Re: [PATCH] At-exit hook

[Mailer <vine24683579@gmail.com>]

On Thu, 7 Nov 2024 17:10:45 +0100
Maxime Devos <maximedevos@telenet.be> wrote:

> On Thu, 7 Nov 2024 12:23:08 +0100
> >Maxime Devos <maximedevos@telenet.be> wrote:
> >> ‘atexit’ functions are run at ‘exit’. ‘exit’ can be run from signal
> >> handlers (*). Since the hook runs Scheme code, it could do a lot of
> >> AC-unsafe things, resulting in problems.
> >> 
> >> (*) glibc documentation says ‘exit’ is AC-unsafe, but this is
> >> unsupported by POSIX AFAICT. OTOH the same applies to even ‘malloc’,
> >> so likely I’m looking in the wrong places.
> 
> >I think you meant async-signal-safe (AS-safe).  'exit' is not a-s-s and
> >cannot be called in a signal handler (for example it can flush buffers)
> >whereas '_exit' is a-s-s.  Furthermore a registered handler cannot
> >itself safely call 'exit'. […]
> 
> No, I did mean exactly what I wrote. Read the glibc documentation of ‘exit’ and you’ll see. (Likewise for the POSIX page for ‘exit’ – POSIX does not seem to restrict things to _outside_ signal handlers.)
> 
> Also, when two authorative sources (POSIX and glibc in this case) have contrary claims, then simply repeating one of those claim does not help at all, you would need to explain the cause of the discrepancy instead.
> 
> That ‘exit’ flushes buffers does not imply that ‘exit’ is async-unsafe, alternatives include buffer flushing being safe, ‘exit’ having its own implementation of flushing that is AC-safe, or ‘you may call ‘exit’ but only if no files (as in FILE*) are open’.
> 
> Best regards,
> Maxime Devos

You have lost me.  "AC-safe" means async-cancel-safe.  It is irrelevant:

1. Only three POSIX functions are async cancelation safe, namely
pthread_cancel, pthread_setcancelstate, and pthread_setcanceltype.  See
the POSIX standard of 2017 (the only one I have to hand), General
Information, paragraph 2.9.5, Async-Cancel Safety: "No other functions
in this volume of POSIX.1-2017 are required to be async-cancel-safe."
The GNU documentation says the same.

2. No one ever uses asynchronous cancelation anyway, partly because of
that.  Deferred thread cancelation at safe cancelation points is the
only cancelation used in practice.

3. AC-Safety has no bearing on the current discussion in any case.

On Async-Signal Safety, whatever you may say, 'exit' is not on the
POSIX list of async-signal-safe functions.  See the POSIX standard of
2017, General Information, paragraph 2.4.3, Signal Actions: "Any
function not in the above table may be unsafe with respect to
signals."   Do 'man 7 signal-safety', also at
https://man7.org/linux/man-pages/man7/signal-safety.7.html, to see your
implementation's list, which includes '_exit' but not 'exit' (on my
distribution), thus conforming with POSIX.

AS-Safety is probably also irrelevant because as I understand it guile
implements its own deferred signal delivery with asyncs, which may or
not permit guile's exit to be invoked in an async handler (I have never
examined it to find out).  POSIX and glibc documentation is not
authoritative on that.

Chris