diff --git a/src/doc/new-doc/extensions/index.txi b/src/doc/new-doc/extensions/index.txi index a31ff429f..5391048b0 100644 --- a/src/doc/new-doc/extensions/index.txi +++ b/src/doc/new-doc/extensions/index.txi @@ -38,8 +38,8 @@ @c @node Green Threads @c @section Green Threads -@node Signals and Interrupts -@section Signals and Interrupts +@c Signals and Interrupts +@include extensions/signals.txi @c Memory Management @include extensions/memory.txi diff --git a/src/doc/new-doc/extensions/signals.txi b/src/doc/new-doc/extensions/signals.txi new file mode 100644 index 000000000..9579fd440 --- /dev/null +++ b/src/doc/new-doc/extensions/signals.txi 
@@ -0,0 +1,134 @@ +@node Signals and Interrupts +@section Signals and Interrupts + +@node Signals and Interrupts - Problems associated to signals +@subsection Problems associated to signals +POSIX contemplates the notion of "signals", which are events that cause a process or a thread to be interrupted. Windows uses the term "exception", which includes also a more general kind of errors. + +In both cases the consequence is that a thread or process may be interrupted at any time, either by causes which are intrinsic to them (synchronous signals), such as floating point exceptions, or extrinsic (asynchronous signals), such as the process being aborted by the user. + +Of course, those interruptions are not always welcome. When the interrupt is delivered and a handler is invoked, the thread or even the whole program may be in an inconsistent state. For instance the thread may have acquired a lock, or it may be in the process of filling the fields of a structure. Furthermore, sometimes the signal that a process receives may not even be related to it, as in the case when a user presses @kbd{Cltr-C} and a @code{SIGINT} signal is delivered to an arbitrary thread, or when the process receives the Windows exception @code{CTRL_CLOSE_EVENT} denoting that the terminal window is being closed. + +Understanding this, POSIX restricts severely what functions can be called from a signal handler, thereby limiting its usefulness. However, Common Lisp users expect to be able to handle floating point exceptions and to gracefully manage user interrupts, program exits, etc. In an attempt to solve this seemingly impossible problem, ECL has taken a pragmatic approach that works, it is rather safe, but involves some work on the ECL maintainers and also on users that want to embed ECL as a library. 
+ +@node Signals and Interrupts - Kinds of signals +@subsection Kinds of signals + +@node Signals and Interrupts - Synchronous signals +@subsubsection Synchronous signals +The name derives from POSIX and it denotes interrupts that occur due to the code that a particular thread executes. They are largely equivalent to C++ and Java exceptions, and in Windows they are called "unchecked exceptions." + +Common Lisp programs may generate mostly three kinds of synchronous signals: + +@itemize +@item Floating point exceptions, that result from overflows in computations, division by zero, and so on. +@item Access violations, such as dereferencing NULL pointers, writing into regions of memory that are protected, etc. +@item Process interrupts. +@end itemize + +The first family of signals are generated by the floating point processing hardware in the computer, and they typically happen when code is compiled with low security settings, performing mathematical operations without checks. + +The second family of signals may seem rare, but unfortunately they still happen quite often. One scenario is wrong code that handles memory directly via FFI. Another one is undetected stack overflows, which typically result in access to protected memory regions. Finally, a very common cause of these kind of exceptions is invoking a function that has been compiled with very low security settings with arguments that are not of the expected type -- for instance, passing a float when a structure is expected. + +The third family is related to the multiprocessing capabilities in Common Lisp systems and more precisely to the mp:interrupt-process function which is used to kill, interrupt and inspect arbitrary threads. In POSIX systems ECL informs a given thread about the need to interrupt its execution by sending a particular signal from the set which is available to the user. + +Note that in neither of these cases we should let the signal pass unnoticed. 
Access violations and floating point exceptions may propagate through the program causing more harm than expected, and without process interrupts we will not be able to stop and cancel different threads. The only question that remains, though, is whether such signals can be handled by the thread in which they were generated and how. + +@node Signals and Interrupts - Asynchronous signals +@subsubsection Asynchronous signals +In addition to the set of synchronous signals or "exceptions", we have a set of signals that denote "events", things that happen while the program is being executed, and "requests". Some typical examples are: + +@itemize +@item Request for program termination (@code{SIGKILL}, @code{SIGTERM}). +@item Indication that a child process has finished. +@item Request for program interruption (@code{SIGINT}), typically as a consecuence of pressing a key combination, @kbd{Ctrl-C}. +@end itemize + +The important difference with synchronous signals is that we have no thread that causes the interrupt and thus there is no preferred way of handling them. Moreover, the operating system will typically dispatch these signals to an arbitrary thread, unless we set up mechanisms to prevent it. This can have nasty consequences if the incoming signal interrupt a system call, or leaves the interrupted thread in an inconsistent state. + +@node Signals and Interrupts - Signals and interrupts in ECL +@subsection Signals and interrupts in ECL +The signal handling facilities in ECL are constrained by two needs. First of all, we can not ignore the synchronous signals mentioned in @ref{Signals and Interrupts - Synchronous signals}. Second, all other signals should cause the least harm to the running threads. Third, when a signal is handled synchronously using a signal handler, the handler should do almost nothing unless we are completely sure that we are in an interruptible region, that is outside system calls, in code that ECL knows and controls. 
+ +The way in which this is solved is based on the existence of both synchronous and asynchronous signal handling code, as explained in the following two sections. + +@node Signals and Interrupts - Handling of asynchronous signals +@subsubsection Handling of asynchronous signals +In systems in which this is possible, ECL creates a signal handling thread to detect and process asynchronous signals (@xref{Signals and Interrupts - Asynchronous signals}). This thread is a trivial one and does not process the signals itself: it communicates with, or launches new signal handling threads to act accordingly to the denoted events. + +The use of a separate thread has some nice consequences. The first one is that those signals will not interrupt any sensitive code. The second one is that the signal handling thread will be able to execute arbitrary lisp or C code, since it is not being executed in a sensitive context. Most important, this style of signal handling is the recommended one by the POSIX standards, and it is the one that Windows uses. + +The installation of the signal handling thread is dictated by a boot time option, @code{ECL_OPT_SIGNAL_HANDLING_THREAD}, and it will only be possible in systems that support either POSIX or Windows threads. + +Systems which embed ECL as an extension language may wish to deactivate the signal handling thread using the previously mentioned option. If this is the case, then they should take appropriate measures to avoid interrupting the code in ECL when such signals are delivered. + +Systems which embed ECL and do not mind having a separate signal handling thread can control the set of asynchronous signals which is handled by this thread. This is done again using the appropriate boot options such as @code{ECL_OPT_TRAP_SIGINT}, @code{ECL_OPT_TRAP_SIGTERM}, etc. Note that in order to detect and handle those signals, ECL must block them from delivery to any other thread. 
This means changing the @code{sigprocmask()} in POSIX systems or setting up a custom @code{SetConsoleCtrlHandler()} in Windows. + +@node Signals and Interrupts - Handling of synchronous signals +@subsubsection Handling of synchronous signals +We have already mentioned that certain synchronous signals and exceptions can not be ignored and yet the corresponding signal handlers are not able to execute arbitrary code. To solve this seemingly impossible contradiction, ECL uses a simple solution, which is to mark the sections of code which are interruptible, and in which it is safe for the handler to run arbitrary code. All other regions would be considered "unsafe" and would be protected from signals and exceptions. + +In principle this "marking" of safe areas can be done using POSIX functions such as @code{pthread_sigmask()} or @code{sigprocmask()}. However in practice this is slow, as it involves at least a function call, resolving thread-local variables, etc, etc, and it will not work in Windows. + +Furthermore, sometimes we want signals to be detected but not to be immediately processed. For instance, when reading from the terminal we want to be able to interrupt the process, but we can not execute the code from the handler, since the C function which is used to read from the terminal, @code{read()}, may have left the input stream in an inconsistent, or even locked state. + +The approach in ECL is more lightweight: we install our own signal handler and use a thread-local variable as a flag that determines whether the thread is executing interrupt safe code or not. More precisely, if the variable @code{ecl_process_env()->disable_interrupts} is set, signals and exceptions will be postponed and then the information about the signal is queued. Otherwise the appropriate code is executed: for instance invoking the debugger, jumping to a condition handler, quitting, etc. + +Systems that embed ECL may wish to deactivate completely these signal handlers. 
This is done using the boot options, @code{ECL_OPT_TRAP_SIGFPE}, @code{ECL_OPT_TRAP_SIGSEGV}, @code{ECL_OPT_TRAP_SIGBUS}, @code{ECL_OPT_TRAP_INTERRUPT_SIGNAL}. + +Systems that embed ECL and want to allow handling of synchronous signals should take care to also trap the associated lisp conditions that may arise. This is automatically taken care of by functions such as @code{si_safe_eval()}, and in all other cases it can be solved by enclosing the unsafe code in a @code{CL_CATCH_ALL_BEGIN} frame. + + +@node Signals and Interrupts - Considerations when embedding ECL +@subsection Considerations when embedding ECL +There are several approaches when handling signals and interrupts in a program that uses ECL. One is to install your own signal handlers. This is perfectly fine, but you should respect the same restrictions as ECL. Namely, you may not execute arbitrary code from those signal handlers, and in particular it will not always be safe to execute Common Lisp code from there. + +If you want to use your own signal handlers then you should set the appropriate options before invoking @code{cl_boot()}, as explained in @code{ecl_set_option}. Note that in this case ECL will not always be able to detect floating point exceptions, specially if your compiler does not support C99 and the corresponding floating point flags. + +The other option is to let ECL handle signals itself. This would be safer when the dominant part of the code is Common Lisp, but you may need to protect the code that embeds ECL from being interrupted using either the macros @code{ecl_disable_interrupts} and @code{ecl_enable_interrupts} or the POSIX functions @code{pthread_sigmaks}and @code{sigprocmask}. + + +@node Signals and Interrupts - Signals Reference +@subsection Signals Reference + +@deffn Macro ext:with-interrupts &body body +Execute code with interrupts optionally enabled. +@subsubheading Description +Executes the given body with all interrupts enabled. 
Since interrupts are normally enabled, this macro only makes sense if there is an outer @code{ext:without-interrupts} with a corresponding @code{ext:allow-with-interrupts}: interrupts are not enabled if any outer @code{mp:without-interrupts} is not accompanied by @code{mp:allow-with-interrupts}. +@end deffn + + +@deffn Macro ext:without-interrupts &body body +Execute code without being interrupted. +@subsubheading Description +Executes the given body with all interrupts disabled. This macro is compatible with the one in SBCL and as such it also defines three other local macros @code{ext:allow-with-interrupts}, @code{ext:with-local-interrupts} and @code{ext:with-restored-interrupts}. + +Deferrable interrupts include most blockable POSIX signals, and @code{mp:interrupt-process}. Does not interfere with garbage collection, and does not inhibit scheduling of other threads. + +This macro binds @code{allow-with-interrupts}, @code{with-local-interrupts} and @code{with-restored-interrupts} as a local macros. + +@code{ext:with-restored-interrupts} executes the body with interrupts enabled if and only if the @code{ext:without-interrupts} was in an environment in which interrupts were allowed. + +@code{ext:allow-with-interrupts} allows the ext:with-interrupts to take effect during the dynamic scope of its body, unless there is an outer ext:without-interrupts without a corresponding @code{ext:allow-with-interrupts}. + +@code{ext:with-local-interrupts} executes its body with interrupts enabled provided that for there is an @code{ext:allow-with-interrupts} for every @code{ext:without-interrupts} surrounding the current one. 
@code{ext:with-local-interrupts} is equivalent to: + +@verbatim + (allow-with-interrupts (with-interrupts ...)) +@end verbatim + +Care must be taken not to let either ext:allow-with-interrupts or ext:with-local-interrupts appear in a function that escapes from inside the ext:without-interrupts in: + +@verbatim + (without-interrupts + ;; The body of the lambda would be executed with WITH-INTERRUPTS allowed + ;; regardless of the interrupt policy in effect when it is called. + (lambda () (allow-with-interrupts ...))) + + (without-interrupts + ;; The body of the lambda would be executed with interrupts enabled + ;; regardless of the interrupt policy in effect when it is called. + (lambda () (with-local-interrupts ...))) +@end verbatim + +@end deffn
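Review bot: In the index.txi hunk the replacement of `@node Signals and Interrupts` / `@section Signals and Interrupts` by `@c Signals and Interrupts` plus `@include extensions/signals.txi` follows the existing `@c Memory Management` / `@include extensions/memory.txi` pattern, and since signals.txi re-declares the same `@node Signals and Interrupts` name, existing cross references keep resolving. Please double-check that the relative include path is resolved the same way as `extensions/memory.txi` in this build, so the node is not defined twice or not at all.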
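Review bot: The `ext:with-interrupts` reference entry mixes package prefixes: its description says "interrupts are not enabled if any outer @code{mp:without-interrupts} is not accompanied by @code{mp:allow-with-interrupts}", while the macros being documented are `ext:without-interrupts` and `ext:allow-with-interrupts`; use one prefix consistently (several later mentions of ext:allow-with-interrupts and ext:with-local-interrupts are also missing `@code{}`). In "Handling of asynchronous signals", `(@xref{Signals and Interrupts - Asynchronous signals})` inside parentheses should be `@pxref`, since `@xref` is only meant to start a sentence. "Signals and interrupts in ECL" opens with "constrained by two needs" and then lists "First", "Second", "Third". Spelling: `@kbd{Cltr-C}` (elsewhere `@kbd{Ctrl-C}`), "consecuence", `@code{pthread_sigmaks}and` (missing space, should be `pthread_sigmask`), "Problems associated to signals", "these kind of exceptions", and "in neither of these cases we should" should read "in none of these cases should we". One substantive gap worth a sentence in "Handling of synchronous signals": it says that when `disable_interrupts` is set "signals and exceptions will be postponed", but a synchronous `SIGSEGV`/`SIGFPE` cannot simply be deferred, because returning from the handler re-executes the faulting instruction; the doc should say what ECL does for those in an interrupt-disabled region, since embedders relying on `ECL_OPT_TRAP_SIGSEGV` need to know whether the fault is queued or turned into an immediate error.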