| blob | 56e8e6147ecdd1d4b950cb679c5c21a42120c78e |
1 /* Copyright (C) 1991-2023 Free Software Foundation, Inc.
2 This file is part of the GNU C Library.
4 The GNU C Library is free software; you can redistribute it and/or
5 modify it under the terms of the GNU Lesser General Public
6 License as published by the Free Software Foundation; either
7 version 2.1 of the License, or (at your option) any later version.
9 The GNU C Library is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 Lesser General Public License for more details.
14 You should have received a copy of the GNU Lesser General Public
15 License along with the GNU C Library; if not, see
16 <https://www.gnu.org/licenses/>. */
18 #include <stdio.h>
19 #include <stdlib.h>
20 #include <string.h>
23 #include <pthreadP.h>
24 #include <mach.h>
25 #include <mach/thread_switch.h>
26 #include <mach/mig_support.h>
27 #include <mach/vm_param.h>
29 #include <hurd.h>
30 #include <hurd/id.h>
31 #include <hurd/signal.h>
37 #include <libc-diag.h>
44 /* Port that receives signals and other miscellaneous messages. */
45 mach_port_t _hurd_msgport;
47 /* Thread listening on it. */
48 thread_t _hurd_msgport_thread;
50 /* These are set up by _hurdsig_init. */
54 /* Linked-list of per-thread signal state. */
57 /* Sigstate for the task-global signals. */
60 /* Timeout for RPC's after interrupt_operation. */
62 \f
63 static void
65 {
74 }
78 {
85 {
93 /* Initialize default state. */
107 {
108 /* Process-wide sigstate, use the system defaults. */
111 /* The global sigstate is not added to the _hurd_sigstates list.
112 It is created with _hurd_thread_sigstate (MACH_PORT_NULL)
113 but should be accessed through _hurd_global_sigstate. */
114 }
115 else
116 {
117 error_t err;
119 /* Use the global actions as a default for new threads. */
122 {
126 }
127 else
137 }
138 }
141 }
144 /* Destroy a sigstate structure. Called by libpthread just before the
145 * corresponding thread is terminated. */
146 void
148 {
162 {
167 }
168 }
170 /* Make SS a global receiver, with pthread signal semantics. */
171 void
173 {
176 }
178 /* Check whether SS is a global receiver. */
179 static int
181 {
184 }
187 /* Lock/unlock a hurd_sigstate structure. If the accessors below require
188 it, the global sigstate will be locked as well. */
189 void
191 {
195 }
196 void
198 {
202 }
205 /* Retreive a thread's full set of pending signals, including the global
206 ones if appropriate. SS must be locked. */
207 sigset_t
209 {
214 }
216 /* Clear a pending signal and return the associated detailed
217 signal information. SS must be locked, and must have signal SIGNO
218 pending, either directly or through the global sigstate. */
219 static struct hurd_signal_detail
221 {
224 {
227 }
232 }
236 /* Retreive a thread's action vector. SS must be locked. */
239 {
242 else
244 }
247 \f
248 /* Signal delivery itself is on this page. */
250 #include <hurd/fd.h>
251 #include <hurd/crash.h>
252 #include <hurd/resource.h>
253 #include <hurd/paths.h>
254 #include <setjmp.h>
255 #include <fcntl.h>
256 #include <sys/wait.h>
257 #include <thread_state.h>
258 #include <hurd/msg_server.h>
260 #include <hurd/interrupt.h>
261 #include <assert.h>
262 #include <unistd.h>
265 /* Call the crash dump server to mummify us before we die.
