[Vm-dev] Re: [Pharo-project] how to change the default size of
the Pharo host windows?
Andreas Raab
andreas.raab at gmx.de
Wed May 19 04:16:11 UTC 2010
On 5/18/2010 7:41 PM, Igor Stasenko wrote:
> On 19 May 2010 04:38, Andreas Raab<andreas.raab at gmx.de> wrote:
>> And of course, when the very same people who have no clue about C and memory
>> management corrupt their heap by the use of the FFI you get these complaints
>> about how 'unstable' the system is. How very ironic.
>
> That's not ironic. That's plain stupid.
> If people using FFI, and don't realizing what is 'direct memory
> access', and all consequences
> of it, then you will simply waste your time arguing with them about
> 'safety', whatever meaning they putting in it.
>
> But i doubt you'll find such people. The point is, that there always
> should be a wrapping layer,
> written either in form of plugin or using FFI , which provides such safety.
See, this is where you're wrong. These problems are never *that* simple.
If the stuff just crashes it'd be trivial to find. It's like concurrency
bugs - when they're outright broken they're usually broken in 'easy'
ways. However, the problems often show in forms where the system crashes
unreproducibly two days before ship date. And the only way to work
through this stuff is by proving yourself that the problem can't be here
or there and to narrow it down to a place where you have a chance to
find it.
To give an example, for a long time we had apparently random VM crashes
due to using vertex arrays in OpenGL. The code was as simple as one
could think; just pushing the gl[Vertex|Color|Normal]Pointers into the
context and call glDrawArrays. We found that this would crash because
(as the name implies) the state is 'client' state and the GL actually
keeps a pointer to the data. So if the operations would be interrupted
by a process switch, if that process would cause a (full) GC, and if
that GC would collect enough data to free that memory region, then and
only then it would crash. This is how these problems show; there's
nothing outright 'stupid' about it. BTW, the solution: Moving the entire
operation into a plugin so that all of it is atomic.
>> In any case, my definition of 'safety' is not the same you're implying
>> above. It mostly relates to memory safety.
>>
>> BTW, many of the sticky points you're mentioning could be fixed by having a
>> 'panic' button for the VM that simply suspends all processes and fires up a
>> single new process to listen on a port and take commands. SSH into the image
>> and you can see what you can repair. And yet again, it's the VM that
>> provides the way out here because your in-image handling of the panic button
>> could already be compromised.
>>
> panic button won't help if you do
> Array setFormat: 88888. or Object become: nil.
Sure. I never said there'd be perfect safety. There's no such thing. But
that doesn't mean you shouldn't try to improve things. And a panic
button could make many situations much less problematic than they are
today. But the point here really is that by having the VM, instead of
the image, do that, you get a level of indirection that can help fixing
the broken parts.
> So, i'd rather focus on a such design, where direct manipulation with
> critical parts
> of environment is sufficiently guarded against fools, by using safety
> wrappers or
> multi-level capability-based mechanisms.
If you know how to use that to ensure that you're not dereferencing an
invalid pointer I'm all ears. Seriously. If there's a safe way to use
that stuff I'd love to use it.
I should also point out that there *are* ways to do that safely. It
depends on whether the thing you're talking to is memory safe or not. In
our products we ship a Python bridge where you talk from Squeak to
Python and back. That bridge is safe and I have no problems exposing it
because it's objects on either end. You never get your hands on a
'pointer' you only get our hands on a Python object in Squeak or a
Squeak object in Python that you can send messages to. Since Python is
GCed as well the bridge comes down to a bit of mapping between Squeak
and Python objects and after that's it's a complete and open
free-for-all (incl. callbacks, error propagation and more).
I'm completely game for a similar bridge to Java or .NET or any other
memory safe object system. It's that memory unsafe stuff that I object to.
> If you would ask me, how one could use smalltalk for scripting , then
> first thing, what we should do
> is to change VM to be a dynamically loadable library, with nice and
> consistent API.
Yes, indeed. When I wrote the bridge it was quite an eye opener. Both
sides provide the same basic stuff, but what a difference in the
interface! Clearly, the Python folks designed theirs to be used from
C/C++ and clearly, we didn't ;-)
Cheers,
- Andreas
More information about the Vm-dev
mailing list