@node Introduction, Error Reporting, Top, Top @chapter Introduction @c %MENU% Purpose of the GNU C Library The C language provides no built-in facilities for performing such common operations as input/output, memory management, string manipulation, and the like. Instead, these facilities are defined in a standard @dfn{library}, which you compile and link with your programs. @cindex library @Theglibc{}, described in this document, defines all of the library functions that are specified by the @w{ISO C} standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to @gnusystems{}. The purpose of this manual is to tell you how to use the facilities of @theglibc{}. We have mentioned which features belong to which standards to help you identify things that are potentially non-portable to other systems. But the emphasis in this manual is not on strict portability. @menu * Getting Started:: What this manual is for and how to use it. * Standards and Portability:: Standards and sources upon which the GNU C library is based. * Using the Library:: Some practical uses for the library. * Roadmap to the Manual:: Overview of the remaining chapters in this manual. @end menu @node Getting Started, Standards and Portability, , Introduction @section Getting Started This manual is written with the assumption that you are at least somewhat familiar with the C programming language and basic programming concepts. Specifically, familiarity with ISO standard C (@pxref{ISO C}), rather than ``traditional'' pre-ISO C dialects, is assumed. @Theglibc{} includes several @dfn{header files}, each of which provides definitions and declarations for a group of related facilities; this information is used by the C compiler when processing your program. For example, the header file @file{stdio.h} declares facilities for performing input and output, and the header file @file{string.h} declares string processing utilities. The organization of this manual generally follows the same division as the header files. If you are reading this manual for the first time, you should read all of the introductory material and skim the remaining chapters. There are a @emph{lot} of functions in @theglibc{} and it's not realistic to expect that you will be able to remember exactly @emph{how} to use each and every one of them. It's more important to become generally familiar with the kinds of facilities that the library provides, so that when you are writing your programs you can recognize @emph{when} to make use of library functions, and @emph{where} in this manual you can find more specific information about them. @node Standards and Portability, Using the Library, Getting Started, Introduction @section Standards and Portability @cindex standards This section discusses the various standards and other sources that @theglibc{} is based upon. These sources include the @w{ISO C} and POSIX standards, and the System V and Berkeley Unix implementations. The primary focus of this manual is to tell you how to make effective use of the @glibcadj{} facilities. But if you are concerned about making your programs compatible with these standards, or portable to operating systems other than GNU, this can affect how you use the library. This section gives you an overview of these standards, so that you will know what they are when they are mentioned in other parts of the manual. @xref{Library Summary}, for an alphabetical list of the functions and other symbols provided by the library. This list also states which standards each function or symbol comes from. @menu * ISO C:: The international standard for the C programming language. * POSIX:: The ISO/IEC 9945 (aka IEEE 1003) standards for operating systems. * Berkeley Unix:: BSD and SunOS. * SVID:: The System V Interface Description. * XPG:: The X/Open Portability Guide. @end menu @node ISO C, POSIX, , Standards and Portability @subsection ISO C @cindex ISO C @Theglibc{} is compatible with the C standard adopted by the American National Standards Institute (ANSI): @cite{American National Standard X3.159-1989---``ANSI C''} and later by the International Standardization Organization (ISO): @cite{ISO/IEC 9899:1990, ``Programming languages---C''}. We here refer to the standard as @w{ISO C} since this is the more general standard in respect of ratification. The header files and library facilities that make up @theglibc{} are a superset of those specified by the @w{ISO C} standard.@refill @pindex gcc If you are concerned about strict adherence to the @w{ISO C} standard, you should use the @samp{-ansi} option when you compile your programs with the GNU C compiler. This tells the compiler to define @emph{only} ISO standard features from the library header files, unless you explicitly ask for additional features. @xref{Feature Test Macros}, for information on how to do this. Being able to restrict the library to include only @w{ISO C} features is important because @w{ISO C} puts limitations on what names can be defined by the library implementation, and the GNU extensions don't fit these limitations. @xref{Reserved Names}, for more information about these restrictions. This manual does not attempt to give you complete details on the differences between @w{ISO C} and older dialects. It gives advice on how to write programs to work portably under multiple C dialects, but does not aim for completeness. @node POSIX, Berkeley Unix, ISO C, Standards and Portability @subsection POSIX (The Portable Operating System Interface) @cindex POSIX @cindex POSIX.1 @cindex IEEE Std 1003.1 @cindex ISO/IEC 9945-1 @cindex POSIX.2 @cindex IEEE Std 1003.2 @cindex ISO/IEC 9945-2 @Theglibc{} is also compatible with the ISO @dfn{POSIX} family of standards, known more formally as the @dfn{Portable Operating System Interface for Computer Environments} (ISO/IEC 9945). They were also published as ANSI/IEEE Std 1003. POSIX is derived mostly from various versions of the Unix operating system. The library facilities specified by the POSIX standards are a superset of those required by @w{ISO C}; POSIX specifies additional features for @w{ISO C} functions, as well as specifying new additional functions. In general, the additional requirements and functionality defined by the POSIX standards are aimed at providing lower-level support for a particular kind of operating system environment, rather than general programming language support which can run in many diverse operating system environments.@refill @Theglibc{} implements all of the functions specified in @cite{ISO/IEC 9945-1:1996, the POSIX System Application Program Interface}, commonly referred to as POSIX.1. The primary extensions to the @w{ISO C} facilities specified by this standard include file system interface primitives (@pxref{File System Interface}), device-specific terminal control functions (@pxref{Low-Level Terminal Interface}), and process control functions (@pxref{Processes}). Some facilities from @cite{ISO/IEC 9945-2:1993, the POSIX Shell and Utilities standard} (POSIX.2) are also implemented in @theglibc{}. These include utilities for dealing with regular expressions and other pattern matching facilities (@pxref{Pattern Matching}). @menu * POSIX Safety Concepts:: Safety concepts from POSIX. * Unsafe Features:: Features that make functions unsafe. * Conditionally Safe Features:: Features that make functions unsafe in the absence of workarounds. * Other Safety Remarks:: Additional safety features and remarks. @end menu @comment Roland sez: @comment The GNU C library as it stands conforms to 1003.2 draft 11, which @comment specifies: @comment @comment Several new macros in . @comment popen, pclose @comment (which is not yet fully implemented--wait on this) @comment fnmatch @comment getopt @comment @comment (not yet implemented) @comment confstr @node POSIX Safety Concepts, Unsafe Features, , POSIX @subsubsection POSIX Safety Concepts @cindex POSIX Safety Concepts This manual documents various safety properties