266 Returns nonzero if a core file was written. */
267 static int
269 {
270 error_t err;
271 mach_port_t coreserver;
275 /* Don't bother locking since we just read the one word. */
279 /* No core dumping, thank you very much. Note that this makes
280 `ulimit -c 0' prevent crash-suspension too, which is probably
281 what the user wanted. */
284 /* XXX RLIMIT_CORE:
285 When we have a protocol to make the server return an error
286 for RLIMIT_FSIZE, then tell the corefile fs server the RLIMIT_CORE
287 value in place of the RLIMIT_FSIZE value. */
289 /* First get a port to the core dumping server. */
299 /* Get a port to the directory where the new core file will reside. */
306 /* Create the new file, but don't link it into the directory yet. */
311 /* Call the core dumping server to write the core file. */
314 file,
318 MACH_MSG_TYPE_COPY_SEND);
322 /* The core dump into FILE succeeded, so now link it into the
323 directory. */
328 }
331 /* The lowest-numbered thread state flavor value is 1,
332 so we use bit 0 in machine_thread_all_state.set to
333 record whether we have done thread_abort. */
334 #define THREAD_ABORTED 1
336 /* SS->thread is suspended. Abort the thread and get its basic state. */
337 static void
340 {
344 {
347 /* Clear all thread state flavor set bits, because thread_abort may
348 have changed the state. */
350 }
356 }
358 /* Find the location of the MiG reply port cell in use by the thread whose
359 state is described by THREAD_STATE. If SIGTHREAD is nonzero, make sure
360 that this location can be set without faulting, or else return NULL. */
366 {
370 /* Faulted trying to read the TCB. */
373 DIAG_PUSH_NEEDS_COMMENT;
374 /* GCC 6 and before seem to be confused by the setjmp call inside
375 _hurdsig_catch_memory_fault and think that we may be returning a second
376 time to here with portloc uninitialized (but we never do). */
378 /* Fault now if this pointer is bogus. */
380 DIAG_POP_NEEDS_COMMENT;
386 }
387 \f
388 #include <hurd/sigpreempt.h>
389 #include <intr-msg.h>
391 /* Timeout on interrupt_operation calls. */
394 /* SS->thread is suspended.
396 Abort any interruptible RPC operation the thread is doing.
398 This uses only the constant member SS->thread and the unlocked, atomically
399 set member SS->intr_port, so no locking is needed.
401 If successfully sent an interrupt_operation and therefore the thread should
402 wait for its pending RPC to return (possibly EINTR) before taking the
403 incoming signal, returns the reply port to be received on. Otherwise
404 returns MACH_PORT_NULL.
406 SIGNO is used to find the applicable SA_RESTART bit. If SIGNO is zero,
407 the RPC fails with EINTR instead of restarting (thread_cancel).
409 *STATE_CHANGE is set nonzero if STATE->basic was modified and should
410 be applied back to the thread if it might ever run again, else zero. */
412 mach_port_t
416 {
420 mach_port_t intr_port;
426 /* No interruption needs done. */
429 /* Abort the thread's kernel context, so any pending message send or
430 receive completes immediately or aborts. */
435 {
436 /* The thread is about to do the RPC, but hasn't yet entered
437 mach_msg. Mutate the thread's state so it knows not to try
438 the RPC. */
444 }
446 /* The thread was blocked in the system call. After thread_abort,
447 the return value register indicates what state the RPC was in
448 when interrupted. */
450 {
451 /* The RPC request message was sent and the thread was waiting for
452 the reply message; now the message receive has been aborted, so
453 the mach_msg call will return MACH_RCV_INTERRUPTED. We must tell
454 the server to interrupt the pending operation. The thread must
455 wait for the reply message before running the signal handler (to
456 guarantee that the operation has finished being interrupted), so
457 our nonzero return tells the trampoline code to finish the message
458 receive operation before running the handler. */
461 state,
462 sigthread);
466 {
468 {
469 /* The interrupt didn't work.
470 Destroy the receive right the thread is blocked on. */
473 }
475 /* The system call return value register now contains
476 MACH_RCV_INTERRUPTED; when mach_msg resumes, it will retry the
477 call. Since we have just destroyed the receive right, the
478 retry will fail with MACH_RCV_INVALID_NAME. Instead, just
479 change the return value here to EINTR so mach_msg will not
480 retry and the EINTR error code will propagate up. */
483 }
487 /* All threads whose RPCs were interrupted by the interrupt_operation
488 call above will retry their RPCs unless we clear SS->intr_port.
489 So we clear it for the thread taking a signal when SA_RESTART is
490 clear, so that its call returns EINTR. */
493 }
496 }
499 /* Abort the RPCs being run by all threads but this one;
500 all other threads should be suspended. If LIVE is nonzero, those
501 threads may run again, so they should be adjusted as necessary to be
502 happy when resumed. STATE is clobbered as a scratch area; its initial
503 contents are ignored, and its contents on return are not useful. */
505 static void
507 {
508 /* We can just loop over the sigstates. Any thread doing something
509 interruptible must have one. We needn't bother locking because all
510 other threads are stopped. */
516 /* First loop over the sigstates to count them.
