| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up how we reclaim local scopes.
It used to work like this (commit 3216):
1. Update refcounts of products after every instruction, EXCEPT:
a) when instruction is a non-primitive and the callee starts with
'local-scope' (because it's already not decremented in 'return')
OR:
b) when instruction is primitive 'next-ingredient' or
'next-ingredient-without-typechecking', and its result is saved to a
variable in the default space (because it's already incremented at
the time of the call)
2. If a function starts with 'local-scope', force it to be reclaimed
before each return. However, since locals may be returned, *very
carefully* don't reclaim those. (See the logic in the old `escaping`
and `should_update_refcount` functions.)
However, this approach had issues. We needed two separate commands for
'local-scope' (reclaim locals on exit) and 'new-default-space'
(programmer takes charge of reclaiming locals). The hard-coded
reclamation duplicated refcounting logic. In addition to adding
complexity, this implementation failed to work if a function overwrites
default-space after setting up a local-scope (the old default-space is
leaked). It also fails in the presence of continuations. Calling a
continuation more than once was guaranteed to corrupt memory (commit
3986).
After this commit, reclaiming local scopes now works like this:
Update refcounts of products for every PRIMITIVE instruction.
For non-primitive instructions, all the work happens in the `return`
instruction:
increment refcount of ingredients to `return`
(unless -- one last bit of ugliness -- they aren't saved in the
caller)
decrement the refcount of the default-space
use existing infrastructure for reclaiming as necessary
if reclaiming default-space, first decrement refcount of each
local
again, use existing infrastructure for reclaiming as necessary
This commit (finally!) completes the bulk[1] of step 2 of the plan in
commit 3991. It was very hard until I gave up trying to tweak the
existing implementation and just test-drove layer 43 from scratch.
[1] There's still potential for memory corruption if we abuse
`default-space`. I should probably try to add warnings about that at
some point (todo in layer 45).
|
|
|
|
|
|
|
| |
Follow-up to commit 3993: deep-copy needs to also ignore screen and
console objects. Basically channels and any fake objects passed into
tests. (The real ones will be null, which will work fine thanks to the
bugfix of commit 3996.)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fully isolate routines from their arguments.
I still need exceptions for containers that are *designed* to be
shared between routines. The primary such case is channels; we need some
way to share them between routines, and if we deep-copy them that
defeats their entire purpose.
A milder case is the use of fake file-systems in tests, though that's a
hint that there'll be more of these as the OS gets more fleshed out. The
pattern seems to be that we need to not deep-copy containers that
contain lock fields, and so their operations internally do their own
locking.
We may have to stop hard-coding the list of exceptions and allow people
to define new ones. Perhaps don't deep-copy any container with metadata
of 'shared', and then ensure that get-location is only ever called on
shared containers.
This still isn't absolutely ironclad. People can now store something
into a channel and then pass it into a routine to share arbitrary data.
But perhaps the goal isn't to be ironclad, just to avoid easy mistakes.
I'd still want an automated check for this, though. Some way to
highlight it as an unsafe pattern.
This completes step 1 in the plan of commit 3992 for making
continuations safe.
|
|
Plan:
1. Fix a hole where addresses are shared between routines when passed in
as arguments to `start-running`.
2. Switch to a new approach to refcount management: instead of updating
refcounts when writing products of instructions by default, increment
refcounts inside instructions by default and decrement refcounts in
caller. More details in future when I actually implement this.
3. Now we shouldn't need a distinction between `new-default-space` and
`local-scope`, and all functions can simply decrement refcounts of
their default-space, consistently handling any refcounts in the space.
At this point if all goes well, continuations should be safe!
This commit is just preparation for step 1.
|