of @glibcadj{} functions, in lines that follow their prototypes and look like: @sampsafety{@prelim{}@mtsafe{}@assafe{}@acsafe{}} The properties are assessed according to the criteria set forth in the POSIX standard for such safety contexts as Thread-, Async-Signal- and Async-Cancel- -Safety. Intuitive definitions of these properties, attempting to capture the meaning of the standard definitions, follow. @itemize @bullet @item @cindex MT-Safe @cindex Thread-Safe @code{MT-Safe} or Thread-Safe functions are safe to call in the presence of other threads. MT, in MT-Safe, stands for Multi Thread. Being MT-Safe does not imply a function is atomic, nor that it uses any of the memory synchronization mechanisms POSIX exposes to users. It is even possible that calling MT-Safe functions in sequence does not yield an MT-Safe combination. For example, having a thread call two MT-Safe functions one right after the other does not guarantee behavior equivalent to atomic execution of a combination of both functions, since concurrent calls in other threads may interfere in a destructive way. Whole-program optimizations that could inline functions across library interfaces may expose unsafe reordering, and so performing inlining across the @glibcadj{} interface is not recommended. The documented MT-Safety status is not guaranteed under whole-program optimization. However, functions defined in user-visible headers are designed to be safe for inlining. @item @cindex AS-Safe @cindex Async-Signal-Safe @code{AS-Safe} or Async-Signal-Safe functions are safe to call from asynchronous signal handlers. AS, in AS-Safe, stands for Asynchronous Signal. Many functions that are AS-Safe may set @code{errno}, or modify the floating-point environment, because their doing so does not make them unsuitable for use in signal handlers. However, programs could misbehave should asynchronous signal handlers modify this thread-local state, and the signal handling machinery cannot be counted on to preserve it. Therefore, signal handlers that call functions that may set @code{errno} or modify the floating-point environment @emph{must} save their original values, and restore them before returning. @item @cindex AC-Safe @cindex Async-Cancel-Safe @code{AC-Safe} or Async-Cancel-Safe functions are safe to call when asynchronous cancellation is enabled. AC in AC-Safe stands for Asynchronous Cancellation. The POSIX standard defines only three functions to be AC-Safe, namely @code{pthread_cancel}, @code{pthread_setcancelstate}, and @code{pthread_setcanceltype}. At present @theglibc{} provides no guarantees beyond these three functions, but does document which functions are presently AC-Safe. This documentation is provided for use by @theglibc{} developers. Just like signal handlers, cancellation cleanup routines must configure the floating point environment they require. The routines cannot assume a floating point environment, particularly when asynchronous cancellation is enabled. If the configuration of the floating point environment cannot be performed atomically then it is also possible that the environment encountered is internally inconsistent. @item @cindex MT-Unsafe @cindex Thread-Unsafe @cindex AS-Unsafe @cindex Async-Signal-Unsafe @cindex AC-Unsafe @cindex Async-Cancel-Unsafe @code{MT-Unsafe}, @code{AS-Unsafe}, @code{AC-Unsafe} functions are not safe to call within the safety contexts described above. Calling them within such contexts invokes undefined behavior. Functions not explicitly documented as safe in a safety context should be regarded as Unsafe. @item @cindex Preliminary @code{Preliminary} safety properties are documented, indicating these properties may @emph{not} be counted on in future releases of @theglibc{}. Such preliminary properties are the result of an assessment of the properties of our current implementation, rather than of what is mandated and permitted by current and future standards. Although we strive to abide by the standards, in some cases our implementation is safe even when the standard does not demand safety, and in other cases our implementation does not meet the standard safety requirements. The latter are most likely bugs; the former, when marked as @code{Preliminary}, should not be counted on: future standards may require changes that are not compatible with the additional safety properties afforded by the current implementation. Furthermore, the POSIX standard does not offer a detailed definition of safety. We assume that, by ``safe to call'', POSIX means that, as long as the program does not invoke undefined behavior, the ``safe to call'' function behaves as specified, and does not cause other functions to deviate from their specified behavior. We have chosen to use its loose definitions of safety, not because they are the best definitions to use, but because choosing them harmonizes this manual with POSIX. Please keep in mind that these are preliminary definitions and annotations, and certain aspects of the definitions are still under discussion and might be subject to clarification or change. Over time, we envision evolving the preliminary safety notes into stable commitments, as stable as those of our interfaces. As we do, we will remove the @code{Preliminary} keyword from safety notes. As long as the keyword remains, however, they are not to be regarded as a promise of future behavior. @end itemize Other keywords that appear in safety notes are defined in subsequent sections. @node Unsafe Features, Conditionally Safe Features, POSIX Safety Concepts, POSIX @subsubsection Unsafe Features @cindex Unsafe Features Functions that are unsafe to call in certain contexts are annotated with keywords that document their features that make them unsafe to call. AS-Unsafe features in this section indicate the functions are never safe to call when asynchronous signals are enabled. AC-Unsafe features indicate they are never safe to call when asynchronous cancellation is enabled. There are no MT-Unsafe marks in this section. @itemize @bullet @item @code{lock} @cindex lock Functions marked with @code{lock} as an AS-Unsafe feature may be interrupted by a signal while holding a non-recursive lock. If the signal handler calls another such function that takes the same lock, the result is a deadlock. Functions annotated with @code{lock} as an AC-Unsafe feature may, if cancelled asynchronously, fail to release a lock that would have been released if their execution had not been interrupted by asynchronous thread cancellation. Once a lock is left taken, attempts to take that lock will block indefinitely. @item @code{corrupt} @cindex corrupt Functions marked with @code{corrupt} as an AS-Unsafe feature may corrupt data structures and misbehave when they interrupt, or are interrupted by, another such function. Unlike functions marked with @code{lock}, these take recursive locks to avoid MT-Safety problems, but this is not enough to stop a signal handler from observing a partially-updated data structure. Further corruption may arise from the interrupted function's failure to notice updates made by signal handlers. Functions marked with @code{corrupt} as an AC-Unsafe feature may leave data structures in a corrupt, partially updated state. Subsequent uses of the data structure may misbehave. @c A special case, probably not worth documenting separately, involves @c reallocing, or even freeing pointers. Any case involving free could @c be easily turned into an ac-safe leak by resetting the pointer before @c releasing it; I don't think we have any case that calls for this sort @c of fixing. Fixing the realloc cases would require a new interface: @c instead of @code{ptr=realloc(ptr,size)} we'd have to introduce @c @code{acsafe_realloc(&ptr,size)} that would modify ptr before @c releasing the old memory. The ac-unsafe realloc could be implemented @c in terms of an internal interface with this semantics (say @c __acsafe_realloc), but since realloc can