517 We need to know how big a vector we will need for REPLY_PORTS. */
528 else
529 {
533 /* Abort any operation in progress with interrupt_operation.
534 Record the reply port the thread is waiting on.
535 We will wait for all the replies below. */
538 NULL);
540 {
542 {
543 /* We will wait for the reply to this RPC below, so the
544 thread must issue a new RPC rather than waiting for the
545 reply to the one it sent. */
548 }
550 /* Aborting the RPC needed to change this thread's state,
551 and it might ever run again. So write back its state. */
554 MACHINE_THREAD_STATE_COUNT);
555 }
556 }
558 /* Wait for replies from all the successfully interrupted RPCs. */
561 {
562 error_t err;
563 mach_msg_header_t head;
568 {
575 }
576 }
577 }
579 /* Wake up any sigsuspend or pselect call that is blocking SS->thread. SS must
580 be locked. */
581 static void
583 {
584 error_t err;
585 mach_msg_header_t msg;
590 /* There is a sigsuspend waiting. Tell it to wake up. */
594 /* These values do not matter. */
599 MACH_PORT_NULL);
601 }
604 sigset_t _hurdsig_preempted_set;
606 /* XXX temporary to deal with spelling fix */
609 /* Mask of stop signals. */
610 #define STOPSIGS (__sigmask (SIGTTIN) | __sigmask (SIGTTOU) \
611 | __sigmask (SIGSTOP) | __sigmask (SIGTSTP))
613 /* Actual delivery of a single signal. Called with SS unlocked. When
614 the signal is delivered, return SS, locked (or, if SS was originally
615 _hurd_global_sigstate, the sigstate of the actual thread the signal
616 was delivered to). If the signal is being traced, return NULL with
617 SS unlocked. */
622 {
627 /* sigaction for preemptors */
630 };
634 /* Mark the signal as pending. */
636 {
638 /* Save the details to be given to the handler when SIGNO is
639 unblocked. */
641 }
643 /* Suspend the process with SIGNO. */
645 {
646 /* Stop all other threads and mark ourselves stopped. */
648 ({
649 /* Hold the siglock while stopping other threads to be
650 sure it is not held by another thread afterwards. */
657 }));
659 }
660 /* Resume the process after a suspension. */
662 {
663 /* Resume the process from being stopped. */
666 error_t err;
671 /* Tell the proc server we are continuing. */
673 /* Fetch ports to all our threads and resume them. */
677 {
679 {
680 /* The thread that will run the handler is kept suspended. */
682 }
684 {
687 }
691 }
696 }
698 error_t err;
699 sighandler_t handler;
702 {
704 {
705 /* This is PTRACE_CONTINUE. */
708 }
710 /* This call is just to check for pending signals. */
713 }
719 /* If this is a global signal, try to find a thread ready to accept
720 it right away. This is especially important for untraced signals,
721 since going through the global pending mask would de-untrace them. */
723 {
728 {
732 /* The global sigstate is already locked. */
735 {
738 }
740 }
742 }
744 /* We want the preemptors to be able to update the blocking mask
745 without affecting the delivery of this signal, so we save the
746 current value to test against later. */
749 /* Check for a preempted signal. Preempted signals can arrive during
750 critical sections. */
751 {
754 do
755 {
757 {
759 {
764 }
765 else
767 }
771 }
775 /* If no thread-specific preemptor, check for a global one. */
777 {
781 }
782 }
787 /* Ignore the signal altogether. */
790 {
791 /* Run the preemption-provided handler. */
794 }
795 else
796 {
797 /* No preemption. Do normal handling. */
802 {
803 /* We are being traced. Stop to tell the debugger of the signal. */
805 /* Already stopped. Mark the signal as pending;
806 when resumed, we will notice it and stop again. */
808 else
813 }
818 /* Figure out the default action for this signal. */
820 {
822 /* A sig_post msg with SIGNO==0 is sent to
823 tell us to check for pending signals. */
856 {
857 /* We are the process group leader. Since there is no
858 user-specified handler for SIGINFO, we use a default one
859 which prints something interesting. We use the normal
860 handler mechanism instead of just doing it here to avoid
861 the signal thread faulting or blocking in this
862 potentially hairy operation. */
865 }
866 else
873 }
876 else
880 /* Stop signals clear a pending SIGCONT even if they
881 are handled or ignored (but not if preempted). */
883 else
884 {
886 /* Even if handled or ignored (but not preempted), SIGCONT clears
887 stop signals and resumes the process. */
892 }
893 }
898 {
899 /* If we would ordinarily stop for a job control signal, but we are
900 orphaned so noone would ever notice and continue us again, we just
901 quietly die, alone and in the dark. */
905 }
907 /* Handle receipt of a blocked signal, or any signal while stopped. */
909 {
912 }
914 /* Perform the chosen action for the signal. */
916 {
919 {
920 /* We are already stopped, but receiving an untraced stop
921 signal. Instead of resuming and suspending again, just
922 notify the proc server of the new stop signal. */
926 }
927 else
928 /* Suspend the process. */
934 /* Blocking or ignoring a machine exception is fatal.
