Paul Eggert <address@hidden
> schrieb am Mo., 21. Dez. 2015 um 19:15 Uhr:
Eli Zaretskii wrote:
> Are you
> now saying something different from what you said back then, i.e. that
> we cannot rely on any function/macro from lisp.h to be signal-safe?
Yes and no. As I understood it, that old conversation was about functions that
explicitly signal or throw, and it's safe to assume that EQ, NILP, etc. won't do
that. The new conversation is about running out of memory, which is a different
form of non-local exit. There may be other forms, such as operating-system
signals (I don't recall exactly).
> If so, we should add the necessary protection, in the form of calls to
> MODULE_FUNCTION_BEGIN, to emacs-module.c functions that until now
> relied on those lisp.h functions/macros to be safe.
This wouldn't suffice for these other non-local exits, I think; at least, not as
I don't see how such a protection could be written at all. The stack overflow handler seems to be fixed.
> AFAIK, proper C++ exception handling
> requires non-trivial amounts of stack space that is not available when
> there's stack overflow, where you have at most a single guard page to
> work with.
There should be workarounds for that. Surely the C++ community has run into this
problem and has solutions. If we want to support C++ modules, we need to employ
The solution in C++ is simple: don't use longjmp/setjmp, and write only trivial signal handlers (that only set a flag), or use signal fds etc. I don't think C++ programs regularly try to catch stack overflows; such an attempt would almost guarantee undefined behavior, so crashing is more appropriate.
> I think there is some misunderstanding here, or some confusion,
> perhaps mine: emacs-module.c is not supposed to deal with any C++
> exceptions. C++ exceptions are supposed to be caught at the C++
> level, below emacs-module.c, and handled there. An exception that
> isn't caught will be recorded and will cause all the subsequent calls
> to Lisp or to emacs-module.c function to fail,
Why bother? If C++ exceptions are supposed to be caught by the C++ module in
question, why does Emacs need to worry about C++ exceptions that are not caught?
It doesn't, in fact due to noexcept it is impossible to throw exceptions across the module interface (and any C++ module had better install a catch-all handler to avoid crashes).
> What emacs-module.c does with non-local exits of _any_ kind is record
> the first occurrence of such an exit, and silently return to the
> caller, thus allowing the C++ objects on the stack to be destroyed
> normally. IOW, it defers the exit until internal--module-call is
> about to return. What problems do you see with that which cause you
> to think it's error-prone, let alone dysfunctional?
It uses a different model at the C level from what one sees in Elisp, or from
what one normally sees in C for that matter. I don't feel that I will really
understand the model unless I see some actual modules that do function calls and
exception handling; but it's hard to believe that a model that does silent
returns and that defers returns until later and that records some returns but
not others will be problem-free. Wouldn't it be simpler to have a module invoke
analogs of 'condition-case' and/or 'catch', and to dispense with the
Please see the countless discussions on this topic, starting in February (!) with Daniel's original design: