[M3devel] SEGV mapping to RuntimeError

Jay K jay.krell at cornell.edu
Sun Feb 20 07:36:12 CET 2011


 - You can't get SIGSEGV w/o memory protection. SIGSEGV is generated by hardware.
 
 - Untrusted code should not be run in-process, at least unsafe untrusted code.
 
 - I don't have to reboot my computer for SIGSEGV, but individual processes are killed.
   The damage is contained as soon as it is detected. The nice thing about safe languages
   is the error is caught just before any damage is caused, i.e. array bounds checking.
 
 - Jay

 
> To: jay.krell at cornell.edu
> Date: Sat, 19 Feb 2011 17:51:07 -0800
> From: mika at async.caltech.edu
> CC: m3devel at elegosoft.com
> Subject: Re: [M3devel] SEGV mapping to RuntimeError
> 
> >But SIGSEGV I think is in another realm. It is a sign of problems that should generally
> >be ignored.
> >There is a term "fail fast" -- at a sign of problem, fail. Don't press on.
> >There are arguments either way.
> >The world, really, the larger human enterprise and setting, is not fail fast.
> >We have lots of problems, yet almost everything almost always goes on.
> 
> Well, see, when you're using a Lisp interpreter, SIGSEGV in called
> code is not in another realm (this is my problem). It is also not
> in another realm if you are implementing an operating system without
> hardware memory protection (e.g., SPIN) or if you're running untrusted
> outside code in a "sandbox" (which you CAN build with Modula-3, again
> without memory protection). How would you like it if you had to reboot
> your computer every time you dereferenced a null pointer? Sounds a bit
> like the 1950s doesn't it? Why should I have to restart my Lisp
> interpreter if I slip on the keyboard?
> 
> These are things you would never dream of doing in C but that Modula-3
> is eminently suited for doing. For precisely these sorts of purposes,
> there's a big distinction designed into the language between failures
> in "safe" code (which mean just that the code failed) and failures in
> "unsafe" code (which mean that the world ended).
> 
> If you're not doing any of the special things listed above you're free
> not to catch RuntimeError.E, in which case your program will crash on
> an uncaught exception if it receives a SIGSEGV.
> 
> 
> >I just don't think because the Green Book says something, or because it is inherent in the
> >design, that is necessarily true or inherent in the implementation.
> >There are bugs *everywhere*, and they gradually chip away at all aspects of correctness.
> 
> Dijkstra teaches that one should code to the specification. Coding to
> the implementation is a sure path to losing one's mind.
> 
> Mika