935 Otherwise we could just spin on the faulting instruction. */
938 /* Nobody cares about this signal. If there was a call to resume
939 above in SIGCONT processing and we've left a thread suspended,
940 now's the time to set it going. */
942 {
947 }
950 sigbomb:
951 /* We got a fault setting up the stack frame for the handler.
952 Nothing to do but die; BSD gets SIGILL in this case. */
956 fatal:
958 /* FALLTHROUGH */
962 /* Have the proc server stop all other threads in our task. */
965 /* No more user instructions will be executed.
966 The signal can now be considered delivered. */
968 /* Abort all server operations now in progress. */
971 {
973 /* Do a core dump if desired. Only set the wait status bit saying we
974 in fact dumped core if the operation was actually successful. */
977 /* Tell proc how we died and then stick the saber in the gut. */
979 /* NOTREACHED */
980 }
983 /* Call a handler for this signal. */
984 {
990 /* Stop the thread and abort its pending RPC operations. */
992 {
995 }
997 /* Abort the thread's kernel context, so any pending message send
998 or receive completes immediately or aborts. If an interruptible
999 RPC is in progress, abort_rpcs will do this. But we must always
1000 do it before fetching the thread's state, because
1001 thread_get_state is never kosher before thread_abort. */
1005 {
1006 /* We have a previous sigcontext that sigreturn was about
1007 to restore when another signal arrived. */
1012 {
1013 /* We faulted reading the thread's stack. Forget that
1014 context and pretend it wasn't there. It almost
1015 certainly crash if this handler returns, but that's it's
1016 problem. */
1018 }
1019 else
1020 {
1021 /* Copy the context from the thread's stack before
1022 we start diddling the stack to set up the handler. */
1025 }
1033 /* This is the reply port for the context which called
1034 sigreturn. Since we are abandoning that context entirely
1035 and restoring SS->context instead, destroy this port. */
1038 /* The thread was in sigreturn, not in any interruptible RPC. */
1042 }
1043 else
1044 {
1047 wait_for_reply
1049 /* In a critical section, any RPC
1050 should be cancelled instead of
1051 restarted, regardless of
1052 SA_RESTART, so the entire
1053 "atomic" operation can be aborted
1054 as a unit. */
1057 reply)
1061 {
1062 /* The thread is in a critical section. Mark the signal as
1063 pending. When it finishes the critical section, it will
1064 check for pending signals. */
1067 /* Some cases of interrupting an RPC must change the
1068 thread state to back out the call. Normally this
1069 change is rolled into the warping to the handler and
1070 sigreturn, but we are not running the handler now
1071 because the thread is in a critical section. Instead,
1072 mutate the thread right away for the RPC interruption
1073 and resume it; the RPC will return early so the
1074 critical section can end soon. */
1077 MACHINE_THREAD_STATE_COUNT);
1078 /* */
1082 }
1083 }
1085 /* Call the machine-dependent function to set the thread up
1086 to run the signal handler, and preserve its old context. */
1092 /* Set the machine-independent parts of the signal context. */
1094 {
1095 /* Fetch the thread variable for the MiG reply port,
1096 and set it to MACH_PORT_NULL. */
1101 {
1104 }
1105 else
1108 /* Save the intr_port in use by the interrupted code,
1109 and clear the cell before running the trampoline. */
1114 {
1115 /* After the handler runs we will restore to the state in
1116 SS->context, not the state of the thread now. So restore
1117 that context's reply port and intr port. */
1123 }
1124 }
1126 /* Backdoor extra argument to signal handler. */
1129 /* Block requested signals while running the handler. */
