Gain control of macro namespace visibility

[khwilliamson]

This p.r. undefines all macros that are visible to XS code but shouldn't be. This stops macro namespace pollution by perl.

It works by changing embed.h to have two modes, controlled by a #ifdef that is set by perl.h. perl.h now #includes embed.h twice. The first time works as it always has. The second sets the #ifdef, and causes embed.h to #undef the macros that shouldn't be visible. This call is just before perl.h returns to its includer, so that these macros have come and gone before the file that #included perl.h is affected by them.

The list of macros is determined by the visibility given by the apidoc lines documenting them, and by painstaking experiments with our test suite. Those experiments, and some manual inspection, have produced three long lists of items beyond what the apidoc lines currently give.

One list is for items that the re extension to Perl requires.

A second list is for items that other Perl extensions require.

The third list is for items that at least one module shipped with perl requires (or that I know something on CPAN requires) even though the items aren't marked as being visible. There are over 700 items on this list. And smoking cpan with this will add others.

The experiments were done automatically, and I have not manually done much manual inspection.

I have wanted this ability to happen for a long time; and now things have come together to enable it.

This allows us to have a clear-cut boundary with CPAN.

It means you can add macros that have internal-only use without having to worry about making them likely not to clash with user names.

It shows precisely what our names are that are visible to CPAN, and we can change some of them to be less likely to clash.

• This set of changes requires a perldelta entry, and I need help writing it.

[jkeenan]

This p.r. undefines all macros that are visible to XS code but shouldn't be. This stops macro namespace pollution by perl.

Can you cite some examples of where "we" (Perl programmers in general, or, at a minimum, CPAN authors) have gotten into trouble with this?

[jkeenan]

CI tests on Windows are failing. One aspect of these failures is that where we are expecting an escaped backslash (\\) in a statement's output, we're not getting even an unescaped slash.

[khwilliamson]

Getting control of our boundaries is a big deal. That's why we have EXPORT in perl code.

In the past, we've run into trouble with people using interfaces that weren't supposed to be public, and then complaining if we changed them. The first big step to controlling that that I can think of is @xenu adding the ability to restrict visibility of non-public functions. I fairly recently extended that to functions that are visible to perl extensions, though I think there are bypasses to that if someone really wants to. This step extends this to macros. Again, a determined programmer can defeat these. But it's harder to do.

But we have willy-nilly created symbols that infringe on the XS writer's name space. Writers have had to work around this at times. There are modules that people can load that try to undo this. This p.r. has us undoing much of that intrusion.
See https://stackoverflow.com/questions/22903542/what-is-namespace-pollution.

A recent example of a minor issue is #23614 (comment)
This p.r. causes that to be a non-issue, for the moment anyway.

We as a project need to have a discussion about what sorts of symbols can intrude. I have always operated under the assumption that we could reserve symbols ending in an underscore for our use. I don't know where I got that idea; probably because others who preceded me had made that assumption. But this needs to be clarified.,

This p.r. brings out into the open for examination just what macros are visible to XS writers.

[tonycoz]

A recent example of a minor issue is #23614 (comment)
This p.r. causes that to be a non-issue, for the moment anyway.

It doesn't.

Setting PERL_DO_UNDEFS makes the perl API essentially unusable.

As a quick example it undefs SvSetSV_and(), which is used by the API SvSetSV() and SvSetMagicSV() macros.

It also undefs many flag check macros and accessors that are API (even if not in embed.fnc) and are accessible as functions, eg CVf_METHOD, most CV flag checks, GvIOn(),

My complaint in the above comment was that the o1_ and type1_ macros are too short and too global, which could be fixed by making OpTYPE_set() an inline function as @Leont suggested, or as I described in that comment. This change nukes from orbit.

[khwilliamson]

This p.r. causes that to be a non-issue, for the moment anyway.

It doesn't.

What I meant is that this p.r. undefines that symbol, so it is not visible to the outside world. And if someone tried to use the macro that needs this symbol, it wouldn't compile. This would alert us to the problem. Whether or not this is a good enough symbol name is outside the scope of this p.r., so the discussion about that should be elsewhere, and yes it does need to be discussed and resolved.

And if this p.r. were to be merged as-is, the API would be unusable. I'm sorry if it came across that that is what I expected to happen. The essence of this p.r., without the individual elements, is to gain control of what we expose to the XS writer's name space. I strongly believe that this is something we should do, and I have wanted to have it done for a long time. Maybe I should have labelled this as a POC.

The code added here looks for symbols that are exposed to the XS namespace that we don't document as existing, and symbols whose names are definitely reserved for perl's use. It undefs the rest unless they are on one of the exception lists. The exception lists could be expanded to include everything it finds, causing nothing to be undefined., Then nothing would break, but new phantom symbols that get created would be caught and have to be resolved.

This is how we've done similar things in the past, diag.t is to keep people from adding undocumented messages to new code, but has an exception list so that it could go into blead without breaking things. That list has been whittled down over time.

And we can look through that list all in one place and see if there are symbols that need to be exposed as a consequence of some other macro using them, but whose names are such that they should be changed to avoid potential conflicts.

And it means that I don't have to be so careful in creating symbols inside headers that are not going to be used outside; as they will get automatically undefined.

[tonycoz]

OpTYPE_set() was moved to op.h and isn't guarded by PERL_CORE. I know @leonerd uses it, (example) but he also defines it if not present. So I think the intent was to make it public, which would require the o1_ and type1_ macros to be public.

There are many other names that seem to me at first glance shouldn't be undefined by default:

• AMGf_* - used by the amagic_call(), try_amagic_bin(), try_amagic_un(), tryAMAGICun_MG() or tryAMAGICbin_MG() API.
• [ap]THX[aox]_? - are for backward compatibility for old XS
• the FEATURE related macros are only defined if you #include feature.h, which isn't done by default.
• the case_*_SBOX32 names should probably by undefined in sbox32_hash.h
• cBINOP*, cCOP, cGVOP*, cLISTOP, cLOOP, cLOGOP, cMETHOD* and many other c[A-Z]* are API I think (usable by custom ops)
• Cv* are all API I think
• CX_* are API, see perl5240delta

(up to "C")