(libc.info.gz) Other Safety Remarks

Info Catalog (libc.info.gz) Conditionally Safe Features (libc.info.gz) POSIX
 
 1.2.2.4 Other Safety Remarks
 ............................
 
 Additional keywords may be attached to functions, indicating features
 that do not make a function unsafe to call, but that may need to be
 taken into account in certain classes of programs:
 
    * 'locale'
 
      Functions annotated with 'locale' as an MT-Safety issue read from
      the locale object without any form of synchronization.  Functions
      annotated with 'locale' called concurrently with locale changes may
      behave in ways that do not correspond to any of the locales active
      during their execution, but an unpredictable mix thereof.
 
      We do not mark these functions as MT- or AS-Unsafe, however,
      because functions that modify the locale object are marked with
      'const:locale' and regarded as unsafe.  Being unsafe, the latter
      are not to be called when multiple threads are running or
      asynchronous signals are enabled, and so the locale can be
      considered effectively constant in these contexts, which makes the
      former safe.
 
    * 'env'
 
      Functions marked with 'env' as an MT-Safety issue access the
      environment with 'getenv' or similar, without any guards to ensure
      safety in the presence of concurrent modifications.
 
      We do not mark these functions as MT- or AS-Unsafe, however,
      because functions that modify the environment are all marked with
      'const:env' and regarded as unsafe.  Being unsafe, the latter are
      not to be called when multiple threads are running or asynchronous
      signals are enabled, and so the environment can be considered
      effectively constant in these contexts, which makes the former
      safe.
 
    * 'hostid'
 
      The function marked with 'hostid' as an MT-Safety issue reads from
      the system-wide data structures that hold the "host ID" of the
      machine.  These data structures cannot generally be modified
      atomically.  Since it is expected that the "host ID" will not
      normally change, the function that reads from it ('gethostid') is
      regarded as safe, whereas the function that modifies it
      ('sethostid') is marked with 'const:hostid', indicating it may
      require special care if it is to be called.  In this specific case,
      the special care amounts to system-wide (not merely intra-process)
      coordination.
 
    * 'sigintr'
 
      Functions marked with 'sigintr' as an MT-Safety issue access the
      '_sigintr' internal data structure without any guards to ensure
      safety in the presence of concurrent modifications.
 
      We do not mark these functions as MT- or AS-Unsafe, however,
      because functions that modify the this data structure are all
      marked with 'const:sigintr' and regarded as unsafe.  Being unsafe,
      the latter are not to be called when multiple threads are running
      or asynchronous signals are enabled, and so the data structure can
      be considered effectively constant in these contexts, which makes
      the former safe.
 
    * 'fd'
 
      Functions annotated with 'fd' as an AC-Safety issue may leak file
      descriptors if asynchronous thread cancellation interrupts their
      execution.
 
      Functions that allocate or deallocate file descriptors will
      generally be marked as such.  Even if they attempted to protect the
      file descriptor allocation and deallocation with cleanup regions,
      allocating a new descriptor and storing its number where the
      cleanup region could release it cannot be performed as a single
      atomic operation.  Similarly, releasing the descriptor and taking
      it out of the data structure normally responsible for releasing it
      cannot be performed atomically.  There will always be a window in
      which the descriptor cannot be released because it was not stored
      in the cleanup handler argument yet, or it was already taken out
      before releasing it.  It cannot be taken out after release: an open
      descriptor could mean either that the descriptor still has to be
      closed, or that it already did so but the descriptor was
      reallocated by another thread or signal handler.
 
      Such leaks could be internally avoided, with some performance
      penalty, by temporarily disabling asynchronous thread cancellation.
      However, since callers of allocation or deallocation functions
      would have to do this themselves, to avoid the same sort of leak in
      their own layer, it makes more sense for the library to assume they
      are taking care of it than to impose a performance penalty that is
      redundant when the problem is solved in upper layers, and
      insufficient when it is not.
 
      This remark by itself does not cause a function to be regarded as
      AC-Unsafe.  However, cumulative effects of such leaks may pose a
      problem for some programs.  If this is the case, suspending
      asynchronous cancellation for the duration of calls to such
      functions is recommended.
 
    * 'mem'
 
      Functions annotated with 'mem' as an AC-Safety issue may leak
      memory if asynchronous thread cancellation interrupts their
      execution.
 
      The problem is similar to that of file descriptors: there is no
      atomic interface to allocate memory and store its address in the
      argument to a cleanup handler, or to release it and remove its
      address from that argument, without at least temporarily disabling
      asynchronous cancellation, which these functions do not do.
 
      This remark does not by itself cause a function to be regarded as
      generally AC-Unsafe.  However, cumulative effects of such leaks may
      be severe enough for some programs that disabling asynchronous
      cancellation for the duration of calls to such functions may be
      required.
 
    * 'cwd'
 
      Functions marked with 'cwd' as an MT-Safety issue may temporarily
      change the current working directory during their execution, which
      may cause relative pathnames to be resolved in unexpected ways in
      other threads or within asynchronous signal or cancellation
      handlers.
 
      This is not enough of a reason to mark so-marked functions as MT-
      or AS-Unsafe, but when this behavior is optional (e.g., 'nftw' with
      'FTW_CHDIR'), avoiding the option may be a good alternative to
      using full pathnames or file descriptor-relative (e.g.  'openat')
      system calls.
 
    * '!posix'
 
      This remark, as an MT-, AS- or AC-Safety note to a function,
      indicates the safety status of the function is known to differ from
      the specified status in the POSIX standard.  For example, POSIX
      does not require a function to be Safe, but our implementation is,
      or vice-versa.
 
      For the time being, the absence of this remark does not imply the
      safety properties we documented are identical to those mandated by
      POSIX for the corresponding functions.
 
    * ':identifier'
 
      Annotations may sometimes be followed by identifiers, intended to
      group several functions that e.g.  access the data structures in an
      unsafe way, as in 'race' and 'const', or to provide more specific
      information, such as naming a signal in a function marked with
      'sig'.  It is envisioned that it may be applied to 'lock' and
      'corrupt' as well in the future.
 
      In most cases, the identifier will name a set of functions, but it
      may name global objects or function arguments, or identifiable
      properties or logical components associated with them, with a
      notation such as e.g.  ':buf(arg)' to denote a buffer associated
      with the argument ARG, or ':tcattr(fd)' to denote the terminal
      attributes of a file descriptor FD.
 
      The most common use for identifiers is to provide logical groups of
      functions and arguments that need to be protected by the same
      synchronization primitive in order to ensure safe operation in a
      given context.
 
    * '/condition'
 
      Some safety annotations may be conditional, in that they only apply
      if a boolean expression involving arguments, global variables or
      even the underlying kernel evaluates evaluates to true.  Such
      conditions as '/hurd' or '/!linux!bsd' indicate the preceding
      marker only applies when the underlying kernel is the HURD, or when
      it is neither Linux nor a BSD kernel, respectively.  '/!ps' and
      '/one_per_line' indicate the preceding marker only applies when
      argument PS is NULL, or global variable ONE_PER_LINE is nonzero.
 
      When all marks that render a function unsafe are adorned with such
      conditions, and none of the named conditions hold, then the
      function can be regarded as safe.
 
Info Catalog (libc.info.gz) Conditionally Safe Features (libc.info.gz) POSIX
automatically generated by info2html