1133 /* Also block SIGNO unless we're asked not to. */
1137 /* Reset to SIG_DFL if requested. SIGILL and SIGTRAP cannot
1138 be automatically reset when delivered; the system silently
1139 enforces this restriction. */
1144 /* Any sigsuspend call must return after the handler does. */
1147 /* Start the thread running the handler (or possibly waiting for an
1148 RPC reply before running the handler). */
1151 MACHINE_THREAD_STATE_COUNT);
1157 }
1158 }
1161 }
1163 /* Return the set of pending signals in SS which should be delivered. */
1164 static sigset_t
1166 {
1167 /* We don't worry about any pending signals if we are stopped, nor if
1168 SS is in a critical section. We are guaranteed to get a sig_post
1169 message before any of them become deliverable: either the SIGCONT
1170 signal, or a sig_post with SIGNO==0 as an explicit poll when the
1171 thread finishes its critical section. */
1176 }
1178 /* Post the specified pending signals in SS and return 1. If one of
1179 them is traced, abort immediately and return 0. SS must be locked on
1180 entry and will be unlocked in all cases. */
1181 static int
1183 {
1187 /* Make sure SS corresponds to an actual thread, since we assume it won't
1188 change in post_signal. */
1193 {
1197 /* Will reacquire the lock, except if the signal is traced. */
1200 }
1202 /* No more signals pending; SS->lock is still locked. */
1206 }
1208 /* Post all the pending signals of all threads and return 1. If a traced
1209 signal is encountered, abort immediately and return 0. */
1210 static int
1212 {
1217 {
1220 {
1225 /* post_pending() below will unlock SS. */
1229 }
1236 }
1237 }
1239 /* Deliver a signal. SS is not locked. */
1240 void
1243 mach_port_t reply_port,
1244 mach_msg_type_name_t reply_port_type,
1246 {
1247 /* Reply to this sig_post message. */
1251 {
1252 error_t err;
1259 }
1265 /* The signal was neither fatal nor traced. We still hold SS->lock. */
1267 {
1268 /* The signal has either been ignored or is now being handled. We can
1269 consider it delivered and reply to the killer. */
1272 /* Post any pending signals for this thread. */
1275 }
1276 else
1277 {
1278 /* If this was a process-wide signal or a poll request, we need
1279 to check for pending signals for all threads. */
1284 /* All pending signals delivered to all threads.
1285 Now we can send the reply message even for signal 0. */
1287 }
1288 }
1289 \f
1290 /* Decide whether REFPORT enables the sender to send us a SIGNO signal.
1291 Returns zero if so, otherwise the error code to return to the sender. */
1293 static error_t
1295 {
1300 /* Can send any signal. */
1303 /* Avoid needing to check for this below. */
1308 {
1317 /* Job control signals can be sent by the controlling terminal. */
1323 {
1324 /* A continue signal can be sent by anyone in the session. */
1325 mach_port_t sessport;
1327 {
1331 }
1332 }
1337 {
1338 /* Any io object a file descriptor refers to might send us
1339 one of these signals using its async ID port for REFPORT.
1341 This is pretty wide open; it is not unlikely that some random
1342 process can at least open for reading something we have open,
1343 get its async ID port, and send us a spurious SIGIO or SIGURG
1344 signal. But BSD is actually wider open than that!--you can set
1345 the owner of an io object to any process or process group
1346 whatsoever and send them gratuitous signals.
1348 Someday we could implement some reasonable scheme for
1349 authorizing SIGIO and SIGURG signals properly. */
1355 {
1357 io_t port;
1358 mach_port_t asyncid;
1363 {
1365 /* Break out of the loop on the next iteration. */
1368 }
1370 }
1372 /* If we found a lucky winner, we've set D to -1 in the loop. */
1375 }
1376 }
1378 /* If this signal is legit, we have done `goto win' by now.
