The builtin primitive procedure `error` takes an optional message and
a list of arguments to include into the error message.
These args are formatted with `~S` and appended to the error message, so
that an example call of
`(error "Wrong argument: " 42)`
results in the output
"Wrong argument: 42"
If format strings occur in the message itself, however, they are
escaped. Thus a call like
`(error "Wrong argument: ~a" 42)`
is rendered as
"Wrong argument: ~a 42"
Some callers did not take this behavior into account, leading to
confusing error messages.
Changing the behavior of `error` to be
both backwards-compatible and accept also format strings inside messages
is not straightforward, because it would have to handle escaped `~`
characters as well. Therefore, fix `error` call sites using format
strings to use `format` before calling out to `error`.
The following files are affected:
* module/ice-9/format.scm (format)
* module/ice-9/r6rs-libraries.scm (resolve-r6rs-interface)
* module/oop/goops.scm (make)
* module/srfi/srfi-37.scm (Comment at the beginning of file)
* module/system/base/compile.scm (call-once)
* module/system/repl/command.scm (break, tracepoint)
* module/system/repl/common.scm (repl-default-options)
* module/system/vm/traps.scm (arg-check, trap-at-source-location)
There are a couple of further call sites that were left unchanged,
either because they are using their own `error` procedure:
* module/ice-9/read.scm
* module/ice-9/command-line.scm
or are not referenced from other modules:
* module/system/base/lalr.upstream.scm:
* module/sxml/upstream/assert.scm:
* module/sxml/sxml-match.ss:
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
This satisfies a longstanding complaint that Guile backtraces were being
truncated too much by default (72 columns), often hindering debugging.
* module/system/repl/debug.scm (default-frame-width): New variable.
(print-frames): Change default #:width value depending on whether PORT
is a tty.
* module/rnrs/io/ports.scm (call-with-port): Remove local definition.
* module/system/repl/server.scm (system): Call-with-port is imported
via (ice-9 ports).
* module/system/repl/common.scm (repl-default-options): Add
optimization-level and warning-level REPL options.
(repl-optimization-level, repl-warning-level): New accessors,
defaulting to the default level parameters.
(repl-expand): Take target language as keyword argument rather than
hard-coding tree-il.
(repl-optimize): Take target language as keyword argument. Use REPL
optimization and warning levels. Use generic lowering interface.
Fixes <https://bugs.gnu.org/39196>.
Reported by Matt Wette <matt.wette@gmail.com>.
* module/system/repl/command.scm: Augment #:autoload set of bindings.
These procedures were removed in Guile 2.2 by commit
fc7bd367ab (May 2011).
* libguile/socket.h (scm_inet_aton, scm_inet_ntoa): Remove.
* module/system/repl/server.scm (make-tcp-server-socket): Use
'inet-pton' instead of 'inet-aton'.
* doc/ref/web.texi (HTTP): Likewise in 'declare-header!' example.
* doc/ref/posix.texi (Network Address Conversion): Remove documentation
of 'inet-ntoa' and 'inet-aton'.
Reported by Christopher Allan Webber <cwebber@dustycloud.org>
Co-authored-by: Ludovic Courtès <ludo@gnu.org>
This commit adds protection to Guile's REPL servers against HTTP
inter-protocol exploitation attacks, a scenario whereby an attacker can,
via an HTML page, cause a web browser to send data to TCP servers
listening on a loopback interface or private network. See
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation> and
<https://www.jochentopf.com/hfpa/hfpa.pdf>, The HTML Form Protocol
Attack (2001) by Tochen Topf <jochen@remote.org>.
Here we add a procedure to 'before-read-hook' that looks for a possible
HTTP request-line in the first line of input from the client socket. If
present, the socket is drained and closed, and a loud warning is written
to stderr (POSIX file descriptor 2).
* module/system/repl/server.scm: Add 'maybe-check-for-http-request'
to 'before-read-hook' when this module is loaded.
(with-temporary-port-encoding, with-saved-port-line+column)
(drain-input-and-close, permissive-http-request-line?)
(check-for-http-request, guard-against-http-request)
(maybe-check-for-http-request): New procedures.
(serve-client): Use 'guard-against-http-request'.
* module/system/repl/coop-server.scm (start-repl-client): Use
'guard-against-http-request'.
* doc/ref/guile-invoke.texi (Command-line Options): In the description
of the --listen option, make the security warning more prominent.
Mention the new protection added here. Recommend using UNIX domain
sockets for REPL servers. "a path to" => "the file name of".
* libguile/dynstack.h:
* libguile/dynstack.c (scm_dynstack_find_old_fluid_value): New
function.
* libguile/fluids.c (saved_dynamic_state_ref): New helper.
(scm_fluid_ref): Fix docstring.
(scm_fluid_ref_star): New function allowing access to previous values
for a fluid.
(scm_dynamic_state_ref): New internal function.
* libguile/fluids.h: Add scm_fluid_ref_star and scm_dynamic_state_ref.
* libguile/stacks.c (scm_stack_id): Adapt to %stacks not being a chain.
* libguile/throw.c (catch, throw_without_pre_unwind): Adapt to
%exception-handlers not being a chain.
* module/ice-9/boot-9.scm (catch, dispatch-exception): Instead of having
%exception-handlers be a chain, use fluid-ref* to access the chain
that is in place at the time the exception is thrown. Prevents
unintended undelimited capture of the current exception handler stack
by a delimited "catch".
(%start-stack): Similarly, don't be a chain.
* module/system/repl/debug.scm (frame->stack-vector):
* module/system/repl/error-handling.scm (call-with-error-handling):
* module/ice-9/save-stack.scm (save-stack): Adapt to %stacks not being a
chain.
* test-suite/tests/exceptions.test ("delimited exception handlers"): Add
tests.
* doc/ref/api-control.texi (Fluids and Dynamic States): Add docs.
* doc/ref/guile.texi: Add 2016 to user-visible copyright notice.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2016.
* module/system/repl/common.scm (*version*): Add 2016 to the range of
copyright years.
* module/ice-9/command-line.scm (version-etc): Bump 'copyright-year' to
2015.
* module/system/repl/common.scm (*version*): Add 2015 to the range of
copyright years.
* module/system/repl/debug.scm (print-locals): Adapt to
frame-binding-ref change.
* module/system/vm/frame.scm (<binding>): Add `frame' field.
(available-bindings): Capture the frame.
(binding-ref, binding-set!): New functions, accessing a local variable
value directly from a frame.
(frame-binding-ref, frame-binding-set!): Remove. As these are very
low-level debugging interfaces introduced in 2.0, never documented,
and quite tied to the VM, we feel comfortable making this change.
(frame-call-representation): Adapt to available-bindings change.
(frame-environment, frame-object-binding): Adapt to binding-ref
interface change.
* doc/ref/vm.texi (Stack Layout): Mention that slots can be re-used.
Update disassembly in example.
* doc/ref/api-debug.texi (Frames): Remove documentation for
frame-local-ref, frame-local-set!, and frame-num-locals. Replace with
documentation for frame-bindings, binding accessors, and binding-ref /
binding-set!.
* libguile/frames.h (scm_frame_num_locals, scm_frame_local_ref)
(scm_frame_local_set_x): Remove. As long as we are changing the
interface in a backward-incompatible way, we might as well remove
these.
* libguile/frames.c (scm_frame_num_locals, scm_frame_local_ref)
(scm_frame_local_set_x, scm_init_frames_builtins, scm_init_frames):
Arrange to make frame-local-ref et al private to frames.scm.
* module/system/vm/frame.scm: Load scm_init_frames_builtins extensions.
(frame-instruction-pointer-or-primitive-procedure-name): New public
function.
(frame-binding-ref, frame-binding-set!): Allow binding objects as
vars.
* module/system/repl/debug.scm (print-locals): Pass binding directly to
frame-binding-ref.
* module/statprof.scm (sample-stack-procs, count-call): Use new
frame-instruction-pointer-or-primitive-procedure-name function.
* module/system/repl/debug.scm (frame->module): Remove. Has been broken
for a while, had no callers, and was calling frame-procedure. We can
revive again in a better way, like ice-9 local-eval.
* doc/ref/scheme-using.texi (Debug Commands):
* module/system/repl/command.scm (procedure): Remove REPL command.
Since there is a closure binding and we have improved the ,registers
output, this is no longer necessary and by removing it we remove
another bogus use of frame-procedure.
* module/system/repl/debug.scm (print-frame): Pass #:top-frame? #t for
the top frame.
* module/system/vm/frame.scm (available-bindings): Be permissive and
allow #:top-frame? #f even when the IP is at the start of the
function.
* libguile/frames.c (scm_frame_address, scm_frame_stack_pointer): Return
offsets instead of absolute pointers. This is robust in the presence
of stack relocation.
* module/system/repl/debug.scm (print-registers): Adapt to print sp and
fp as integers.
* module/system/repl/debug.scm (print-locals): Update to work with new
interface.
(frame->module): Update. Still doesn't work due to lack of
`program-module', though.
* module/system/vm/program.scm (make-binding, binding:name)
(binding:definition-offset, program-arity-bindings-for-ip): Remove
these.
* module/system/vm/frame.scm (<binding>): New type.
(available-bindings): Return a list of <binding> instances.
(frame-lookup-binding, frame-binding-set!, frame-binding-ref):
(frame-environment, frame-object-name): Adapt.
* libguile/gc.c (scm_oom_fn, scm_init_gc): Install an out-of-memory
handler that raises an unwind-only out-of-memory exception.
(scm_gc_warn_proc, scm_init_gc): Install a warning proc that tries to
print to the current warning port, if the current warning port is a
file port.
(scm_gc_after_nonlocal_exit): New interface. Should be called after a
nonlocal return to potentially collect memory; otherwise allocations
could try to expand again when they should collect.
* libguile/continuations.c (scm_i_make_continuation):
* libguile/eval.c (eval):
* libguile/throw.c (catch):
* libguile/vm.c (scm_call_n): Call scm_gc_after_nonlocal_exit after
nonlocal returns.
* libguile/throw.c (abort_to_prompt, throw_without_pre_unwind): Rework
to avoid allocating memory.
(scm_report_out_of_memory): New interface.
(scm_init_throw): Pre-allocate the arguments for stack-overflow and
out-of-memory errors.
* module/ice-9/boot-9.scm: Add an out-of-memory exception printer.
* module/system/repl/error-handling.scm (call-with-error-handling): Add
out-of-memory to the report-keys set.
* libguile/gc-malloc.c (scm_realloc): Call scm_report_out_of_memory if
realloc fails.
* libguile/error.h:
* libguile/error.c:
* libguile/deprecated.h:
* libguile/deprecated.c (scm_memory_error): Deprecate.
* test-suite/standalone/Makefile.am:
* test-suite/standalone/test-out-of-memory: New test case.
* module/system/repl/error-handling.scm (call-with-error-handling): Add
#:report-keys kwarg, so that unwind-only exceptions (stack-overflow in
particular) get reported.
* doc/ref/api-debug.texi (Pre-Unwind Debugging): Add documentation for
#:report-keys kwarg of call-with-error-handling.
(Stack Overflow): New subsubsection.
(Debug Options): Remove discussion of stack overflow.
Modified-by: Mark H Weaver <mhw@netris.org>
* module/system/repl/coop-server.scm: New module.
* module/system/repl/repl.scm (start-repl): Extract body to start-repl*.
(start-repl*): New procedure.
(run-repl): Extract body to run-repl*.
(run-repl*): New procedure.
* module/system/repl/server.scm (run-server): Extract body to
run-server*.
(run-server*): New procedure.
* doc/ref/api-evaluation.texi (Cooperative REPL Servers): New node.
* module/Makefile.am (SYSTEM_SOURCES): Add system/repl/coop-server.scm.
* module/system/repl/server.scm: Import (ice-9 match) and (srfi srfi-1).
(*open-sockets*): Add comment. This is now a list of pairs with a
'force-close' procedure in the cdr.
(close-socket!): Add comment noting that it is unsafe to call this
from another thread.
(add-open-socket!): Add 'force-close' argument, and put it in the cdr
of the '*open-sockets*' entry.
(stop-server-and-clients!): Use 'match'. Remove the first element
from *open-sockets* immediately. Call the 'force-close' procedure
instead of 'close-socket!'.
(errs-to-retry): New variable.
(run-server): Add a pipe, used in the 'force-close' procedure to
cleanly shut down the server. Put the server socket into non-blocking
mode. Use 'select' to monitor both the server socket and the pipe.
Don't call 'add-open-socket!' on the client-socket. Close the pipe
and the server socket cleanly when we're asked to shut down.
(serve-client): Call 'add-open-socket!' with a 'force-close' procedure
that cancels the thread. Set the thread cleanup handler to call
'close-socket!', instead of calling it in the main body.
* doc/ref/api-evaluation.texi (REPL Servers): Add a caveat to the manual
entry for 'stop-servers-and-clients!'.
* module/system/repl/server.scm (run-server): Remove case that handled
'interrupt' exceptions specially. It is no longer needed since
e6c8e6047e (REPL Server: Don't establish
a SIGINT handler.)
