June 28, 2021

On Monday, 28 June 2021 at 11:39:27 UTC, SealabJaster wrote:

>

Slightly related, but I was recently learning how to implement coroutines myself and it was crashing because MSCV's printf allocates a rather large buffer on the stack. Can't remember the exact size, but I'm pretty sure it was at least 4K.

So in other words, you can't prove it for foreign functions I believe.

printf and conversion functions are usually a typical example of functions that use large buffers on the stack. There is usually no problem with this as rich OSes have plenty of virtual stack space. If this wasn't allowed you would need to dynamically allocate memory of every printf call if not several depending what you print. This would slow down the printing function and another problem for embedded systems/systems programming is that you might want to print something before malloc/free are initialized.

Big buffers on the stack is not always because the programmer is an amateur.

June 28, 2021

On 6/27/21 2:56 PM, IGotD- wrote:

>

This is a breakout thread from this thread.

https://forum.dlang.org/thread/ghodronzxeirokyoqeag@forum.dlang.org

According to the comment from Walter.

As per Walter's recent comment in that thread, he asserts that stack allocations beyond 4k should be rejected.

in this issue:
https://issues.dlang.org/show_bug.cgi?id=17566

In general I can agree with the rationale to not allow stack frames larger than 4K when it comes to normal programming, it makes sense. However, since D is supposed to be a "systems programming language" the language should not dictate what the programmer should be able to do with the stack. It also assumes things that all systems have 4K page sizes, that the stack should be used moderately. There might be cases when the programmer wants to go nuts with stack and do a lot storage on it, for whatever reason. Therefore I think this limit should not be a language definition.

First this 4K limit should be configurable per operating system. Also there should be an option to override this limit, for example with a compiler option.

Could this be fixed by not allowing uninitialized stack segments larger than 4k? Basically, if you can't create a stack which contains a contiguous 4k of uninitialized space, then you can't skip over the guard page.

void-initialized data is pretty rare in D.

-Steve

June 28, 2021

On Monday, 28 June 2021 at 12:41:20 UTC, Steven Schveighoffer wrote:

>

Could this be fixed by not allowing uninitialized stack segments larger than 4k? Basically, if you can't create a stack which contains a contiguous 4k of uninitialized space, then you can't skip over the guard page.

void-initialized data is pretty rare in D.

-Steve

Why? When you decide not to initialize you also surpass the safety benefits of initialized values.

June 28, 2021

On 6/28/21 9:09 AM, IGotD- wrote:

>

On Monday, 28 June 2021 at 12:41:20 UTC, Steven Schveighoffer wrote:

>

Could this be fixed by not allowing uninitialized stack segments larger than 4k? Basically, if you can't create a stack which contains a contiguous 4k of uninitialized space, then you can't skip over the guard page.

void-initialized data is pretty rare in D.

Why? When you decide not to initialize you also surpass the safety benefits of initialized values.

The point is to ensure the guard page is triggered. This is not about the safety of initialized values. It's about making sure the stack pointer stays sane. I don't know about you, but I don't want to start having to worry about stack pointer correctness, even in system code.

This would be like saying null pointer dereferences only trigger a segfault in safe code, so now all system code that doesn't want to corrupt some mmapped data at the null page must first check that a pointer is not null before using. It's nonsense.

-Steve

June 28, 2021

On Monday, 28 June 2021 at 14:01:50 UTC, Steven Schveighoffer wrote:

>

The point is to ensure the guard page is triggered. This is not about the safety of initialized values. It's about making sure the stack pointer stays sane. I don't know about you, but I don't want to start having to worry about stack pointer correctness, even in system code.

This would be like saying null pointer dereferences only trigger a segfault in safe code, so now all system code that doesn't want to corrupt some mmapped data at the null page must first check that a pointer is not null before using. It's nonsense.

-Steve

If you want stack overflow safety for whatever reason, then you should do proper bounds checking for each frame. I consider the 4K limitation and poking stack pages ahead to be just hacks.

June 28, 2021

On Monday, 28 June 2021 at 14:01:50 UTC, Steven Schveighoffer wrote:

>

This would be like saying null pointer dereferences only trigger a segfault in safe code, so now all system code that doesn't want to corrupt some mmapped data at the null page must first check that a pointer is not null before using. It's nonsense.

Trapping page 0 is not foolproof. For instance if you have a pointer to a static array, you could easily be outside the range that will trap. Not all hardware can trap page 0 either. So you do end up with a solution that works often, but not always. But for stacks specifically, there is nothing that prevents you from having multiple guard pages.

Just make it user configurable: min stack depth, max stack depth, number of guard pages.

June 28, 2021

On Monday, 28 June 2021 at 14:40:12 UTC, IGotD- wrote:

>

I consider the 4K limitation and poking stack pages ahead to be just hacks.

Ditto. D shouldn't become a vendor.

June 28, 2021
On 6/28/2021 3:05 AM, ag0aep6g wrote:
> DMD does not emit stack probes. If it did, issue 17566 (and this forum thread) wouldn't exist.


https://github.com/dlang/dmd/blob/master/src/dmd/backend/cod3.d#L3599
June 29, 2021
On 28.06.21 21:34, Walter Bright wrote:
> https://github.com/dlang/dmd/blob/master/src/dmd/backend/cod3.d#L3599

From there:

----
if (config.exe & (EX_LINUX | EX_LINUX64))
        check = false;               // seems that Linux doesn't need to fault in stack pages
----

Looks like it's not done on Linux.

You might be able to fix issue 17566 by actually enabling that code.
June 29, 2021

On Sunday, 27 June 2021 at 18:56:57 UTC, IGotD- wrote:

>

This is a breakout thread from this thread.

https://forum.dlang.org/thread/ghodronzxeirokyoqeag@forum.dlang.org

According to the comment from Walter.

As per Walter's recent comment in that thread, he asserts that stack allocations beyond 4k should be rejected.

in this issue:
https://issues.dlang.org/show_bug.cgi?id=17566

I recall that Pascal debug builds added manual checks for stack overflow. This was especially necessary in real mode, where a stack overflow would just crash the PC. I don't see why D couldn't do the same. It would be useful in protected mode with small variables too, as it would allow generating a normal D exception instead of a segmentation fault.