broken security-critical library which offers nothing but ‘hey we get to
re-write the existing thing in our favourite dialect except slower,
clunkier to use and with new bugs!’.

-- 
Mateusz K.