be overridden, the function @c we call to implement realloc should not be this internal interface, @c but another internal interface that calls __acsafe_realloc if realloc @c was not overridden, and calls the overridden realloc with async @c cancel disabled. --lxoliva @item @code{heap} @cindex heap Functions marked with @code{heap} may call heap memory management functions from the @code{malloc}/@code{free} family of functions and are only as safe as those functions. This note is thus equivalent to: @sampsafety{@asunsafe{@asulock{}}@acunsafe{@aculock{} @acsfd{} @acsmem{}}} @c Check for cases that should have used plugin instead of or in @c addition to this. Then, after rechecking gettext, adjust i18n if @c needed. @item @code{dlopen} @cindex dlopen Functions marked with @code{dlopen} use the dynamic loader to load shared libraries into the current execution image. This involves opening files, mapping them into memory, allocating additional memory, resolving symbols, applying relocations and more, all of this while holding internal dynamic loader locks. The locks are enough for these functions to be AS- and AC-Unsafe, but other issues may arise. At present this is a placeholder for all potential safety issues raised by @code{dlopen}. @c dlopen runs init and fini sections of the module; does this mean @c dlopen always implies plugin? @item @code{plugin} @cindex plugin Functions annotated with @code{plugin} may run code from plugins that may be external to @theglibc{}. Such plugin functions are assumed to be MT-Safe, AS-Unsafe and AC-Unsafe. Examples of such plugins are stack @cindex NSS unwinding libraries, name service switch (NSS) and character set @cindex iconv conversion (iconv) back-ends. Although the plugins mentioned as examples are all brought in by means of dlopen, the @code{plugin} keyword does not imply any direct involvement of the dynamic loader or the @code{libdl} interfaces, those are covered by @code{dlopen}. For example, if one function loads a module and finds the addresses of some of its functions, while another just calls those already-resolved functions, the former will be marked with @code{dlopen}, whereas the latter will get the @code{plugin}. When a single function takes all of these actions, then it gets both marks. @item @code{i18n} @cindex i18n Functions marked with @code{i18n} may call internationalization functions of the @code{gettext} family and will be only as safe as those functions. This note is thus equivalent to: @sampsafety{@mtsafe{@mtsenv{}}@asunsafe{@asucorrupt{} @ascuheap{} @ascudlopen{}}@acunsafe{@acucorrupt{}}} @item @code{timer} @cindex timer Functions marked with @code{timer} use the @code{alarm} function or similar to set a time-out for a system call or a long-running operation. In a multi-threaded program, there is a risk that the time-out signal will be delivered to a different thread, thus failing to interrupt the intended thread. Besides being MT-Unsafe, such functions are always AS-Unsafe, because calling them in signal handlers may interfere with timers set in the interrupted code, and AC-Unsafe, because there is no safe way to guarantee an earlier timer will be reset in case of asynchronous cancellation. @end itemize @node Conditionally Safe Features, Other Safety Remarks, Unsafe Features, POSIX @subsubsection Conditionally Safe Features @cindex Conditionally Safe Features For some features that make functions unsafe to call in certain contexts, there are known ways to avoid the safety problem other than refraining from calling the function altogether. The keywords that follow refer to such features, and each of their definitions indicate how the whole program needs to be constrained in order to remove the safety problem indicated by the keyword. Only when all the reasons that make a function unsafe are observed and addressed, by applying the documented constraints, does the function become safe to call in a context. @itemize @bullet @item @code{init} @cindex init Functions marked with @code{init} as an MT-Unsafe feature perform MT-Unsafe initialization when they are first called. Calling such a function at least once in single-threaded mode removes this specific cause for the function to be regarded as MT-Unsafe. If no other cause for that remains, the function can then be safely called after other threads are started. Functions marked with @code{init} as an AS- or AC-Unsafe feature use the internal @code{libc_once} machinery or similar to initialize internal data structures. If a signal handler interrupts such an initializer, and calls any function that also performs @code{libc_once} initialization, it will deadlock if the thread library has been loaded. Furthermore, if an initializer is partially complete before it is canceled or interrupted by a signal whose handler requires the same initialization, some or all of the initialization may be performed more than once, leaking resources or even resulting in corrupt internal data. Applications that need to call functions marked with @code{init} as an AS- or AC-Unsafe feature should ensure the initialization is performed before configuring signal handlers or enabling cancellation, so that the AS- and AC-Safety issues related with @code{libc_once} do not arise. @c We may have to extend the annotations to cover conditions in which @c initialization may or may not occur, since an initial call in a safe @c context is no use if the initialization doesn't take place at that @c time: it doesn't remove the risk for later calls. @item @code{race} @cindex race Functions annotated with @code{race} as an MT-Safety issue operate on objects in ways that may cause data races or similar forms of destructive interference out of concurrent execution. In some cases, the objects are passed to the functions by users; in others, they are used by the functions to return values to users; in others, they are not even exposed to users. We consider access to objects passed as (indirect) arguments to functions to be data race free. The assurance of data race free objects is the caller's responsibility. We will not mark a function as MT-Unsafe or AS-Unsafe if it misbehaves when users fail to take the measures required by POSIX to avoid data races when dealing with such objects. As a general rule, if a function is documented as reading from an object passed (by reference) to it, or modifying it, users ought to use memory synchronization primitives to avoid data races just as they would should they perform the accesses themselves rather than by calling the library function. @code{FILE} streams are the exception to the general rule, in that POSIX mandates the library to guard against data races in many functions that manipulate objects of this specific opaque type. We regard this as a convenience provided to users, rather than as a general requirement whose expectations should extend to other types. In order to remind users that guarding certain arguments is their responsibility, we will annotate functions that take objects of certain types as arguments. We draw the line for objects passed by users as follows: objects whose types are exposed to users, and that users are expected to access directly, such as memory buffers, strings, and various user-visible @code{struct} types, do @emph{not} give reason for functions to be annotated with @code{race}. It would be noisy and redundant with the general requirement, and not many would be surprised by the library's lack of internal guards when accessing objects that can be accessed directly by users. As for objects that are opaque or opaque-like, in that they are to be manipulated only by passing them to library functions (e.g., @code{FILE}, @code{DIR}, @code{obstack}, @code{iconv_t}), there might be additional expectations as to internal coordination of access by the library. We will annotate, with @code{race} followed by a colon and the argument name, functions that take such objects but that do not