On Thu, 7 Nov 2024 17:10:45 +0100
Maxime Devos <maximedevos@telenet.be> wrote:

> On Thu, 7 Nov 2024 12:23:08 +0100
> > Maxime Devos <maximedevos@telenet.be> wrote:
> >> ‘atexit’ functions are run at ‘exit’. ‘exit’ can be run from signal
> >> handlers (*). Since the hook runs Scheme code, it could do a lot of
> >> AC-unsafe things, resulting in problems.
> >>
> >> (*) glibc documentation says ‘exit’ is AC-unsafe, but this is
> >> unsupported by POSIX AFAICT. OTOH the same applies to even ‘malloc’,
> >> so likely I’m looking in the wrong places.
>
> > I think you meant async-signal-safe (AS-safe).  'exit' is not a-s-s and
> > cannot be called in a signal handler (for example it can flush buffers)
> > whereas '_exit' is a-s-s.  Furthermore a registered handler cannot
> > itself safely call 'exit'. […]
>
> No, I did mean exactly what I wrote. Read the glibc documentation of ‘exit’ and you’ll see. (Likewise for the POSIX page for ‘exit’ – POSIX does not seem to restrict things to _outside_ signal handlers.)
>
> Also, when two authoritative sources (POSIX and glibc in this case) have contrary claims, then simply repeating one of those claims does not help at all; you would need to explain the cause of the discrepancy instead.
>
> That ‘exit’ flushes buffers does not imply that ‘exit’ is async-unsafe; alternatives include buffer flushing being safe, ‘exit’ having its own implementation of flushing that is AC-safe, or ‘you may call ‘exit’ but only if no files (as in FILE*) are open’.
>
> Best regards,
> Maxime Devos


>> You have lost me.  "AC-safe" means async-cancel-safe.  It is irrelevant: […]


Right, I meant AS-unsafe (= async signal safe) (but not AS-safe).


> On Async-Signal Safety, whatever you may say, 'exit' is not on the
> POSIX list of async-signal-safe functions.  See the POSIX standard of
> 2017, General Information, paragraph 2.4.3, Signal Actions: "Any
> function not in the above table may be unsafe with respect to
> signals."   Do 'man 7 signal-safety', also at
> https://man7.org/linux/man-pages/man7/signal-safety.7.html, to see your
> implementation's list, which includes '_exit' but not 'exit' (on my
> distribution), thus conforming with POSIX.


This explains the discrepancy: POSIX confusingly separates the AS-safety information from the other documentation of the function.


> AS-Safety is probably also irrelevant because as I understand it guile
> implements its own deferred signal delivery with asyncs, which may or
> not permit guile's exit to be invoked in an async handler (I have never
> examined it to find out).  POSIX and glibc documentation is not
> authoritative on that.


I wasn’t considering guile’s exit, I was considering C’s exit, and under the assumption that it is AS-safe. Guile’s ‘exit’ procedure is irrelevant here (and IIRC doesn’t actually exist).


Guile does not block all signals or install signal handlers for everything. Hence, one of these could have a signal handler that is run as a POSIX signal handler, and (under ‘exit’ is AS-safe assumption) runs ‘exit’. Then the proposed Scheme exit hooks would be invoked, and could get in trouble (no malloc from within a signal handler, etc.).


Best regards,

Maxime Devos.
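A small C demonstration of the mechanism the thread is arguing about, added here as an illustration; it is not Guile code and not part of the mailing-list discussion. It assumes a POSIX system with fork, pipe, sigaction and SIGUSR1. Each probe forks a child that registers an atexit hook (standing in for the proposed Scheme exit hook) and then raises SIGUSR1 with one of three handlers: one that calls exit() from inside the handler, one that calls _exit(), and one that only sets a flag so that exit() is called later from normal context (the deferred-delivery shape that asyncs give Guile). The hook reports through a pipe, so the parent can see in which case the hook code ended up running from signal-handler context.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added demonstration, not Guile's code. Every probe runs in a forked child
   so that terminating it does not terminate the caller. */

enum handler_mode {
    EXIT_IN_HANDLER,            /* handler calls exit(): atexit hooks run inside the handler */
    UNDERSCORE_EXIT_IN_HANDLER, /* handler calls _exit(): async-signal-safe, hooks skipped */
    FLAG_THEN_EXIT              /* handler sets a flag; exit() is called from normal context */
};

static int report_fd = -1;                   /* pipe write end, set in the child only */
static volatile sig_atomic_t got_signal = 0;

/* Stand-in for a Scheme-level exit hook. A real hook may allocate, take
   locks or run arbitrary Scheme; this one only reports that it ran. */
static void exit_hook(void)
{
    ssize_t r = write(report_fd, "H", 1);
    (void)r;
}

static void handler_exit(int sig)            { (void)sig; exit(0); }
static void handler_underscore_exit(int sig) { (void)sig; _exit(0); }
static void handler_flag(int sig)            { (void)sig; got_signal = 1; }

/* Returns 1 if the atexit hook ran in the child, 0 if it did not, -1 on error. */
int hook_runs(enum handler_mode mode)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                          /* child */
        close(fds[0]);
        report_fd = fds[1];
        atexit(exit_hook);

        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sigemptyset(&sa.sa_mask);
        sa.sa_handler = mode == EXIT_IN_HANDLER ? handler_exit
                      : mode == UNDERSCORE_EXIT_IN_HANDLER ? handler_underscore_exit
                      : handler_flag;
        sigaction(SIGUSR1, &sa, NULL);

        raise(SIGUSR1);                      /* the handler runs before raise() returns */
        /* Only reached in FLAG_THEN_EXIT: exit() now runs outside the handler,
           so the hook executes in ordinary context. */
        if (got_signal)
            exit(0);
        _exit(99);
    }

    close(fds[1]);                           /* parent */
    char byte;
    ssize_t n = read(fds[0], &byte, 1);      /* one byte: hook ran; EOF: it did not */
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return n == 1 ? 1 : 0;
}

int main(void)
{
    printf("exit() in handler : hook ran = %d\n", hook_runs(EXIT_IN_HANDLER));
    printf("_exit() in handler: hook ran = %d\n", hook_runs(UNDERSCORE_EXIT_IN_HANDLER));
    printf("flag, then exit() : hook ran = %d\n", hook_runs(FLAG_THEN_EXIT));
    return 0;
}
```

The first probe is the case the message warns about: whatever the hook does (the write here, but malloc or locking in a real Scheme hook) happens while the signal handler is still on the stack. The second shows why the man page lists '_exit' but not 'exit': the process ends without ever reaching the hooks. The third is the shape a runtime wants, where the handler only records the event and the exit hooks run from normal context.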