Memory Safe Context Switching
- Programming
- Security
- Developer Tools
- Open Source
The post is a deep dive into why old C control-flow primitives are far more dangerous than they look. setjmp and longjmp do not just jump between functions. longjmp restores saved register state, including the stack pointer, against whatever occupies that stack region now, so jumping back after the frame that called setjmp has returned can land on junk memory. The article argues that this is a direct memory-safety problem, not just a portability footgun, and explains how Fil-C constrains these APIs so a jump can only unwind the stack in ways that preserve its capability model. It also covers ucontext and related calls as a route to fibers and user-space context switching, but through the same lens of keeping stack manipulation memory safe.
If your runtime, coroutine, or error-handling design still leans on raw setjmp/longjmp or ucontext, treat them as capability-breaking primitives and put strict invariants around them. If performance matters, plan for a custom context-switch backend rather than assuming libc’s implementation is representative.
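One way to put such an invariant around setjmp/longjmp in plain C, as an added example that is not code from the post or from Fil-C: every jump target carries a `live` flag that is set after `setjmp` returns 0 and cleared on every path that leaves the owning frame, and unwinding goes through a guard that refuses to `longjmp` to a target whose frame has already returned. The names (`jump_target`, `raise_to`, `sum_digits`, `try_stale_jump`) and the digit-parsing workload are hypothetical.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * A jump target that records whether the frame that called setjmp() is still
 * on the stack. Rule enforced here: `live` is set right after setjmp() returns
 * 0 and cleared on every path that leaves the owning frame, so a longjmp() to
 * a returned frame is refused instead of executed.
 */
struct jump_target {
    jmp_buf env;
    volatile bool live;   /* volatile: written between setjmp() and longjmp() */
};

/* Unwind to `t` with a nonzero code, but only while its frame is live.
 * Returns false (and does nothing) if the target is dead. */
static bool raise_to(struct jump_target *t, int code) {
    if (t == NULL || !t->live || code == 0) return false;
    longjmp(t->env, code);
    return false; /* not reached: longjmp() does not return */
}

/* Callee that signals failure by unwinding to the caller's checkpoint.
 * If raise_to() returns, the checkpoint was dead; report failure in-band. */
static int parse_digit(struct jump_target *t, char c) {
    if (c < '0' || c > '9') {
        raise_to(t, 1);
        return -1;
    }
    return c - '0';
}

/* Sum the digits of `s`; -1 if any character is not a digit. The checkpoint
 * lives in this frame and is invalidated before the frame returns. */
int sum_digits(const char *s) {
    struct jump_target t;
    volatile int sum = 0;            /* modified after setjmp(), so volatile */
    const char *volatile p = s;      /* same reason */

    if (setjmp(t.env) != 0) {        /* landed here via raise_to() */
        t.live = false;
        return -1;
    }
    t.live = true;
    for (; *p; p++) {
        int d = parse_digit(&t, *p);
        if (d < 0) { t.live = false; return -1; }
        sum += d;
    }
    t.live = false;                  /* no longjmp may target this frame past here */
    return sum;
}

/* The classic hazard: a checkpoint stored outside the frame that created it.
 * Once checkpoint_then_return() returns, the frame that `env` describes is gone. */
static struct jump_target g_checkpoint;

static int checkpoint_then_return(void) {
    if (setjmp(g_checkpoint.env) != 0) return -1;
    g_checkpoint.live = true;
    /* ... work that may legitimately raise_to(&g_checkpoint, ...) ... */
    g_checkpoint.live = false;       /* frame is about to return: invalidate */
    return 0;
}

/* Returns false: the jump to the stale checkpoint is refused. Without the
 * guard, longjmp() here would resume execution in a frame that no longer
 * exists, which is the undefined behaviour the post describes. */
bool try_stale_jump(void) {
    checkpoint_then_return();
    return raise_to(&g_checkpoint, 1);
}

int main(void) {
    printf("sum_digits(\"123\") = %d\n", sum_digits("123"));
    printf("sum_digits(\"1a3\") = %d\n", sum_digits("1a3"));
    printf("try_stale_jump() = %d\n", try_stale_jump());
    return 0;
}
```

The guard only catches the "frame already returned" case; it does not make longjmp safe across a frame that was popped and re-occupied by a different function with its own `jump_target` at the same address, which is exactly the gap that a capability-aware runtime like the one the post describes closes at the language level rather than by convention.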
- fil-c.org
- Discuss on HN