take care of synchronizing access to them by default. For example, @code{FILE} stream @code{unlocked} functions will be annotated, but those that perform implicit locking on @code{FILE} streams by default will not, even though the implicit locking may be disabled on a per-stream basis. In either case, we will not regard as MT-Unsafe functions that may access user-supplied objects in unsafe ways should users fail to ensure the accesses are well defined. The notion prevails that users are expected to safeguard against data races any user-supplied objects that the library accesses on their behalf. @c The above describes @mtsrace; @mtasurace is described below. This user responsibility does not apply, however, to objects controlled by the library itself, such as internal objects and static buffers used to return values from certain calls. When the library doesn't guard them against concurrent uses, these cases are regarded as MT-Unsafe and AS-Unsafe (although the @code{race} mark under AS-Unsafe will be omitted as redundant with the one under MT-Unsafe). As in the case of user-exposed objects, the mark may be followed by a colon and an identifier. The identifier groups all functions that operate on a certain unguarded object; users may avoid the MT-Safety issues related with unguarded concurrent access to such internal objects by creating a non-recursive mutex related with the identifier, and always holding the mutex when calling any function marked as racy on that identifier, as they would have to should the identifier be an object under user control. The non-recursive mutex avoids the MT-Safety issue, but it trades one AS-Safety issue for another, so use in asynchronous signals remains undefined. When the identifier relates to a static buffer used to hold return values, the mutex must be held for as long as the buffer remains in use by the caller. Many functions that return pointers to static buffers offer reentrant variants that store return values in caller-supplied buffers instead. In some cases, such as @code{tmpname}, the variant is chosen not by calling an alternate entry point, but by passing a non-@code{NULL} pointer to the buffer in which the returned values are to be stored. These variants are generally preferable in multi-threaded programs, although some of them are not MT-Safe because of other internal buffers, also documented with @code{race} notes. @item @code{const} @cindex const Functions marked with @code{const} as an MT-Safety issue non-atomically modify internal objects that are better regarded as constant, because a substantial portion of @theglibc{} accesses them without synchronization. Unlike @code{race}, that causes both readers and writers of internal objects to be regarded as MT-Unsafe and AS-Unsafe, this mark is applied to writers only. Writers remain equally MT- and AS-Unsafe to call, but the then-mandatory constness of objects they modify enables readers to be regarded as MT-Safe and AS-Safe (as long as no other reasons for them to be unsafe remain), since the lack of synchronization is not a problem when the objects are effectively constant. The identifier that follows the @code{const} mark will appear by itself as a safety note in readers. Programs that wish to work around this safety issue, so as to call writers, may use a non-recursve @code{rwlock} associated with the identifier, and guard @emph{all} calls to functions marked with @code{const} followed by the identifier with a write lock, and @emph{all} calls to functions marked with the identifier by itself with a read lock. The non-recursive locking removes the MT-Safety problem, but it trades one AS-Safety problem for another, so use in asynchronous signals remains undefined. @c But what if, instead of marking modifiers with const:id and readers @c with just id, we marked writers with race:id and readers with ro:id? @c Instead of having to define each instance of “id”, we'd have a @c general pattern governing all such “id”s, wherein race:id would @c suggest the need for an exclusive/write lock to make the function @c safe, whereas ro:id would indicate “id” is expected to be read-only, @c but if any modifiers are called (while holding an exclusive lock), @c then ro:id-marked functions ought to be guarded with a read lock for @c safe operation. ro:env or ro:locale, for example, seems to convey @c more clearly the expectations and the meaning, than just env or @c locale. @item @code{sig} @cindex sig Functions marked with @code{sig} as a MT-Safety issue (that implies an identical AS-Safety issue, omitted for brevity) may temporarily install a signal handler for internal purposes, which may interfere with other uses of the signal, identified after a colon. This safety problem can be worked around by ensuring that no other uses of the signal will take place for the duration of the call. Holding a non-recursive mutex while calling all functions that use the same temporary signal; blocking that signal before the call and resetting its handler afterwards is recommended. There is no safe way to guarantee the original signal handler is restored in case of asynchronous cancellation, therefore so-marked functions are also AC-Unsafe. @c fixme: at least deferred cancellation should get it right, and would @c obviate the restoring bit below, and the qualifier above. Besides the measures recommended to work around the MT- and AS-Safety problem, in order to avert the cancellation problem, disabling asynchronous cancellation @emph{and} installing a cleanup handler to restore the signal to the desired state and to release the mutex are recommended. @item @code{term} @cindex term Functions marked with @code{term} as an MT-Safety issue may change the terminal settings in the recommended way, namely: call @code{tcgetattr}, modify some flags, and then call @code{tcsetattr}; this creates a window in which changes made by other threads are lost. Thus, functions marked with @code{term} are MT-Unsafe. The same window enables changes made by asynchronous signals to be lost. These functions are also AS-Unsafe, but the corresponding mark is omitted as redundant. It is thus advisable for applications using the terminal to avoid concurrent and reentrant interactions with it, by not using it in signal handlers or blocking signals that might use it, and holding a lock while calling these functions and interacting with the terminal. This lock should also be used for mutual exclusion with functions marked with @code{@mtasurace{:tcattr(fd)}}, where @var{fd} is a file descriptor for the controlling terminal. The caller may use a single mutex for simplicity, or use one mutex per terminal, even if referenced by different file descriptors. Functions marked with @code{term} as an AC-Safety issue are supposed to restore terminal settings to their original state, after temporarily changing them, but they may fail to do so if cancelled. @c fixme: at least deferred cancellation should get it right, and would @c obviate the restoring bit below, and the qualifier above. Besides the measures recommended to work around the MT- and AS-Safety problem, in order to avert the cancellation problem, disabling asynchronous cancellation @emph{and} installing a cleanup handler to restore the terminal settings to the original state and to release the mutex are recommended. @end itemize @node Other Safety Remarks, , Conditionally Safe Features, POSIX @subsubsection Other Safety Remarks @cindex Other Safety Remarks Additional keywords may be attached to functions, indicating features that do not make a function unsafe to call, but that may need to be taken into account in certain classes of programs: @itemize @bullet @item @code{locale} @cindex locale Functions annotated with @code{locale} as an MT-Safety issue read from the locale object without any form of synchronization. Functions annotated with @code{locale} called concurrently with locale changes may behave in ways that do not