1379 When we return the error, mig deallocates REFPORT. */
1382 win:
1383 /* Deallocate the REFPORT send right; we are done with it. */
1387 }
1389 /* Implement the sig_post RPC from <hurd/msg.defs>;
1390 sent when someone wants us to get a signal. */
1391 kern_return_t
1395 mach_port_t refport)
1396 {
1397 error_t err;
1406 /* Post the signal to a global receiver thread (or mark it pending in
1407 the global sigstate). This will reply when the signal can be
1408 considered delivered. */
1414 }
1416 /* Implement the sig_post_untraced RPC from <hurd/msg.defs>;
1417 sent when the debugger wants us to really get a signal
1418 even if we are traced. */
1419 kern_return_t
1421 mach_port_t reply_port,
1422 mach_msg_type_name_t reply_port_type,
1424 mach_port_t refport)
1425 {
1426 error_t err;
1435 /* Post the signal to the designated signal-receiving thread. This will
1436 reply when the signal can be considered delivered. */
1442 }
1443 \f
1446 #include <mach/task_special_ports.h>
1448 /* Initialize the message port, _hurd_global_sigstate, and start the
1449 signal thread. */
1451 void
1453 {
1454 error_t err;
1455 vm_size_t stacksize;
1461 MACH_PORT_RIGHT_RECEIVE,
1465 /* Make a send right to the signal port. */
1467 _hurd_msgport,
1468 _hurd_msgport,
1469 MACH_MSG_TYPE_MAKE_SEND);
1472 /* Initialize the global signal state. */
1475 /* We block all signals, and let actual threads pull them from the
1476 pending mask. */
1479 /* Initialize the main thread's signal state. */
1482 /* Mark it as a process-wide signal receiver. Threads in this set use
1483 the common action vector in _hurd_global_sigstate. */
1486 /* Copy inherited signal settings from our parent (or pre-exec process
1487 state) */
1493 {
1498 }
1500 /* Start the signal thread listening on the message port. */
1502 #pragma weak __pthread_create
1504 {
1510 _hurd_msgport_receive,
1519 /* Reinitialize the MiG support routines so they will use a per-thread
1520 variable for the cached reply port. */
1525 }
1526 else
1527 {
1528 pthread_t thread;
1529 pthread_attr_t attr;
1533 /* When pthread is being used, we need to make the signal thread a
1534 proper pthread. Otherwise it cannot use mutex_lock et al, which
1535 will be the pthread versions. Various of the message port RPC
1536 handlers need to take locks, so we need to be able to call into
1537 pthread code and meet its assumptions about how our thread and
1538 its stack are arranged. Since pthread puts it there anyway,
1539 we'll let the signal thread's per-thread variables be found as for
1540 any normal pthread, and just leave the magic __hurd_sigthread_*
1541 values all zero so they'll be ignored. */
1543 #pragma weak __pthread_detach
1544 #pragma weak __pthread_getattr_np
1545 #pragma weak __pthread_attr_getstack
1548 /* Record signal thread stack layout for fork() */
1556 /* XXX We need the thread port for the signal thread further on
1557 in this thread (see hurdfault.c:_hurdsigfault_init).
1558 Therefore we block until _hurd_msgport_thread is initialized
1559 by the newly created thread. This really shouldn't be
1560 necessary; we should be able to fetch the thread port for a
1561 pthread from here. */
1564 }
1566 /* Receive exceptions on the signal port. */
1567 #ifdef TASK_EXCEPTION_PORT
1570 #elif defined (EXC_MASK_ALL)
1572 EXC_MASK_ALL & ~(EXC_MASK_SYSCALL
1573 | EXC_MASK_MACH_SYSCALL
1575 _hurd_msgport,
1577 #else
1578 # error task_set_exception_port?
1579 #endif
1581 /* Sanity check. Any pending, unblocked signals should have been
1582 taken by our predecessor incarnation (i.e. parent or pre-exec state)
1583 before packing up our init ints. This assert is last (not above)
1584 so that signal handling is all set up to handle the abort. */
1586 }
1588 /* Reauthenticate with the proc server. */
1590 static void
1592 {
1598 MACH_MSG_TYPE_MAKE_SEND)
1600 MACH_MSG_TYPE_MAKE_SEND,
1606 /* Set the owner of the process here too. */
1617 }
1619 \f
1620 /* Like `getenv', but safe for the signal thread to run.
1621 If the environment is trashed, this will just return NULL. */
1625 {
1630 /* We bombed in getenv. */
1632 else
1633 {
1638 {
1643 {
1652 }
1655 }
1658 }
1659 }