On Sun, Apr 3, 2011 at 3:17 PM, Werner LEMBERG <w...@gnu.org> wrote:
>>> I do. Any user program *must not* produce a segfault IMHO if fed
>>> with user data, regardless of its origin.
>>
>> Is it possible to make guile crash?
>
> Maybe. However, with `crash' I mean that lilypond aborts with a
> segfault or something similar. It's quite easy to write an endless
> loop or to exhaust the memory, but in the former case lilypond's guile
> interpreter just hangs, and you should be able to abort with ^C, and
> in the latter case lilypond should abort with a proper (Guile) error
> message, and maybe we can add some measures to prevent implausible
> memory allocations.

LilyPond exposes large parts of the internal implementation through the Scheme interface, and that has as a side-effect that there are many ways for users to break lilypond. This is unlikely to lead to arbitrary behavior, as Guile values themselves are type tagged. The worst that can happen is that a value is incorrectly type-cast, which leads to either a null dereference or some other type assertion. I don't think it is productive to try to systematically plug all these errors; at best, you'll replace a bunch of segmentation faults with just as unhelpful assertion failures.

--
Han-Wen Nienhuys - han...@xs4all.nl - http://www.xs4all.nl/~hanwen