correspond to any of the locales active during their execution, but an unpredictable mix thereof. We do not mark these functions as MT- or AS-Unsafe, however, because functions that modify the locale object are marked with @code{const:locale} and regarded as unsafe. Being unsafe, the latter are not to be called when multiple threads are running or asynchronous signals are enabled, and so the locale can be considered effectively constant in these contexts, which makes the former safe. @c Should the locking strategy suggested under @code{const} be used, @c failure to guard locale uses is not as fatal as data races in @c general: unguarded uses will @emph{not} follow dangling pointers or @c access uninitialized, unmapped or recycled memory. Each access will @c read from a consistent locale object that is or was active at some @c point during its execution. Without synchronization, however, it @c cannot even be assumed that, after a change in locale, earlier @c locales will no longer be used, even after the newly-chosen one is @c used in the thread. Nevertheless, even though unguarded reads from @c the locale will not violate type safety, functions that access the @c locale multiple times may invoke all sorts of undefined behavior @c because of the unexpected locale changes. @item @code{env} @cindex env Functions marked with @code{env} as an MT-Safety issue access the environment with @code{getenv} or similar, without any guards to ensure safety in the presence of concurrent modifications. We do not mark these functions as MT- or AS-Unsafe, however, because functions that modify the environment are all marked with @code{const:env} and regarded as unsafe. Being unsafe, the latter are not to be called when multiple threads are running or asynchronous signals are enabled, and so the environment can be considered effectively constant in these contexts, which makes the former safe. @item @code{hostid} @cindex hostid The function marked with @code{hostid} as an MT-Safety issue reads from the system-wide data structures that hold the ``host ID'' of the machine. These data structures cannot generally be modified atomically. Since it is expected that the ``host ID'' will not normally change, the function that reads from it (@code{gethostid}) is regarded as safe, whereas the function that modifies it (@code{sethostid}) is marked with @code{@mtasuconst{:@mtshostid{}}}, indicating it may require special care if it is to be called. In this specific case, the special care amounts to system-wide (not merely intra-process) coordination. @item @code{sigintr} @cindex sigintr Functions marked with @code{sigintr} as an MT-Safety issue access the @code{_sigintr} internal data structure without any guards to ensure safety in the presence of concurrent modifications. We do not mark these functions as MT- or AS-Unsafe, however, because functions that modify the this data structure are all marked with @code{const:sigintr} and regarded as unsafe. Being unsafe, the latter are not to be called when multiple threads are running or asynchronous signals are enabled, and so the data structure can be considered effectively constant in these contexts, which makes the former safe. @item @code{fd} @cindex fd Functions annotated with @code{fd} as an AC-Safety issue may leak file descriptors if asynchronous thread cancellation interrupts their execution. Functions that allocate or deallocate file descriptors will generally be marked as such. Even if they attempted to protect the file descriptor allocation and deallocation with cleanup regions, allocating a new descriptor and storing its number where the cleanup region could release it cannot be performed as a single atomic operation. Similarly, releasing the descriptor and taking it out of the data structure normally responsible for releasing it cannot be performed atomically. There will always be a window in which the descriptor cannot be released because it was not stored in the cleanup handler argument yet, or it was already taken out before releasing it. It cannot be taken out after release: an open descriptor could mean either that the descriptor still has to be closed, or that it already did so but the descriptor was reallocated by another thread or signal handler. Such leaks could be internally avoided, with some performance penalty, by temporarily disabling asynchronous thread cancellation. However, since callers of allocation or deallocation functions would have to do this themselves, to avoid the same sort of leak in their own layer, it makes more sense for the library to assume they are taking care of it than to impose a performance penalty that is redundant when the problem is solved in upper layers, and insufficient when it is not. This remark by itself does not cause a function to be regarded as AC-Unsafe. However, cumulative effects of such leaks may pose a problem for some programs. If this is the case, suspending asynchronous cancellation for the duration of calls to such functions is recommended. @item @code{mem} @cindex mem Functions annotated with @code{mem} as an AC-Safety issue may leak memory if asynchronous thread cancellation interrupts their execution. The problem is similar to that of file descriptors: there is no atomic interface to allocate memory and store its address in the argument to a cleanup handler, or to release it and remove its address from that argument, without at least temporarily disabling asynchronous cancellation, which these functions do not do. This remark does not by itself cause a function to be regarded as generally AC-Unsafe. However, cumulative effects of such leaks may be severe enough for some programs that disabling asynchronous cancellation for the duration of calls to such functions may be required. @item @code{cwd} @cindex cwd Functions marked with @code{cwd} as an MT-Safety issue may temporarily change the current working directory during their execution, which may cause relative pathnames to be resolved in unexpected ways in other threads or within asynchronous signal or cancellation handlers. This is not enough of a reason to mark so-marked functions as MT- or AS-Unsafe, but when this behavior is optional (e.g., @code{nftw} with @code{FTW_CHDIR}), avoiding the option may be a good alternative to using full pathnames or file descriptor-relative (e.g. @code{openat}) system calls. @item @code{!posix} @cindex !posix This remark, as an MT-, AS- or AC-Safety note to a function, indicates the safety status of the function is known to differ from the specified status in the POSIX standard. For example, POSIX does not require a function to be Safe, but our implementation is, or vice-versa. For the time being, the absence of this remark does not imply the safety properties we documented are identical to those mandated by POSIX for the corresponding functions. @item @code{:identifier} @cindex :identifier Annotations may sometimes be followed by identifiers, intended to group several functions that e.g. access the data structures in an unsafe way, as in @code{race} and @code{const}, or to provide more specific information, such as naming a signal in a function marked with @code{sig}. It is envisioned that it may be applied to @code{lock} and @code{corrupt} as well in the future. In most cases, the identifier will name a set of functions, but it may name global objects or function arguments, or identifiable properties or logical components associated with them, with a notation such as e.g. @code{:buf(arg)} to denote a buffer associated with the argument @var{arg}, or @code{:tcattr(fd)} to denote the terminal attributes of a file descriptor @var{fd}. The most common use for identifiers is to provide logical groups of functions and arguments that need to be protected by the same synchronization primitive in order to ensure safe operation in a given context. @item @code{/condition} @cindex /condition Some safety annotations may be conditional, in that they only apply if a boolean expression involving arguments, global variables or even the underlying kernel evaluates evaluates to true. Such conditions as @code{/hurd} or @code{/!linux!bsd} indicate the preceding marker only applies when the underlying kernel is the HURD, or when it is neither Linux nor a BSD kernel, respectively. @code{/!ps} and @code{/one_per_line} indicate the preceding marker only applies when argument @var{ps} is NULL, or global variable @var{one_per_line} is nonzero. When all marks that render a function unsafe are adorned with such conditions, and none of the named conditions hold, then the function can be regarded as safe. @end itemize @node Berkeley Unix, SVID, POSIX, Standards and Portability @subsection Berkeley Unix @cindex BSD Unix @cindex 4.