> On Sep 9, 2017, at 7:38 PM, Zachary Turner <ztur...@google.com> wrote: > > Sure, but reading a core file involves handling user input. Obviously that > has to be sanitized and you can't crash on user input. I don't think there's > ever been any disagreement about that. On the other hand, if you just type an > expression in the debugger and expect an answer back, after clang says the > ast is valid, the whole stack should be asserts all the way down, because > everything is validated
Yes, but even that ends up not matching with the facts on the ground, because the debug information for types as used by lldb has to be produced from debug info, and the debug info can be malformed and not infrequently is. So at some point clang is going to ask for something that it assumes must always be available because if it had read the types in from header files it would have asserted at an early stage but when it is fed types from debug info incrementally - which is the only efficient way the debugger can do it - is going to cause something to look wrong at a point where that “shouldn’t be possible.” clang's rigid structure means it can’t cope with this and will crash on something the user didn’t themselves get wrong. According to your classification, we should really consider debug information “user input” as well. But that means we’re wiring “user input” into a pretty deep place in clang and you’d probably have to weaken your strict assert model to handle that. And it makes me wonder if there’s anything the debugger consumes that wouldn’t fall into this category? For instance, we also let plugins provide threads and their stacks, and we try pretty hard not to crash and burn if these plugins get it a little wrong. So process state really needs to be treated as “user data” as well. And since we use SPI’s for most of this info that we are pretty much the only clients of, they can be expected to be flakey as well, again a fact that we should not inflict on users of the debugger if we can help it. The answer of trying to do everything dangerous out of process I think will make a slow and fragile architecture. And while I agree with the llvm.org decision not to use C++ exceptions because they make reasoning about the program more difficult, replacing that with SIGSEGV as the exception mechanism of choice seems really weak. You are not the first person to point out that we could use the crash-protected threads, but I’m remain very unenthusiastic about this approach... Moreover, there are a bunch of problematic areas in lldb, but I don’t think any of them are problematic for the reasons that you are describing here. There are areas of weak memory management in the data formatters & some places where we don’t manage locking right in handling process stops & the reconstruction of program state after that, and those cause the vast majority of the infrequent but annoying crashes we see. I don’t myself believe that putting in this assert everywhere architecture would pay off in reduced crashes to compensate for the brittleness it would introduce. Finally, and most crucially, no failure of any expression evaluation and no malformed type is worth taking down a debug session, and it’s our responsibility working on lldb to make sure it doesn't. If the makes our job a little harder, so be it. This was Jason’s point earlier, but it is worth reiterating because it makes lldb a very different kind of program from all the other programs in the suite collected under the llvm project. If the compiler gets into an inconsistent state compiling a source file, it’s fine for it to just exit. It wasn’t going to do any more useful work anyway. That is definitely NOT true of lldb, and makes reasonable the notion that general solutions that seem appropriate for the other tools are not appropriate for lldb. Jim > On Sat, Sep 9, 2017 at 6:53 PM Jim Ingham <jing...@apple.com > <mailto:jing...@apple.com>> wrote: > I think we are talking at cross purposes. Seems to me you are saying “If we > can assert that the answers to questions I ask must always copacetic, then we > can express that in software, and that will make things so much easier". I’m > saying "my experience of the data debuggers have to deal with is such that > assuming such assertions will lead you to over-react to such errors. Instead > you should write your code so that if somebody gives you bad data you don’t > fall over allowing the people who called you to decide how important the > error was.” Every core file that was written out by OS X for years had a > section that was ill-formed. Asserting when you get an ill-formed object > file might seem a good way to ensure that you don’t have to make guesses that > might lead you astray. But the people who need to load core files on OS X > are rightly unmoved by such arguments if lldb disappears out from under them > when reading in core files. > > Jim > > > >> On Sep 9, 2017, at 1:31 PM, Zachary Turner <ztur...@google.com >> <mailto:ztur...@google.com>> wrote: >> >> >> >> On Sat, Sep 9, 2017 at 12:04 PM Jim Ingham <jing...@apple.com >> <mailto:jing...@apple.com>> wrote: >> >> I disagree here. If you can reasonably unwind from an error you should do >> so even if you can’t figure out how you could have gotten an answer you >> didn’t expect. If an API is returning a pointer to something you should >> assume it might return nullptr unless the API explicitly states otherwise. >> But that's exactly what an assert is. It's an explicit statement by the API >> about what should happen. Which is why by adding them liberally, these >> assumptions can then be propagated all the way up through many layers of the >> code, vastly simplifying the codebase. >> >> if you have >> >> void *foo(int x) { >> // do some stuff >> >> assert(x < 0 || foo != nullptr); >> } >> >> Then you're documenting that if x is greater than 0, the caller doesn't need >> to check the return value for nullptr. Now instead of this: >> >> void *bar(unsigned x) { >> void *ptr = foo(x); >> if (!ptr) { >> // log an error >> return nullptr; >> } >> return ptr; >> } >> >> You just have >> >> void *bar(unsigned x) { >> void *ptr = foo(x); >> assert(x); >> return x; >> } >> >> And now the caller of bar doesn't have to check either. The code has >> greatly reduced complexity due to the butterfly efflect of propagating these >> assumptions up. >> >> This is a simple example but the point is that building assumptions into >> your API is a good thing, because you can enforce them and it vastly >> simplifies the code. >
_______________________________________________ lldb-commits mailing list lldb-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-commits
