httpd-dev mailing list archives

From dean gaudet <d...@arctic.org>
Subject Re: clean_child_exit, just_die and exit
Date Fri, 28 Sep 2001 00:13:42 GMT
On 26 Sep 2001, Jeff Trawick wrote:

> @@ -2785,7 +2791,11 @@
>  static void usr1_handler(int sig)
>  {
>      if (usr1_just_die) {
> -	just_die(sig);
> +        if (alarms_blocked) {
> +            exit_after_unblock = 1;
> +            return;
> +        }
> +        ap_longjmp(die_jmpbuffer, sig);
>      }
>      deferred_die = 1;
>  }
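Review bot: the `ap_longjmp(die_jmpbuffer, sig);` branch still does more in the handler than set a flag; it transfers control out of whatever the interrupted code was in the middle of, and nothing unwinds that code's state on the way. The `alarms_blocked` branch right above it already shows the safer shape (`exit_after_unblock = 1; return;`), so consider giving the non-blocked case the same treatment: set a flag here and let the main line act on it at its next safe point. Also, every flag written in this handler and read elsewhere (`exit_after_unblock`, `deferred_die`, and the `usr1_just_die` / `alarms_blocked` it reads) should be declared `volatile sig_atomic_t` so the compiler cannot keep a stale copy in a register across the signal.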

longjmp() isn't safe either...

basically there's nothing in C that you can do safely in a signal handler
except set a global variable.

longjmp() isn't safe for the same reasons atexit() and cleanups aren't
safe in the presence of arbitrary 3rd party code:  the 3rd party code
could be in a state that would require rollback or cleanup before it's
safe to re-enter that 3rd party code.

longjmp() unrolls the stack, but in C there are no destructors or anything
else that gets called to do the unrolling, so the 3rd party code has no idea it
has occurred and can't clean up.

atexit() and cleanups can call back into the 3rd party code while its data
structures are in an unsafe state.

when i last played with the 1.3 signal handlers i just chose performance
over correctness in this case, i got tired of having to pay so many
signal() syscalls to make the thing safe.  i was hoping signals would just
go away in 2.0... but i've never helped make that happen.

when it comes right down to it, you have to say fuck it at some point.
either you die gracelessly, or the admin shoots you with a kill -9 at some
point.  if graceless death is going to happen you might as well make it
happen early rather than later.  (you've seen me argue recently that
there's no sense trying to recover from out of memory errors, this is all
part of that same argument.)

in languages with exception mechanisms you can at least do things which
cause properly written 3rd party code to not run into troubles here --
because they have the chance to catch exceptions and unroll/correct their
state.  but i still doubt anyone would get this right.

-dean
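The pattern dean is recommending, written out as an added example (this is not code from this thread or from httpd): the handler only sets `volatile sig_atomic_t` flags, a block/unblock pair defers the request the way the quoted patch's `alarms_blocked` branch does, and the main line checks the flag at a safe point, so a half-updated data structure is never abandoned. The names `usr1_handler`, `alarms_blocked`, `exit_after_unblock` and `deferred_die` are borrowed from the quoted hunk; `block_alarms`, `unblock_alarms`, `struct record`, `record_consistent` and `run_worker` are constructed for the demonstration, and `raise()` stands in for the parent sending the signal. C99 on a POSIX system.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Flags shared between the handler and the main line.  volatile sig_atomic_t
 * is the only type C promises can be written in a handler and read elsewhere
 * without tearing or a stale register copy. */
static volatile sig_atomic_t deferred_die = 0;
static volatile sig_atomic_t alarms_blocked = 0;
static volatile sig_atomic_t exit_after_unblock = 0;

/* The handler only records the request: no longjmp, no exit(), no free(),
 * no stdio.  The interrupted code may hold any of those half-updated. */
static void usr1_handler(int sig)
{
    (void)sig;
    if (alarms_blocked) {
        exit_after_unblock = 1;   /* region in progress; unblock_alarms() finishes the job */
        return;
    }
    deferred_die = 1;             /* ask the main line to stop at its next safe point */
}

int install_usr1_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = usr1_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Constructed block/unblock pair around code that must not be abandoned midway. */
void block_alarms(void) { alarms_blocked = 1; }

void unblock_alarms(void)
{
    alarms_blocked = 0;
    if (exit_after_unblock) {     /* signal arrived while blocked: promote it now */
        exit_after_unblock = 0;
        deferred_die = 1;
    }
}

/* Constructed "3rd party" structure whose invariant (sum == sum of
 * items[0..count)) is false midway through an update. */
struct record { int count; int sum; int items[64]; };

int record_consistent(const struct record *r)
{
    int s = 0;
    for (int i = 0; i < r->count; i++) s += r->items[i];
    return s == r->sum;
}

/* Run up to n updates.  At i == signal_at, SIGUSR1 is raised at the process
 * itself (constructed stand-in for the parent's kill()), either inside the
 * blocked region while the record is inconsistent (inside == 1) or between
 * updates (inside == 0).  Returns the number of updates completed before the
 * safe-point check saw deferred_die; the record is consistent on return. */
int run_worker(struct record *r, int n, int signal_at, int inside)
{
    if (n > 64) n = 64;
    deferred_die = 0;
    alarms_blocked = 0;
    exit_after_unblock = 0;
    memset(r, 0, sizeof *r);
    if (install_usr1_handler() != 0) return -1;

    int done = 0;
    for (int i = 0; i < n; i++) {
        block_alarms();
        r->items[r->count] = i + 1;
        r->sum += i + 1;                          /* invariant broken until count++ */
        if (inside && i == signal_at) raise(SIGUSR1);
        r->count++;
        unblock_alarms();
        if (!inside && i == signal_at) raise(SIGUSR1);
        done++;
        if (deferred_die) break;                  /* the safe point */
    }
    return done;
}

int main(void)
{
    struct record r;
    int done = run_worker(&r, 10, 3, 1);
    printf("completed %d updates, record %s\n", done,
           record_consistent(&r) ? "consistent" : "CORRUPT");
    return 0;
}
```

Whichever way the signal lands, the worker finishes the update it is in, observes the flag at the top of the next iteration, and stops with the record intact; the cost is that the exit is late by at most one safe-point interval, which is the trade dean describes between graceless death and having to pay for correctness.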