@var{n} BSD Unix @cindex Berkeley Unix @cindex SunOS @cindex Unix, Berkeley @Theglibc{} defines facilities from some versions of Unix which are not formally standardized, specifically from the 4.2 BSD, 4.3 BSD, and 4.4 BSD Unix systems (also known as @dfn{Berkeley Unix}) and from @dfn{SunOS} (a popular 4.2 BSD derivative that includes some Unix System V functionality). These systems support most of the @w{ISO C} and POSIX facilities, and 4.4 BSD and newer releases of SunOS in fact support them all. The BSD facilities include symbolic links (@pxref{Symbolic Links}), the @code{select} function (@pxref{Waiting for I/O}), the BSD signal functions (@pxref{BSD Signal Handling}), and sockets (@pxref{Sockets}). @node SVID, XPG, Berkeley Unix, Standards and Portability @subsection SVID (The System V Interface Description) @cindex SVID @cindex System V Unix @cindex Unix, System V The @dfn{System V Interface Description} (SVID) is a document describing the AT&T Unix System V operating system. It is to some extent a superset of the POSIX standard (@pxref{POSIX}). @Theglibc{} defines most of the facilities required by the SVID that are not also required by the @w{ISO C} or POSIX standards, for compatibility with System V Unix and other Unix systems (such as SunOS) which include these facilities. However, many of the more obscure and less generally useful facilities required by the SVID are not included. (In fact, Unix System V itself does not provide them all.) The supported facilities from System V include the methods for inter-process communication and shared memory, the @code{hsearch} and @code{drand48} families of functions, @code{fmtmsg} and several of the mathematical functions. @node XPG, , SVID, Standards and Portability @subsection XPG (The X/Open Portability Guide) The X/Open Portability Guide, published by the X/Open Company, Ltd., is a more general standard than POSIX. X/Open owns the Unix copyright and the XPG specifies the requirements for systems which are intended to be a Unix system. @Theglibc{} complies to the X/Open Portability Guide, Issue 4.2, with all extensions common to XSI (X/Open System Interface) compliant systems and also all X/Open UNIX extensions. The additions on top of POSIX are mainly derived from functionality available in @w{System V} and BSD systems. Some of the really bad mistakes in @w{System V} systems were corrected, though. Since fulfilling the XPG standard with the Unix extensions is a precondition for getting the Unix brand chances are good that the functionality is available on commercial systems. @node Using the Library, Roadmap to the Manual, Standards and Portability, Introduction @section Using the Library This section describes some of the practical issues involved in using @theglibc{}. @menu * Header Files:: How to include the header files in your programs. * Macro Definitions:: Some functions in the library may really be implemented as macros. * Reserved Names:: The C standard reserves some names for the library, and some for users. * Feature Test Macros:: How to control what names are defined. @end menu @node Header Files, Macro Definitions, , Using the Library @subsection Header Files @cindex header files Libraries for use by C programs really consist of two parts: @dfn{header files} that define types and macros and declare variables and functions; and the actual library or @dfn{archive} that contains the definitions of the variables and functions. (Recall that in C, a @dfn{declaration} merely provides information that a function or variable exists and gives its type. For a function declaration, information about the types of its arguments might be provided as well. The purpose of declarations is to allow the compiler to correctly process references to the declared variables and functions. A @dfn{definition}, on the other hand, actually allocates storage for a variable or says what a function does.) @cindex definition (compared to declaration) @cindex declaration (compared to definition) In order to use the facilities in @theglibc{}, you should be sure that your program source files include the appropriate header files. This is so that the compiler has declarations of these facilities available and can correctly process references to them. Once your program has been compiled, the linker resolves these references to the actual definitions provided in the archive file. Header files are included into a program source file by the @samp{#include} preprocessor directive. The C language supports two forms of this directive; the first, @smallexample #include "@var{header}" @end smallexample @noindent is typically used to include a header file @var{header} that you write yourself; this would contain definitions and declarations describing the interfaces between the different parts of your particular application. By contrast, @smallexample #include @end smallexample @noindent is typically used to include a header file @file{file.h} that contains definitions and declarations for a standard library. This file would normally be installed in a standard place by your system administrator. You should use this second form for the C library header files. Typically, @samp{#include} directives are placed at the top of the C source file, before any other code. If you begin your source files with some comments explaining what the code in the file does (a good idea), put the @samp{#include} directives immediately afterwards, following the feature test macro definition (@pxref{Feature Test Macros}). For more information about the use of header files and @samp{#include} directives, @pxref{Header Files,,, cpp.info, The GNU C Preprocessor Manual}.@refill @Theglibc{} provides several header files, each of which contains the type and macro definitions and variable and function declarations for a group of related facilities. This means that your programs may need to include several header files, depending on exactly which facilities you are using. Some library header files include other library header files automatically. However, as a matter of programming style, you should not rely on this; it is better to explicitly include all the header files required for the library facilities you are using. The @glibcadj{} header files have been written in such a way that it doesn't matter if a header file is accidentally included more than once; including a header file a second time has no effect. Likewise, if your program needs to include multiple header files, the order in which they are included doesn't matter. @strong{Compatibility Note:} Inclusion of standard header files in any order and any number of times works in any @w{ISO C} implementation. However, this has traditionally not been the case in many older C implementations. Strictly speaking, you don't @emph{have to} include a header file to use a function it declares; you could declare the function explicitly yourself, according to the specifications in this manual. But it is usually better to include the header file because it may define types and macros that are not otherwise available and because it may define more efficient macro replacements for some functions. It is also a sure way to have the correct declaration. @node Macro Definitions, Reserved Names, Header Files, Using the Library @subsection Macro Definitions of Functions @cindex shadowing functions with macros @cindex removing macros that shadow functions @cindex undefining macros that shadow functions If we describe something as a function in this manual, it may have a macro definition as well. This normally has no effect on how your program runs---the macro definition does the same thing as the function would. In particular, macro equivalents for library functions evaluate arguments exactly once, in the same way that a function call would. The main reason for these macro definitions is that sometimes they can produce an inline expansion that is considerably faster than an actual function call. Taking the address of a library function works even if it is also defined as a macro. This is because, in this context, the name of the function isn't followed by the left parenthesis that is syntactically necessary to recognize a macro call. You might occasionally want to avoid using the macro definition of a function---perhaps to make your program easier to debug. There are two ways you can do this: @itemize @bullet @item You can avoid a macro definition in a specific use by enclosing the name of the function in parentheses. This works because the name of the function doesn't appear in a syntactic context where it is recognizable as a macro call. @item You can suppress any macro definition for a whole source file by using the @samp{#undef} preprocessor directive, unless otherwise stated explicitly in the description of that facility. @end itemize For example, suppose the header file @file{stdlib.h} declares a function named @code{abs} with @smallexample extern int abs (int); @end smallexample @noindent and also provides a macro definition for @code{abs}. Then, in: @smallexample #include int f (int *i) @{ return abs (++*i); @} @end smallexample @noindent the reference to @code{abs} might refer to either a macro or a function. On the other hand, in each of the following examples the reference is to a function and not a macro. @smallexample #include int g (int *i) @{ return (abs) (++*i); @} #undef abs int h (int *i) @{ return abs (++*i); @} @end smallexample Since macro definitions that double for a function behave in exactly the same way as the actual function version, there is usually no need for any of these methods. In fact, removing macro definitions usually just makes your program slower. @node Reserved Names, Feature Test Macros, Macro Definitions, Using the Library @subsection Reserved Names @cindex reserved names @cindex name space The names of all library types, macros, variables and functions that come from the @w{ISO C} standard are reserved unconditionally; your program @strong{may not} redefine these names. All other library names are reserved if your program explicitly includes the header file that defines or declares them. There are several reasons for these restrictions: @itemize @bullet @item Other people reading your code could get very confused if you were using a function named @code{exit} to do something completely different from what the standard @code{exit} function does, for example. Preventing this situation helps to make your programs easier to understand and contributes to modularity and maintainability. @item It avoids the possibility of a user accidentally redefining a library function that is called by other library functions. If redefinition were allowed, those other functions would not work properly. @item It allows the compiler to do whatever special optimizations it pleases on calls to these functions, without the possibility that they may have been redefined by the user. Some library facilities, such as those for dealing with variadic arguments (@pxref{Variadic Functions}) and non-local exits (@pxref{Non-Local Exits}), actually require a considerable amount of cooperation on the part of the C compiler, and with respect to the implementation, it might be easier for the compiler to treat these as built-in parts of the language. @end itemize In addition to the names documented in this manual, reserved names include all external identifiers (global functions and variables) that begin with an underscore (@samp{_}) and all identifiers regardless of use that begin with either two underscores or an underscore followed by a capital letter are reserved names. This is so that the library and header files can define functions, variables, and macros for internal purposes without risk of conflict with names in user programs. Some additional classes of identifier names are reserved for future extensions to the C language or the POSIX.1 environment. While using these names for your own purposes right now might not cause a problem, they do raise the possibility of conflict with future versions of the C or POSIX standards, so you should avoid these names. @itemize @bullet @item Names beginning with a capital @samp{E} followed a digit or uppercase letter may be used for additional error code names. @xref{Error Reporting}. @item Names that begin with either @samp{is} or @samp{to} followed by a lowercase letter may be used for additional character testing and conversion functions. @xref{Character Handling}. @item Names that begin with @samp{LC_} followed by an uppercase letter may be used for additional macros specifying locale attributes. @xref{Locales}. @item Names of all existing mathematics functions (@pxref{Mathematics}) suffixed with @samp{f} or @samp{l} are reserved for corresponding functions that operate on @code{float} and @code{long double} arguments, respectively. @item Names that begin with @samp{SIG} followed by an uppercase letter are reserved for additional signal names. @xref{Standard Signals}. @item Names that begin with @samp{SIG_} followed by an uppercase letter are reserved for additional signal actions. @xref{Basic Signal Handling}. @item Names beginning with @samp{str}, @samp{mem}, or @samp{wcs} followed by a lowercase letter are reserved for additional string and array functions. @xref{String and Array Utilities}. @item Names that end with @samp{_t} are reserved for additional type names. @end itemize In addition, some individual header files reserve names beyond those that they actually define. You only need to worry about these restrictions if your program includes that particular header file. @itemize @bullet @item The header file @file{dirent.h} reserves names prefixed with @samp{d_}. @pindex dirent.h @item The header file @file{fcntl.h} reserves names prefixed with @samp{l_}, @samp{F_}, @samp{O_}, and @samp{S_}. @pindex fcntl.h @item The header file @file{grp.h} reserves names prefixed with @samp{gr_}. @pindex grp.h @item The header file @file{limits.h} reserves names suffixed with @samp{_MAX}. @pindex limits.h @item The header file @file{pwd.h} reserves names prefixed with @samp{pw_}. @pindex pwd.h @item The header file @file{signal.h} reserves names prefixed with @samp{sa_} and @samp{SA_}. @pindex signal.h @item The header file @file{sys/stat.h} reserves names prefixed with @samp{st_} and @samp{S_}. @pindex sys/stat.h @item The header file @file{sys/times.h} reserves names prefixed with @samp{tms_}. @pindex sys/times.h @item The header file @file{termios.h} reserves names prefixed with @samp{c_}, @samp{V}, @samp{I}, @samp{O}, and @samp{TC}; and names prefixed with @samp{B} followed by a digit. @pindex termios.h @end itemize @comment Include the section on Creature Nest Macros. @include creature.texi @node Roadmap to the Manual, , Using the Library, Introduction @section Roadmap to the Manual Here is an overview of the contents of the remaining chapters of this manual. @c The chapter overview ordering is: @c Error Reporting (2) @c Virtual Memory Allocation and Paging (3) @c Character Handling (4) @c Strings and Array Utilities (5) @c Character Set Handling (6) @c Locales and Internationalization (7) @c Searching and Sorting (9) @c Pattern Matching (10) @c Input/Output Overview (11) @c Input/Output on Streams (12) @c Low-level Input/Ooutput (13) @c File System Interface (14) @c Pipes and FIFOs (15) @c Sockets (16) @c Low-Level Terminal Interface (17) @c Syslog (18) @c Mathematics (19) @c Aritmetic Functions (20) @c Date and Time (21) @c Non-Local Exist (23) @c Signal Handling (24) @c The Basic Program/System Interface (25) @c Processes (26) @c Job Control (28) @c System Databases and Name Service Switch (29) @c Users and Groups (30) -- References `User Database' and `Group Database' @c System Management (31) @c System Configuration Parameters (32) @c C Language Facilities in the Library (AA) @c Summary of Library Facilities (AB) @c Installing (AC) @c Library Maintenance (AD) @c The following chapters need overview text to be added: @c Message Translation (8) @c Resource Usage And Limitations (22) @c Inter-Process Communication (27) @c DES Encryption and Password Handling (33) @c Debugging support (34) @c POSIX Threads (35) @c Internal Probes (36) @c Platform-specific facilities (AE) @c Contributors to (AF) @c Free Software Needs Free Documentation (AG) @c GNU Lesser General Public License (AH) @c GNU Free Documentation License (AI) @itemize @bullet @item @ref{Error Reporting}, describes how errors detected by the library are reported. @item @ref{Memory}, describes @theglibc{}'s facilities for managing and using virtual and real memory, including dynamic allocation of virtual memory. If you do not know in advance how much memory your program needs, you can allocate it dynamically instead, and manipulate it via pointers. @item @ref{Character Handling}, contains information about character classification functions (such as @code{isspace}) and functions for performing case conversion. @item @ref{String and Array Utilities}, has descriptions of functions for manipulating strings (null-terminated character arrays) and general byte arrays, including operations such as copying and comparison. @item @ref{Character Set Handling}, contains information about manipulating characters and strings using character sets larger than will fit in the usual @code{char} data type. @item @ref{Locales}, describes how selecting a particular country or language affects the behavior of the library. For example, the locale affects collation sequences for strings and how monetary values are formatted. @item @ref{Searching and Sorting}, contains information about functions for searching and sorting arrays. You can use these functions on any kind of array by providing an appropriate comparison function. @item @ref{Pattern Matching}, presents functions for matching regular expressions and shell file name patterns, and for expanding words as the shell does. @item @ref{I/O Overview}, gives an overall look at the input and output facilities in the library, and contains information about basic concepts such as file names. @item @ref{I/O on Streams}, describes I/O operations involving streams (or @w{@code{FILE *}} objects). These are the normal C library functions from @file{stdio.h}. @item @ref{Low-Level I/O}, contains information about I/O operations on file descriptors. File descriptors are a lower-level mechanism specific to the Unix family of operating systems. @item @ref{File System Interface}, has descriptions of operations on entire files, such as functions for deleting and renaming them and for creating new directories. This chapter also contains information about how you can access the attributes of a file, such as its owner and file protection modes. @item @ref{Pipes and FIFOs}, contains information about simple interprocess communication mechanisms. Pipes allow communication between two related processes (such as between a parent and child), while FIFOs allow communication between processes sharing a common file system on the same machine. @item @ref{Sockets}, describes a more complicated interprocess communication mechanism that allows processes running on different machines to communicate over a network. This chapter also contains information about Internet host addressing and how to use the system network databases. @item @ref{Low-Level Terminal Interface}, describes how you can change the attributes of a terminal device. If you want to disable echo of characters typed by the user, for example, read this chapter. @item @ref{Mathematics}, contains information about the math library functions. These include things like random-number generators and remainder functions on integers as well as the usual trigonometric and exponential functions on floating-point numbers. @item @ref{Arithmetic,, Low-Level Arithmetic Functions}, describes functions for simple arithmetic, analysis of floating-point values, and reading numbers from strings. @item @ref{Date and Time}, describes functions for measuring both calendar time and CPU time, as well as functions for setting alarms and timers. @item @ref{Non-Local Exits}, contains descriptions of the @code{setjmp} and @code{longjmp} functions. These functions provide a facility for @code{goto}-like jumps which can jump from one function to another. @item @ref{Signal Handling}, tells you all about signals---what they are, how to establish a handler that is called when a particular kind of signal is delivered, and how to prevent signals from arriving during critical sections of your program. @item @ref{Program Basics}, tells how your programs can access their command-line arguments and environment variables. @item @ref{Processes}, contains information about how to start new processes and run programs. @item @ref{Job Control}, describes functions for manipulating process groups and the controlling terminal. This material is probably only of interest if you are writing a shell or other program which handles job control specially. @item @ref{Name Service Switch}, describes the services which are available for looking up names in the system databases, how to determine which service is used for which database, and how these services are implemented so that contributors can design their own services. @item @ref{User Database}, and @ref{Group Database}, tell you how to access the system user and group databases. @item @ref{System Management}, describes functions for controlling and getting information about the hardware and software configuration your program is executing under. @item @ref{System Configuration}, tells you how you can get information about various operating system limits. Most of these parameters are provided for compatibility with POSIX. @item @ref{Language Features}, contains information about library support for standard parts of the C language, including things like the @code{sizeof} operator and the symbolic constant @code{NULL}, how to write functions accepting variable numbers of arguments, and constants describing the ranges and other properties of the numerical types. There is also a simple debugging mechanism which allows you to put assertions in your code, and have diagnostic messages printed if the tests fail. @item @ref{Library Summary}, gives a summary of all the functions, variables, and macros in the library, with complete data types and function prototypes, and says what standard or system each is derived from. @item @ref{Installation}, explains how to build and install @theglibc{} on your system, and how to report any bugs you might find. @item @ref{Maintenance}, explains how to add new functions or port the library to a new system. @end itemize If you already know the name of the facility you are interested in, you can look it up in @ref{Library Summary}. This gives you a summary of its syntax and a pointer to where you can find a more detailed description. This appendix is particularly useful if you just want to verify the order and type of arguments to a function, for example. It also tells you what standard or system each function, variable, or macro is derived from.